Authenticating to FinancialForce APIs
There are several authentication methods available for connecting to FinancialForce: login credentials, SSO, and OAuth.
Authenticating with a Login and Token
Set the User and Password to your login credentials. Additionally, set the SecurityToken. By default, the SecurityToken is required, but you can make it optional by allowing a range of trusted IP addresses.
To disable the security token:
- Log in to FinancialForce and enter Network Access in the Quick Find box in the setup section.
- Add your IP address to the list of trusted IP addresses.
To obtain the security token:
- Open the personal information page on FinancialForce.com.
- Click the link to reset your security token. The token will be emailed to you.
- Specify the security token in the SecurityToken connection property or append it to the Password.
Authenticating with OAuth
If you do not have access to the user name and password or do not want to require them, use the OAuth user consent flow. See Using OAuth Authentication for an authentication guide.
Connecting to FinancialForce APIs
By default, the provider connects to production environments. Set UseSandbox to true to use a FinancialForce sandbox account. Ensure that you specify a sandbox user name in User.
Using OAuth Authentication
OAuth requires the authenticating user to interact with FinancialForce using the browser. The provider facilitates this in various ways as described below.
Custom Credentials
You need to register an app to obtain the OAuthClientId and OAuthClientSecret.
Web Applications
You need to create an OAuth app to use in the web flow. See Creating a Custom OAuth App for the procedure.
Desktop Applications
You need to create an OAuth app. See Creating a Custom OAuth App for the procedure.
Headless Machines
In the headless OAuth flow, users need to authenticate via a browser on another machine. You need to create a custom OAuth app. See Creating a Custom OAuth App for the procedure.
Creating a Custom OAuth App
See Creating a Custom OAuth App for the procedure.
Custom Credentials
This section describes desktop authentication using the credentials for your custom OAuth app. See Creating a Custom OAuth App for more information.
Get an OAuth Access Token
After setting the following, you are ready to connect:
- OAuthClientId: Set to the Client ID in your app settings.
- OAuthClientSecret: Set to the Client Secret in your app settings.
- CallbackURL: Set to the Redirect URL in your app settings.
- InitiateOAuth: Set to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
- Extracts the access token from the callback URL and authenticates requests.
- Obtains a new access token when the old one expires.
- Saves OAuth values in OAuthSettingsLocation to be persisted across connections.
Web Authentication with Your OAuth App
When connecting via a web application, you need to register a custom OAuth app with FinancialForce. See Creating a Custom OAuth App for more information. You can then use the provider to get and manage the OAuth token values.
Get an OAuth Access Token
Set the following connection properties to obtain the OAuthAccessToken:
- OAuthClientId: Set to the Client ID in your app settings.
- OAuthClientSecret: Set to the Client Secret in your app settings.
You can then call stored procedures to complete the OAuth exchange:
- Call the GetOAuthAuthorizationUrl stored procedure. Set the AuthMode input to WEB and set the CallbackURL input to the Redirect URI you specified in your app settings. If necessary, set the Permissions parameter to request custom permissions. The stored procedure returns the URL to the OAuth endpoint.
- Open the URL, log in, and authorize the application. You are redirected back to the callback URL.
- Call the GetOAuthAccessToken stored procedure. Set the AuthMode input to WEB. Set the Verifier input to the "code" parameter in the query string of the callback URL. If necessary, set the Permissions parameter to request custom permissions.
To connect to data, set the OAuthAccessToken connection property to the access token returned by the stored procedure. When the access token expires after ExpiresIn seconds, call GetOAuthAccessToken again to obtain a new access token.
Headless Machines
To create FinancialForce data sources on headless servers or other machines on which the provider cannot open a browser, you need to authenticate from another machine. Authentication is a two-step process.
- Instead of installing the provider on another machine, you can follow the steps below to obtain the OAuthVerifier value. Or, you can install the provider on another machine and transfer the OAuth authentication values, after you authenticate through the usual browser-based flow.
- You can then configure the provider to automatically refresh the access token from the headless machine.
You can follow the headless OAuth authentication flow using the provider's embedded OAuth credentials or using the OAuth credentials for your custom OAuth app.
Using the Credentials for a Custom OAuth App
Create a Custom OAuth App
See Creating a Custom OAuth App for a procedure. This section describes the procedure to authenticate and connect to data.
