Search PingOne External Objects in Salesforce Connect (API Server)

The CData API Server enables you to access PingOne data from cloud-based applications like the Salesforce console and mobile applications like the Salesforce1 Mobile App. In this article, you will use the API Server and Salesforce Connect to access PingOne external objects alongside standard Salesforce objects.

Set Up the API Server

If you have not already done so, download the CData API Server. Once you have installed the API Server, follow the steps below to begin producing secure PingOne OData services:

Connect to PingOne

To work with PingOne data from Salesforce Connect, we start by creating and configuring a PingOne connection. Follow the steps below to configure the API Server to connect to PingOne data:

1. First, navigate to the Connections page.
2. Click Add Connection and then search for and select the PingOne connection. 👁 Selecting a data source (SQLite is shown)
   
3. Enter the necessary authentication properties to connect to PingOne.

   To connect to PingOne, configure these properties:

   • : The region where the data for your PingOne organization is being hosted.
   • : The type of authentication to use when connecting to PingOne.
   • Either (required when using the default PingOne domain) or , configured as described below.

   Configuring WorkerAppEnvironmentId

   is the ID of the PingOne environment in which your Worker application resides. This parameter is used only when the environment is using the default PingOne domain (auth.pingone). It is configured after you have created the custom OAuth application you will use to authenticate to PingOne, as described in Creating a Custom OAuth Application in the Help documentation.

   First, find the value for this property:

   1. From the home page of your PingOne organization, move to the navigation sidebar and click Environments.
   2. Find the environment in which you have created your custom OAuth/Worker application (usually Administrators), and click Manage Environment. The environment's home page displays.
   3. In the environment's home page navigation sidebar, click Applications.
   4. Find your OAuth or Worker application details in the list.
   5. Copy the value in the Environment ID field. It should look similar to:
      

      WorkerAppEnvironmentId='11e96fc7-aa4d-4a60-8196-9acf91424eca'

   Now set to the value of the Environment ID field.

   Configuring AuthorizationServerURL

   is the base URL of the PingOne authorization server for the environment where your application is located. This property is only used when you have set up a custom domain for the environment, as described in the PingOne platform API documentation. See Custom Domains.

   Authenticating to PingOne with OAuth

   PingOne supports both OAuth and OAuthClient authentication. In addition to performing the configuration steps described above, there are two more steps to complete to support OAuth or OAuthCliet authentication:

   • Create and configure a custom OAuth application, as described in Creating a Custom OAuth Application in the Help documentation.
   • To ensure that the driver can access the entities in Data Model, confirm that you have configured the correct roles for the admin user/worker application you will be using, as described in Administrator Roles in the Help documentation.
   • Set the appropriate properties for the authscheme and authflow of your choice, as described in the following subsections.

   OAuth (Authorization Code grant)

   Set to OAuth.

   Desktop Applications

   Get and Refresh the OAuth Access Token

   After setting the following, you are ready to connect:

   • : GETANDREFRESH. To avoid the need to repeat the OAuth exchange and manually setting the each time you connect, use .
   • : The Client ID you obtained when you created your custom OAuth application.
   • : The Client Secret you obtained when you created your custom OAuth application.
   • : The redirect URI you defined when you registered your custom OAuth application. For example: https://localhost:3333

   When you connect, the driver opens PingOne's OAuth endpoint in your default browser. Log in and grant permissions to the application. The driver then completes the OAuth process:

   1. The driver obtains an access token from PingOne and uses it to request data.
   2. The OAuth values are saved in the location specified in , to be persisted across connections.

   The driver refreshes the access token automatically when it expires.

   For other OAuth methods, including Web Applications, Headless Machines, or Client Credentials Grant, refer to the Help documentation.

