You can modify settings and permissions for a connected app. For example, you can change the session-level policy and basic information for all connected apps. And you can change OAuth policies for OAuth-enabled connected apps.
Available in: both Salesforce Classic and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Connected Apps can be installed in: All Editions
User Permissions Needed
To create, update, or delete:
“Customize Application” AND either
“Modify All Data” OR “Manage Connected Apps”
To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes:
To update Profiles, Permission Sets, and Service Provider SAML Attributes:
“Customize Application” AND “Modify All Data”
“Download AppExchange Packages”
From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
Click Edit next to the name of the app that you want to modify. To review information about an app on the connected app detail page, click the app name.
The following OAuth policies are available for every OAuth-enabled connected app.
Permitted Users determines who can run the app.
All Users may self-authorize: Default. Anyone in the org can self-authorize the app. This setting means that each user must approve the app the first time they access it.
Admin-approved users are pre-authorized: Access is limited to those users with the appropriate profile or permission set. But these users don’t have to approve the app before they can access it. In Group Edition, no users can access the app with this setting. Manage profiles for the app by editing each profile’s Connected App Access list (except in Group Edition). Manage permission sets for the app by editing each permission set’s Assigned Connected Apps list.
If you switch from All Users may self-authorize to Admin-approved users are pre-authorized, anyone using the app loses access, unless the user belongs to a permission set or profile that you have specified for the app.
If the user’s profile or permission set has the “Use Any API Client” user permission enabled, the Admin-approved users are pre-authorized policy can be bypassed. This user permission is available only if the “Admin Approved apps only” org permission is enabled. The “Use Any API Client” user permission allows a non-admin-approved user to access and run the app, even if the connected app’s settings require admin-approved users and the “Admin Approved apps only” org permission is enabled. This permission scheme allows specific users, such as short-term contractors, to access a connected app temporarily.
IP Relaxation refers to the IP restrictions that the users of the connected app are subject to. IP ranges work with OAuth-enabled connected apps, not SAML-enabled connected apps. A Salesforce admin can choose to either enforce or bypass these restrictions by choosing one of the following options.
Enforce IP restrictions: Default. A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.
Relax IP restrictions with second factor: A user running this app bypasses the org’s IP restrictions when either of these conditions is true:
The app has IP ranges whitelisted and is using the Web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
The app has no IP range whitelist, is using the Web server or user-agent OAuth authentication flow, and the user successfully completes Identity Confirmation.
Relax IP restrictions: A user running this connected app is not subject to any IP restrictions.
Refresh Token Policy specifies how long the refresh token is valid. Refresh tokens are used by the OAuth-enabled connected app to obtain new sessions without requiring the user to provide their credentials. The connected app simply exchanges the refresh token for a new session. Using refresh token policies, Salesforce admins control how long a refresh token is used. Options include the following.
Refresh token is valid until revoked. This setting is the default behavior. The refresh token is used indefinitely, unless revoked by the user or Salesforce admin. You revoke tokens in a user’s detail page under OAuth Connected Apps or in the OAuth Connected Apps Usage report.
Immediately expire refresh token. This setting specifies that the token is invalid immediately. The user can use the current session (access token) already issued, but can’t use the refresh token to obtain a new session.
Expire refresh token if not used for n. This setting invalidates the token if it isn’t used for the amount of time specified. For example, if set to 7 days, and the refresh token isn’t exchanged for a new session within 7 days, the next attempt to use the token fails. The expired token can’t generate new sessions. If the refresh token is exchanged within 7 days, the token is valid for another 7 days, and the inactivity period starts over from that exchange.
Expire refresh token after n. This setting invalidates the refresh token after a fixed amount of time. For example, if the policy states 1 day, the refresh token can be used to obtain new sessions only for 24 hours.
You can control how long a user’s session lasts by setting the timeout value for the connected app, user profile, or org’s session settings (in that order). The Refresh Token Policy is evaluated only during usage of the issued refresh token and doesn’t affect a user’s current session. Refresh tokens are required only when a user’s session has expired or isn’t available. For example, if you set a Refresh Token Policy to Expire refresh token after 1 hour, and the user uses the app for 2 hours, the user isn’t forced to authenticate after 1 hour. The user is required to authenticate again when the session expires and the client attempts to exchange its refresh tokens for a new session.
Timeout Value is available only for OAuth-enabled connected apps. This value sets the expiration of the access tokens for the connected app's session. If you don’t set a value or None is selected (the default), Salesforce uses the Timeout Value in the user’s profile. If the profile doesn’t specify a timeout value, Salesforce uses the timeout value in the org’s Session Settings.
The current permissions for the connected app are also listed in the org’s Session Settings.
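The following added example (not Salesforce code) models the refresh token policies and the timeout precedence described above and replays the page's "Expire refresh token after 1 hour, app used for 2 hours" scenario; the 2-hour connected app timeout, the profile and org timeouts, and the epoch timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
HOUR = 3600

class RefreshPolicy(Enum):
    VALID_UNTIL_REVOKED = 1     # default: usable until a user or admin revokes it
    IMMEDIATELY_EXPIRE = 2      # refresh token can never mint a new session
    EXPIRE_IF_NOT_USED_FOR = 3  # sliding inactivity window of n seconds
    EXPIRE_AFTER = 4            # fixed lifetime of n seconds from issue

@dataclass
class RefreshToken:
    issued_at: int              # constructed epoch seconds, not real token data
    last_used_at: int
    revoked: bool = False

def effective_timeout(app: Optional[int], profile: Optional[int], org: int) -> int:
    """Precedence from the page: connected app, then user profile, then org Session Settings."""
    return app if app is not None else (profile if profile is not None else org)

def refresh_token_usable(tok: RefreshToken, policy: RefreshPolicy, n: int, now: int) -> bool:
    if tok.revoked or policy is RefreshPolicy.IMMEDIATELY_EXPIRE:
        return False
    if policy is RefreshPolicy.VALID_UNTIL_REVOKED:
        return True
    if policy is RefreshPolicy.EXPIRE_IF_NOT_USED_FOR:
        return now - tok.last_used_at <= n
    return now - tok.issued_at <= n          # EXPIRE_AFTER

def exchange(tok: RefreshToken, policy: RefreshPolicy, n: int, now: int, timeout: int) -> Optional[int]:
    """Trade the refresh token for a new session; returns its expiry, or None if login is required."""
    if not refresh_token_usable(tok, policy, n, now):
        return None
    tok.last_used_at = now                   # a successful exchange resets the inactivity clock
    return now + timeout

def needs_reauth(tok, policy, n, session_expires_at, timeout, now) -> bool:
    """The refresh policy is consulted only once the current session has expired."""
    if now < session_expires_at:
        return False
    return exchange(tok, policy, n, now, timeout) is None

def page_example() -> tuple:
    """Expire refresh token after 1 hour, app timeout 2 hours (assumed), user active for 2 hours."""
    timeout = effective_timeout(app=2 * HOUR, profile=30 * 60, org=15 * 60)
    tok = RefreshToken(issued_at=0, last_used_at=0)
    at_1h = needs_reauth(tok, RefreshPolicy.EXPIRE_AFTER, HOUR, timeout, timeout, 1 * HOUR)
    at_2h = needs_reauth(tok, RefreshPolicy.EXPIRE_AFTER, HOUR, timeout, timeout, 2 * HOUR)
    return at_1h, at_2h                      # (False, True)
```

At the 1-hour mark the session is still live so the expired refresh policy is never consulted; at the 2-hour mark the session is gone and the 1-hour refresh token can no longer be exchanged, so the user must log in again.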
If your connected app is a canvas app that uses signed request authentication, be sure to:
Set Permitted Users to Admin-approved users are pre-authorized.
Set Expire Refresh Tokens to The first time they use this application.
Give users access via profiles and permission sets.
Session Level Policy is available for all connected apps. Select High Assurance session required to require users to enter a time-based token when trying to log in to access the app.
Basic Information is available for all connected apps. However, if your app is a canvas app, these field values are ignored. Instead, it uses the canvas app URL that was specified when the connected app was created.
Start URL is used if the connected app uses single sign-on. In this case, set the URL to the page where the user starts the authentication process. This location also appears in the app menu.
Mobile Start URL is used to direct users to a specific location when the app is accessed from a mobile device.
Mobile App settings are available for mobile connected apps that enforce PIN protection.
Require PIN after specifies how much time can pass while the app is idle before the app locks itself and requires the PIN before continuing. Allowable values are none (no locking), 1, 5, 10, and 30 minutes. This policy is only enforced if a corresponding Pin Length is configured. Enforcement of the policy is the responsibility of the connected app. Apps written with the Salesforce Mobile SDK can enforce this policy, or the app can read the policy from the UserInfo service and enforce it itself.
This setting doesn’t invalidate a user’s session. When the session expires due to inactivity, this policy only requires that the user enter a PIN to continue using the current session.
Pin Length sets the length of the identification number sent for authentication confirmation. The length can be from 4 to 8 digits, inclusive.
Custom attributes are available for all connected apps. Developers can set custom SAML metadata or custom OAuth attributes for a connected app. Salesforce admins can delete or edit the attributes or add custom attributes. Attributes deleted, edited, or added by admins override attributes set by developers. For more information, see Edit, Package, or Delete a Connected App.
Custom Connected App Handler
Customize the behavior of a connected app with Apex. Create a class that extends the ConnectedAppPlugin Apex class, and associate it with a connected app. The class can support new authentication protocols or respond to user attributes in a way that benefits a business process.
The plug-in runs on behalf of a user account. In the Run As field, select the user for the plug-in. If the user isn’t authorized for the connected app, use the authorize method to do so. For more information, see the ConnectedAppPlugin class in the Apex Code Developer's Guide.