          Connected App Use Cases


          There are four main use cases for which your org can implement connected apps. You can use a connected app to integrate external applications with the Salesforce API, such as a web-based app that pulls in order status data from your Salesforce org. You can also use connected apps to integrate service providers with your Salesforce org, and to set security policies to control what data a third-party app can access from your org. And you can configure a connected app to provide authorization for external API gateways, such as API gateways hosted on MuleSoft’s Anypoint Platform.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Connected Apps can be installed in: All editions

          Note: Connected app creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ‘26 for more details.

          Access Data with API Integration

          You can use a connected app to request access to Salesforce data on behalf of an external application. For a connected app to request access, it must be integrated with the Salesforce API using the OAuth 2.0 protocol. OAuth 2.0 is an open protocol that authorizes secure data sharing between applications through the exchange of tokens. Developers and independent software vendors (ISVs) use OAuth authorization flows to integrate their app with the Salesforce API. These authorization flows enable a user to work in one app but see the data from another.

          For more information about configuring a connected app for API integration, see Enable OAuth Settings for API Integration.

          Integrate Service Providers with Your Salesforce Org

          When Salesforce acts as your identity provider, you can use a connected app to integrate your service provider with your Salesforce org. Use one of these methods to configure a connected app for a service provider.

          You can use a connected app with SAML 2.0 to integrate a service provider with your Salesforce org. Salesforce supports SAML single sign-on (SSO) when the service provider or the identity provider initiates the flow.

          For example, you build a custom Your Benefits web app that implements SAML 2.0 for user authentication. You want your users to be able to log in to this app with their Salesforce credentials. To set up this SSO flow, configure the Your Benefits web app as a connected app. Define your Salesforce org as the SAML identity provider for the connected app. Your users can now log in to the Your Benefits web app with their Salesforce credentials.

          For more information about configuring a connected app for SAML SSO, see Integrate Service Providers as Connected Apps with SAML 2.0.

          You can also use a connected app with OpenID Connect to integrate a service provider with your Salesforce org. To use this option, the service provider must accept OpenID Connect tokens.

          For example, you want your users to sign on directly from your Salesforce org to an external Wellness Tracker app that accepts OpenID Connect. So you create a connected app for the Wellness Tracker app. For the connected app, you enable OAuth settings, select the “Allow access to your unique identifier (openid)” scope, and configure an ID token. This configuration enables the SSO flow for your Wellness Tracker app by integrating the service provider with your Salesforce org.

          For more information about configuring a connected app for OpenID Connect SSO, see Integrate Service Providers as Connected Apps with OpenID Connect.

          Manage Access to Third-Party Apps

          Admins can set security policies to control what data a third-party app can access from your org. Admins can also define who can use the third-party app.

          For example, you install a third-party app that allows your org’s users to make travel reservations. By selecting the option “Admin approved users are pre-authorized” for the connected app, you can assign specific user profiles to the app. Only the users with this user profile can access the app. You can also set a refresh token policy to revoke the travel reservation app’s access to your Salesforce data after a set amount of time.

          In addition to setting security policies to manage third-party apps, you can uninstall, and—when necessary—block these apps from the Salesforce org.

          For more information about managing connected apps, see Manage Access to a Connected App.
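One way to review the access policies described above across many connected apps, as an added example that is not Salesforce code or a Salesforce API. It assumes the policies were exported into simple records; the field names, the sample inventory and the 30-day lifetime threshold are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_REFRESH_TTL_HOURS = 24 * 30  # assumed org standard, not a Salesforce default

@dataclass
class AppPolicy:
    """One exported connected-app policy row (hypothetical field names)."""
    name: str
    admin_preauthorized: bool            # "Admin approved users are pre-authorized"
    assigned_profiles: List[str] = field(default_factory=list)
    refresh_ttl_hours: Optional[int] = None   # None: token never expires on its own
    blocked: bool = False

def audit(app: AppPolicy) -> List[str]:
    """Return policy findings for one app; blocked apps have no access to review."""
    if app.blocked:
        return []
    findings = []
    if not app.admin_preauthorized:
        findings.append("not limited to admin-approved users")
    elif not app.assigned_profiles:
        findings.append("pre-authorized but no profile assigned; check if still needed")
    if app.refresh_ttl_hours is None:
        findings.append("refresh token has no expiry")
    elif app.refresh_ttl_hours > MAX_REFRESH_TTL_HOURS:
        findings.append(f"refresh token lifetime {app.refresh_ttl_hours}h exceeds "
                        f"{MAX_REFRESH_TTL_HOURS}h")
    return findings

def audit_inventory(apps: List[AppPolicy]) -> dict:
    """Map app name -> findings, listing only apps that have at least one."""
    report = {}
    for app in apps:
        found = audit(app)
        if found:
            report[app.name] = found
    return report

# Constructed sample inventory for illustration only.
INVENTORY = [
    AppPolicy("Travel Reservations", True, ["Sales Travel"], 720),
    AppPolicy("Legacy Sync", False, [], None),
    AppPolicy("Old Reporting", True, [], 2160),
    AppPolicy("Blocked Tool", False, [], None, blocked=True),
]

if __name__ == "__main__":
    for name, found in audit_inventory(INVENTORY).items():
        print(f"{name}: " + "; ".join(found))
```
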

          Provide Authorization for External API Gateways

          Salesforce can act as an independent OAuth authorization server to protect resources hosted on an external API gateway. Using OpenID Connect dynamic client registration, resource servers can dynamically create client apps as connected apps in Salesforce. Salesforce can then authorize these connected apps to access protected resources hosted by the third-party service.

          For example, Salesforce can act as the OAuth authorization server for API gateways that are hosted on MuleSoft's Anypoint Platform. MuleSoft’s Anypoint Platform, which is the resource server, can dynamically create client apps as connected apps. These connected apps can send a request to Salesforce asking for access to data protected by the API gateways. Salesforce can then authorize the connected apps, granting them access to the data protected by the API gateways.

          For more information about OpenID Connect dynamic client registration, see OpenID Connect Dynamic Client Registration for External API Gateways.

          Your Part in Creating and Managing Connected Apps

          It’s important to understand how you can work with a connected app.

          • Connected app developer—As a Salesforce developer or ISV, you build API integrations or external apps that can access Salesforce data as a connected app. As a developer, you can build a connected app for your org, but other Salesforce orgs can install it for use, too.
          • Connected app admin—As a Salesforce admin, you install, uninstall, and—when necessary—block connected apps from the Salesforce org. As an admin, you also configure permissions and policies for the apps, explicitly defining who can use the connected apps and where they can access the apps from. These permissions and policies, which include profiles, permission sets, IP range restrictions, and multi-factor authentication (MFA), provide extra security for your org.

          In addition, make sure that you understand whether your org is the connected app’s owner or consumer.

          • Connected App Owner—As a connected app owner, your Salesforce org built the app. You can edit the app’s characteristics and manage its access policies. For example, you decide the type of information (such as a client secret) that the connected app must provide to gain access to data in your Salesforce org.
          • Connected App Consumer—As a connected app consumer, your org installed the app from the AppExchange Marketplace or as a managed package from a third-party vendor’s website. You can only edit the app’s access policies, such as determining who can use the app and whether the app can access data from a remote location.