Obtain a Verifier Code
First, set the following properties on the headless machine:
- InitiateOAuth: Set to OFF.
- OAuthClientId: Set to the App ID in your app settings.
- OAuthClientSecret: Set to the App Secret in your app settings.
Next, authenticate from another machine and obtain the OAuthVerifier connection property:
- Call the GetOAuthAuthorizationUrl stored procedure with the CallbackURL input parameter set to the exact Redirect URI you specified in your app settings.
- Open the returned URL in a browser. Log in and grant permissions to the provider. You are then redirected to the callback URL, which contains the verifier code.
- Save the value of the verifier code. You need to set this in the OAuthVerifier connection property.
Finally, on the headless machine, set the following connection properties to obtain the OAuth authentication values:
- OAuthVerifier: Set to the verifier code.
- OAuthSettingsLocation: Set to persist the encrypted OAuth authentication values to the specified file.
- InitiateOAuth: Set to REFRESH.
Connect to Data
After the OAuth settings file is generated, set the following properties to connect to data:
- OAuthSettingsLocation: Set to the file containing the encrypted OAuth authentication values. Make sure this file gives read and write permissions to the provider to enable the automatic refreshing of the access token.
- InitiateOAuth: Set to REFRESH.
Transfer OAuth Settings
To install the provider on another machine, authenticate, and then transfer the resulting OAuth values:
- On a second machine, install the provider and connect with the following properties set:
- OAuthSettingsLocation: Set to a writable text file.
- InitiateOAuth: Set to GETANDREFRESH.
- OAuthClientId: Set to the Client ID in your app settings.
- OAuthClientSecret: Set to the Client Secret in your app settings.
- CallbackURL: Set to the Callback URL in your app settings.
- Test the connection to authenticate. The resulting authentication values are written, encrypted, to the path specified by OAuthSettingsLocation. Once you have successfully tested the connection, copy the OAuth settings file to your headless machine. On the headless machine, set the following connection properties to connect to data:
- InitiateOAuth: Set to REFRESH.
- OAuthSettingsLocation: Set to the path to your OAuth settings file. Make sure this file gives read and write permissions to the provider to enable the automatic refreshing of the access token.
Creating a Custom OAuth App
If you do not have access to the user name and password or do not wish to require them, you can use OAuth authentication. FinancialForce uses the OAuth authentication standard, which requires the authenticating user to interact with FinancialForce via the browser. The provider facilitates the OAuth exchange in various ways, as described in this section.
Create a Connected App
To obtain the OAuth client credentials, consumer key, and consumer secret:
- Log in to FinancialForce.com.
- From Setup, enter Apps in the Quick Find box and then click the link to create an app. In the Connected Apps section of the resulting page, click New.
- Enter a name to be displayed to users when they log in to grant permissions to your app, along with a contact Email address.
- Click Enable OAuth Settings and enter a value in the Callback URL box. If you are making a desktop application, set the Callback URL to http://localhost:33333 or a different port number of your choice. If you are making a web application, set the Callback URL to a page on your Web app you want the user to be returned to after they have authorized your application.
- Select the scope of permissions that your app should request from the user.
- Click your app name to open a page with information about your app. The OAuth client credentials, the consumer key, and consumer secret are displayed.
Authenticate to FinancialForce from a Desktop Application
After setting the following connection properties, you are ready to connect:
- OAuthClientId: Set to the consumer key in your app settings.
- OAuthClientSecret: Set to the consumer secret in your app settings.
- CallbackURL: Set to the callback URL in your app settings.
- InitiateOAuth: Set to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken connection property.
When you connect, the provider opens the OAuth endpoint in your default browser. Log in and grant permissions to the application. The provider then completes the following OAuth process:
- Gets the callback URL and sets the access token and OAuthServerUrl to authenticate requests.
- Saves OAuth values in OAuthSettingsLocation to be persisted across connections.
- Exchanges the returned refresh token for a new, valid access token.
Authenticate to FinancialForce from a Web Application
To obtain the access token, set the following connection properties:
- OAuthClientId: Set to the consumer key in your app settings.
- OAuthClientSecret: Set to the consumer secret in your app settings.
- CallbackURL: Set to the callback URL in your app settings.
