Connection to Salesforce with ECA
This is a step-by-step guide to configuring a Salesforce External Client App (ECA) and using it to establish a new connection in CodeScan.
1) Pre-req: get your Callback URL (redirect URI)
For AutoRABIT's CodeScan ECA setup you need the callback URL (redirect URI) that Salesforce will send the authorization code to.
The callback URL depends on your CodeScan instance:
{$instancename}/_codescan/oauth2/authorize
Example:
https://perf.codescan.io/_codescan/oauth2/authorize
Salesforce compares the redirect URI it receives with the registered Callback URL exactly, so copy it verbatim (https scheme, host and path, no trailing slash).
2) Create the External Client App (ECA) in your Salesforce Org
Log in to Salesforce.

In Salesforce, go to Setup.
In Quick Find, search External Client Apps.
Open External Client App Manager (or the External Client Apps area).

Click New External Client App.
Fill in the basics:
Name / Label (e.g. AR_Local)
API Name (auto-filled)
Contact Email
Distribution State:
Local (only for this org)

3) Enable OAuth + set callback URL + scopes
Click Enable OAuth (or expand API (Enable OAuth Settings) and check Enable OAuth).
Set the Callback URL to the value you collected in step 1.
Choose OAuth Scopes:
Access the identity URL service (id, profile, email, address, phone)
Manage user data via APIs (api)
Manage user data via Web browsers (web)
Perform requests at any time (refresh_token, offline_access)

4) Flow Enablement
In Flow Enablement, select Enable Authorization Code and Credentials Flow.
Leave the option that requires user credentials in the POST body disabled (Salesforce shows this option when you choose that flow).

5) Security toggles (common defaults)
In the Security section, the following options should be enabled:
Require secret for Web Server Flow
Require secret for Refresh Token Flow
6) Create the app and capture Client ID / Secret
Click Create.
Open the app’s Settings tab and locate Consumer Key and Secret:
Consumer Key = Client ID
Consumer Secret = Client Secret

When you click the Consumer Key and Secret button, Salesforce sends a verification code to the email address registered for the user creating the configuration.

After you enter the code and verify it in Salesforce, the Consumer Key (Client ID) and Consumer Secret (Client Secret) are displayed.
Store these values in a safe place (for example a secrets manager) and make sure you can retrieve them when needed. The Consumer Secret is a credential: do not share it or commit it to source control.
7) Configure Policies
After creating the ECA, open the Policies tab and adjust as needed (exact options vary by org/security posture), commonly:
Permitted Users: commonly set to Admin approved users are pre-authorized for controlled rollouts.
Add the required profiles/permission sets (or approved users) for who is allowed to authorize.
8) What you’ll use in AutoRABIT
Once created, the values you will reference in your CodeScan configuration are:
Client ID
Client Secret
One ECA per customer org can be used across AutoRABIT products; you do not need to create a separate ECA for each AR product.
After the configuration in Salesforce is complete and you have obtained the Client ID and Client Secret, go to CodeScan to create the connection.
In Project analysis, click Add Analysis Project.

If no previous connections are found, or the required org is not present in the Connection list, a message is displayed directing you to the Salesforce Connections page.

If that is the case, go to the Salesforce Connections page and click an existing connection or the Create connection button.

Create the connection by filling in the required information obtained from Salesforce (Client ID and Client Secret).

Once the connection is created, go back to the Add Analysis page, click Add Analysis Project again and select the desired connection.

Once you click Confirm, a Salesforce login page is shown; log in with the user you intend to use for the analysis.

Salesforce then asks you to grant this user the permissions for the scopes defined in the ECA. Click Allow.

You are then returned to CodeScan to configure the new analysis; fill in the form.

The analysis with the connection is then added to the list:
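
As an added example (not CodeScan's or Salesforce's own code), the following Python models, offline, the redirect-based OAuth 2.0 authorization-code exchange that the Salesforce login and Allow screens above correspond to, and ties each ECA setting to the request it affects: the Callback URL from step 1 (exact-match redirect_uri), the scopes from step 3, and the "Require secret" toggles from step 5 (client_secret on the token and refresh requests). It assumes the standard Salesforce endpoints /services/oauth2/authorize and /services/oauth2/token on https://login.salesforce.com; the client ID, secret, authorization code and the callback redirect it parses are constructed placeholders. No network calls are made.

```python
"""Offline model of the OAuth 2.0 authorization-code exchange CodeScan performs
against the ECA configured above. Added illustration, not CodeScan or Salesforce code.
Assumes the standard Salesforce endpoints /services/oauth2/authorize and
/services/oauth2/token; all credentials and callbacks below are placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"  # assumed; sandboxes use test.salesforce.com

# The scopes enabled on the ECA in step 3, as Salesforce scope tokens.
ECA_SCOPES = ["id", "profile", "email", "address", "phone",
              "api", "web", "refresh_token", "offline_access"]


def callback_url(instance: str) -> str:
    """Derive the Callback URL of step 1 from the CodeScan instance base URL.
    Salesforce matches redirect_uri against the registered Callback URL exactly,
    so the value must be https, host only, the fixed path, and no trailing slash."""
    parsed = urlparse(instance.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"instance must be an https base URL, got {instance!r}")
    return f"https://{parsed.netloc}/_codescan/oauth2/authorize"


def new_state() -> str:
    """Unguessable per-request state, bound to the user's session so the
    callback can be checked against it (CSRF protection for the redirect)."""
    return secrets.token_urlsafe(32)


def authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """The URL the browser is sent to (the Salesforce login shown by CodeScan).
    The Allow screen lists exactly the scopes requested here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(ECA_SCOPES),
        "state": state,
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(returned_url: str, expected_state: str, redirect_uri: str) -> str:
    """Validate the redirect Salesforce sends back and extract the code.
    Rejects a callback on the wrong URI, a denied consent, or a wrong state."""
    parsed = urlparse(returned_url)
    if f"https://{parsed.netloc}{parsed.path}" != redirect_uri:
        raise ValueError("callback arrived at an unexpected redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    return query["code"][0]


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Endpoint and body for the code-for-token exchange. 'Require secret for
    Web Server Flow' (step 5) is why client_secret must be present here."""
    return LOGIN_HOST + "/services/oauth2/token", {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must equal the value sent in authorize_url
    }


def refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """Endpoint and body for renewing the access token (refresh_token scope).
    'Require secret for Refresh Token Flow' (step 5) makes client_secret mandatory."""
    return LOGIN_HOST + "/services/oauth2/token", {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def demo():
    """Walk the exchange end to end with constructed placeholder values."""
    redirect = callback_url("https://perf.codescan.io/")
    state = new_state()
    url = authorize_url("PLACEHOLDER_CONSUMER_KEY", redirect, state)
    # Constructed callback, as Salesforce would redirect the browser after Allow.
    returned = f"{redirect}?code=placeholderCODE&state={state}"
    code = parse_callback(returned, state, redirect)
    endpoint, body = token_request("PLACEHOLDER_CONSUMER_KEY", "placeholder-secret", code, redirect)
    return redirect, url, code, endpoint, body


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The exact-match check in callback_url and parse_callback is the part that bites in practice: a Callback URL registered with a trailing slash or an http scheme causes Salesforce to reject the authorization request before any login screen appears.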
