Configuration Guide for Salesforce REST Integration
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview
This article provides a short overview of integrating Salesforce Provisioning in Okta.
Applies To
  • Salesforce OAuth Provisioning Integration
  • Okta Integration Network (OIN)
  • Configuration guide
Solution

Review the linked video for a demonstration of this solution. 



The following are the steps to integrate Salesforce Provisioning in Okta. 

  1. Create an administrator account in Salesforce. This account is required to create the OAuth consumer key and consumer secret used in Salesforce REST integration. If there is a question about this, please contact the Salesforce Support Team for further assistance. 

  2. In Salesforce, create a connected app, enabling OAuth Settings for API Integration:

    1. Create a Connected App, configuring Basic Connected App Settings.

    2. Enable OAuth Settings for API Integration:

      1. Enable OAuth settings: enabled

      2. Enable for Device Flow: disabled

      3. Callback URL: https://system-admin.okta.com/admin/app/generic/oauth20redirect

      4. Use digital signatures: disabled

      5. Selected OAuth scopes:

        • Manage user data via APIs (api)

        • Perform requests at any time (refresh_token, offline_access)

      6. Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows: disabled
      7. Require Secret for Web Server Flow: enabled

      8. Require Secret for Refresh Token Flow: enabled
      9. Introspect All Tokens: disabled

      10. Configure ID Token: disabled

      11. Enable Asset Tokens: disabled

      12. Enable Single Logout: disabled

  3. Allow 2-10 minutes for the changes to take effect on the server before using the connected app.
  4. Once saved, get the Consumer Key and Consumer Secret under the API (Enable OAuth Settings) section. They will be used to configure the Provisioning in Configuration Steps.
  5. Ensure that the Refresh Token Policy is set to "Refresh token is valid until revoked". This can be checked by clicking the Manage button on the page where the Consumer Key and Consumer Secret are found. The Salesforce Admin will need to provide the newly generated Salesforce OAuth Consumer Key and OAuth Consumer Secret to the Okta Admin to complete the remaining setup in the Okta Admin Console.
  6. As an Okta Admin, navigate to Okta Admin Console > Application > Salesforce app > Provisioning > Integration section:

    1. OAuth Consumer Key - Enter the provided OAuth Consumer Key

    2. OAuth Consumer Secret - Enter the provided OAuth Consumer Secret

    3. Click the Authenticate with Salesforce.com button. This opens Salesforce.com in a new pop-up window, so make sure the pop-up blocker is turned off in the web browser settings.

    4. Enter the administrator’s username and password, which were used to create the Connected OAuth App.

    5. Click Allow to allow access to the Connected App.

    6. Click Save to save the OAuth configuration.

The Salesforce integration should now be authenticated.

If the Salesforce Enable API Integration section asks for a Username and Password, please contact Okta Support: the newer version operates on Salesforce REST Version 45 and addresses the retirement of Salesforce Platform API Versions 21.0 through 30.0.
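As an added example (not part of the Okta guide and not Okta or Salesforce code), the following Python check compares an exported ConnectedApp metadata file against the OAuth settings and Refresh Token Policy listed in the steps above, so drift such as an extra scope or a relaxed secret requirement is caught in review. The metadata element names, the `infinite` policy value, and the treatment of an absent flag as false are this example's assumed mapping of the guide's UI labels; both XML documents are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Expected values come from the guide. The element names are this example's
# assumed mapping of the guide's UI labels onto ConnectedApp metadata.
CALLBACK = "https://system-admin.okta.com/admin/app/generic/oauth20redirect"
REQUIRED_SCOPES = {"Api", "RefreshToken"}
ALLOWED_SCOPES = REQUIRED_SCOPES | {"OfflineAccess"}
FLAGS = {"isPkceRequired": "false", "isConsumerSecretOptional": "false",
         "isSecretRequiredForRefreshToken": "true", "isIntrospectAllTokens": "false"}
MUST_BE_ABSENT = ("certificate", "idTokenConfig", "assetTokenConfig", "singleLogoutUrl")

def audit_connected_app(xml_text):
    """Return findings where a ConnectedApp export differs from the guide."""
    root = ET.fromstring(xml_text)
    oauth = root.find("sf:oauthConfig", NS)
    if oauth is None:
        return ["oauthConfig missing: OAuth settings are not enabled"]
    get = lambda node, tag: (node.findtext(f"sf:{tag}", "", NS) or "").strip()
    findings = []
    if get(oauth, "callbackUrl") != CALLBACK:
        findings.append("callbackUrl differs from the Okta redirect URL")
    scopes = {(e.text or "").strip() for e in oauth.findall("sf:scopes", NS)}
    findings += [f"scope {s} exceeds the guide's selection" for s in sorted(scopes - ALLOWED_SCOPES)]
    findings += [f"scope {s} is missing" for s in sorted(REQUIRED_SCOPES - scopes)]
    for field, want in FLAGS.items():
        got = get(oauth, field).lower() or "false"  # assumption: absent flag means false
        if got != want:
            findings.append(f"{field} is {got}, guide expects {want}")
    findings += [f"{t} is configured, guide leaves it disabled"
                 for t in MUST_BE_ABSENT if oauth.find(f"sf:{t}", NS) is not None]
    policy = root.find("sf:oauthPolicy", NS)
    if policy is None or get(policy, "refreshTokenPolicy") != "infinite":
        findings.append("refreshTokenPolicy is not 'infinite' (valid until revoked)")
    return findings

def sample_app(scopes, secret_for_refresh, refresh_policy):
    """Build a constructed ConnectedApp export for the demo below."""
    scope_xml = "".join(f"<scopes>{s}</scopes>" for s in scopes)
    return (f'<ConnectedApp xmlns="{NS["sf"]}"><oauthConfig>'
            f"<callbackUrl>{CALLBACK}</callbackUrl>{scope_xml}"
            f"<isSecretRequiredForRefreshToken>{secret_for_refresh}</isSecretRequiredForRefreshToken>"
            f"</oauthConfig><oauthPolicy><refreshTokenPolicy>{refresh_policy}"
            f"</refreshTokenPolicy></oauthPolicy></ConnectedApp>")

GOOD = sample_app(["Api", "RefreshToken"], "true", "infinite")
DRIFTED = sample_app(["Api", "Full"], "false", "zero")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("drifted", DRIFTED)):
        print(name, audit_connected_app(doc) or "matches the guide")
```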

 