When connecting via a web application, or if the provider is not authorized to open a browser window, you need to exchange temporary verification values for the access token:
- Call GetOAuthAuthorizationUrl. The stored procedure returns the URL to the OAuth endpoint.
- Log in and authorize the application. You are redirected back to the callback URL. If you set the GrantType parameter to Implicit, the callbackURL contains the OAuthAccessToken and OAuthServerUrl in a query string parameter. If you set the GrantType parameter to code, the callback URL contains the verifier code in the query string parameter named "code". Extract the verifier code and call GetOAuthAccessToken.
To connect to data, set the following connection properties:
- OAuthAccessToken
- OAuthServerUrl
To automatically refresh the access token when it expires, set InitiateOAuth to REFRESH and set OAuthRefreshToken. Alternatively, call the RefreshOAuthAccessToken stored procedure when the access token expires. Given a refresh token as input, the procedure returns a valid OAuth access token.
As an alternative to retrieving the authorization URL and having the user log in to FinancialForce, you can set up a password grant type by calling GetOAuthAccessToken, setting GrantType to PASSWORD. Here, you need to ensure that the user name and password are both set in the connection string, in addition to the client ID and secret of your application. Note that InitiateOAuth must be set to OFF for the password grant type to work. You cannot refresh the token obtained this way. This method has the advantage of removing the login step for users that cannot open a web browser, but it has the disadvantage of the user's credentials being exchanged in plain text between the server and FinancialForce.
Note: You can configure the session timeout in FinancialForce by navigating to Setup > Administration Setup > Security Controls > Session Settings.
Customizing the SSL Configuration
By default, the provider attempts to negotiate SSL/TLS by checking the server's certificate against the system's trusted certificate store. To specify another certificate, see the SSLServerCert property for the available formats to do so.
Connecting Through a Firewall or Proxy
HTTP Proxies
To connect through the Windows system proxy, you do not need to set any additional connection properties. To connect to other proxies, set ProxyAutoDetect to false.
In addition, to authenticate to an HTTP proxy, set ProxyAuthScheme, ProxyUser, and ProxyPassword, in addition to ProxyServer and ProxyPort.
Other Proxies
Set the following properties: Set FirewallType, FirewallServer, and FirewallPort. To tunnel the connection, set FirewallType to TUNNEL. To authenticate specify FirewallUser and FirewallPassword. To authenticate to a SOCKS proxy, additionally set FirewallType to SOCKS5.
Authenticating with SSO
The provider supports SSO authentication through the OneLogin, PingFederate, and OKTA identity providers. All identity providers require the following common connection properties. You can find the values for the following properties in the FinancialForce account settings by navigating to Administration Setup > Security Controls > SAML Single Sign-On and then choosing the desired organization.
- SSOLoginUrl: Set to your SSO endpoint, as shown in the following examples:
- OneLogin:
https://app.onelogin.com/saml/metadata/123455
- PingFederate:
https://myssoendpoint/idp/sts.wst
- OneLogin:
- SSOTokenUrl: Set to your FinancialForce OAuth 2.0 token endpoint for SSO. For example:
https://mysite.salesforce.com/services/oauth2/token?so=1234567
You also need to specify other properties specific to the identity provider in SSOProperties. See SSOProperties in Connection String Options for more details.
Troubleshooting the Connection
To show provider activity from query execution to network traffic, use Logfile and Verbosity. The examples of common connection errors below show how to use these properties to get more context. Contact the support team for help tracing the source of an error or circumventing a performance issue.
- Authentication errors: Typically, recording a Logfile at Verbosity 4 is necessary to get full details on an authentication error.
- Queries time out: A server that takes too long to respond exceeds the provider's client-side timeout. Often, setting the Timeout property to a higher value avoids a connection error. Another option is to disable the timeout by setting the property to 0. Setting Verbosity to 2 shows where the time is being spent.
-
The certificate presented by the server cannot be validated: This error indicates that the provider cannot validate the server's certificate through the chain of trust. If you are using a self-signed certificate, there is only one certificate in the chain. To resolve this error, you must verify that the certificate can be trusted and specify to the provider that you trust the certificate. You can specify that you trust a certificate by adding the certificate to the trusted system store or by setting SSLServerCert.