Salesforce initial setup
For initial load, see Salesforce Reader initial setup.
For continuous real-time replication, see Salesforce CDC Reader initial setup.
For continuous incremental replication, see Salesforce Reader initial setup.
The following discussions of networking and security apply to both initial load and either approach to continuous replication.
Networking setup
You need to establish proper network connectivity between your Striim environment and Salesforce. This involves configuring network access, firewall rules, and connection parameters to ensure reliable communication.
Ensure that the Striim server can connect to your Salesforce instance on the correct port (typically 443).
Also consider network latency and bandwidth requirements, especially for high-volume CDC scenarios. For optimal performance, minimize the network latency between Striim and Salesforce.
Security
Security configuration for Salesforce integration involves multiple layers, including authentication, authorization, network security, and data protection measures.
You must implement proper authentication mechanisms between Striim and Salesforce. This includes creating dedicated database users with minimal required privileges following the principle of least privilege. You should avoid using administrative accounts and instead create specific users for Striim operations with only the necessary permissions for the tables and operations required.
You should implement access control at multiple levels, including database-level permissions, schema-level access controls, and table-level privileges. You should regularly review and audit the permissions granted to Striim users and implement proper password policies and rotation procedures for service accounts.
API Access Control requirements
If the Striim OAuth app is not installed in your Salesforce environment, users must have the Use Any API Client permission enabled in Salesforce's API Access Control settings to authorize the connection. Without this permission, OAuth authentication fails.
To enable this permission:
1. In Salesforce Setup, navigate to Users > Permission Sets or Profiles.
2. Select the permission set or profile assigned to the user connecting from Striim.
3. Enable the Use Any API Client permission under Administrative Permissions.
For more information, see API Access Control in the Salesforce documentation.
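The least-privilege and API Access Control guidance above can be checked mechanically during a permission review. The following is an added example, not code from Striim or Salesforce: it audits a constructed CSV export of the permission sets assigned to the connecting user. The export layout, the sample rows, the `audit` function, and the choice of which permissions count as administrative are assumptions of this example; the column names follow Salesforce's `Permissions<Name>` field convention.

```python
import csv
import io

# Assumption: permissions treated as "administrative" for this review.
ADMIN_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData",
               "PermissionsManageUsers", "PermissionsCustomizeApplication")
ANY_API_CLIENT = "PermissionsUseAnyApiClient"

# Constructed sample export: one row per permission set assigned to a user.
SAMPLE_EXPORT = """\
Assignee,PermissionSet,PermissionsUseAnyApiClient,PermissionsModifyAllData,PermissionsViewAllData,PermissionsManageUsers,PermissionsCustomizeApplication
striim.svc@example.com,Striim_Integration,true,false,false,false,false
striim.svc@example.com,Legacy_Admin_Bundle,false,true,true,false,false
etl.old@example.com,Read_Only_API,false,false,false,false,false
"""

def _on(row, column):
    return row.get(column, "").strip().lower() == "true"

def audit(export_text, striim_app_installed):
    """Return {user: [findings]} for every user in the export."""
    granted = {}  # user -> {permission column: [permission sets granting it]}
    for row in csv.DictReader(io.StringIO(export_text)):
        perms = granted.setdefault(row["Assignee"], {})
        for col in ADMIN_PERMS + (ANY_API_CLIENT,):
            if _on(row, col):
                perms.setdefault(col, []).append(row["PermissionSet"])
    report = {}
    for user, perms in granted.items():
        # Effective permissions are the union of all assigned sets, so an
        # admin grant in any one set makes the account administrative.
        findings = [f"admin-level {col} via {', '.join(perms[col])}"
                    for col in ADMIN_PERMS if col in perms]
        if not striim_app_installed and ANY_API_CLIENT not in perms:
            findings.append("Use Any API Client missing: OAuth authorization will fail")
        # Inference from the page: the permission is only needed when the
        # Striim OAuth app is not installed, so flag it otherwise.
        if striim_app_installed and ANY_API_CLIENT in perms:
            findings.append("Use Any API Client granted but not required")
        report[user] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_EXPORT, striim_app_installed=False).items():
        print(user, "->", findings or "ok")
```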
Supported authentication methods
The following table summarizes the authentication methods supported by the Salesforce Reader, Salesforce CDC Reader, and Salesforce Writer.
| Authentication method | Striim support | Integration User | Recommendation |
|---|---|---|---|
| OAuth - Authorization Code | Connection Profile only | Supported | Default when using Connection Profiles (browser login). |
| OAuth - Refresh Token | Both (managed automatically after login) | Supported | Managed automatically after login. |
| OAuth - JWT Bearer | Without Connection Profile only | Recommended | Best option for headless and server-to-server integrations. |
| OAuth - Username-Password | Not supported | Indirect | Discouraged by Salesforce. |
| OAuth - User-Agent (Implicit) | Not supported | Not supported | Not applicable for backend integrations. |
| OAuth - Device Flow | Not supported | Not supported | Not applicable. |
| Username + Password + Security Token | Without Connection Profile only | Indirect | Legacy fallback option. |
| Session ID reuse | Indirect (without Connection Profile only) | Not supported | Not recommended. |
| SAML Assertion Flow | Not supported | Indirect | Requires exchange to OAuth. Not directly supported. |
For more information about Integration Users, see Integration User in the Salesforce documentation.