   👁 Connecting to a datasource (SQLite is shown)
   
4. After configuring the connection, click Save & Test to confirm a successful connection.

Configure API Server Users

Next, create a user to access your PingOne data through the API Server. You can add and configure users on the Users page. Follow the steps below to configure and create a user:

1. On the Users page, click Add User to open the Add User dialog.
2. Next, set the Role, Username, and Privileges properties and then click Add User. 👁 Configure a new user
   
3. An Authtoken is then generated for the user. You can find the Authtoken and other information for each user on the Users page: 👁 API Server user settings
   

Creating API Endpoints for PingOne

Having created a user, you are ready to create API endpoints for the PingOne tables:

1. First, navigate to the API page and then click Add Table . 👁 Add tables
   
2. Select the connection you wish to access and click Next. 👁 Select the connection (SQLite is shown)
   
3. With the connection selected, create endpoints by selecting each table and then clicking Confirm. 👁 Adding tables from the connection (SQLite is shown)
   

Gather the OData Url

Having configured a connection to PingOne data, created a user, and added resources to the API Server, you now have an easily accessible REST API based on the OData protocol for those resources. From the API page in API Server, you can view and copy the API Endpoints for the API:

👁 API Endpoints

Connect to PingOne Data as an External Data Source

Follow the steps below to connect to the feed produced by the API Server.

1. Log into Salesforce and click Setup -> Develop -> External Data Sources.
2. Click New External Data Source.
3. Enter values for the following properties:
   • External Data Source: Enter a label to be used in list views and reports.
   • Name: Enter a unique identifier.
   • Type: Select the option "Salesforce Connect: OData 4.0".

   • URL: Enter the URL to the OData endpoint of the API Server. The format of the OData URL is https://your-server:your-port/api.rsc.

     Note that plain-text is suitable for only testing; for production, use TLS.

4. Select JSON in the Format menu.

5. In the Authentication section, set the following properties:
   • Identity Type: If all members of your organization will use the same credentials to access the API Server, select "Named Principal". If the members of your organization will connect with their own credentials, select "Per User".
   • Authentication Protocol: Select Password Authentication to use basic authentication.
   • Certificate: Enter or browse to the certificate to be used to encrypt and authenticate communications from Salesforce to your server.
   • Username: Enter the username for a user known to the API Server.
   • Password: Enter the user's authtoken.

👁 Configuration settings for the data source. (NetSuite is shown.)

Synchronize PingOne Objects

After you have created the external data source, follow the steps below to create PingOne external objects that reflect any changes in the data source. You will synchronize the definitions for the PingOne external objects with the definitions for PingOne tables.

1. Click the link for the external data source you created.
2. Click Validate and Sync.
3. Select the PingOne tables you want to work with as external objects.

👁 Image

Access PingOne Data as Salesforce Objects

After adding PingOne data as an external data source and syncing PingOne tables with PingOne external objects, you can use the external objects just as you would standard Salesforce objects.

• Create a new tab with a filter list view:

  👁 A filtered list view shown on a custom tab. (NetSuite Invoices are shown.)
  

• Display related lists of PingOne external objects alongside standard Salesforce objects:

  👁 A related list that shows an indirect lookup relationship, which links a child external object to a parent standard object. (Salesforce accounts and associated NetSuite invoices are shown.)
  

Troubleshooting

You can use the following checklist to avoid typical connection problems:

• Ensure that your server has a publicly accessible IP address. Related to this check, but one layer up, at the operating system layer, you will also need to ensure that your firewall has an opening for the port the API Server is running on. At the application layer, ensure that you have added trusted IP addresses on the Settings -> Security tab of the administration console.
• Ensure that you are using a connection secured by an SSL certificate from a commercial, trusted CA. Salesforce does not currently accept self-signed certificates or internal CAs.

• Ensure that the server you are hosting the API Server on is using TLS 1.1 or above. If you are using the .NET API Server, you can accomplish this by using the .NET API Server's embedded server.

  If you are using IIS, TLS 1.1 and 1.2 are supported but not enabled by default. To enable these protocols, refer to the how-to on MSDN and the Microsoft technical reference.

  If you are using the Java edition, note that TLS 1.2 is enabled by default in Java 8 but not in Java 6 or 7. If you are using these earlier versions, you can refer to this this Oracle how-to.