Prerequisites

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation

Customer Managed: Applies to customer-managed instances of Alation

Configure Network Connectivity

Open outbound TCP port 443 to the Salesforce server.

Create Service Account

For basic authentication and for the initial configuration of the OAuth-based connection, Alation requires a service account with a username and password. You can use an existing user or create a new user for Alation.

To use a new user, log in to Salesforce and create a User ID and Password. Refer to Usernames and Passwords for more information.

The service account user must have enough permissions to extract metadata from the database. See API Permissions below.

API Permissions

Before performing metadata extraction or sampling and profiling, ensure that you enable API permissions for the service account in Salesforce. In Salesforce, go to Setup > Profiles > <your user profile> > Administrative Permissions and select the API Enabled checkbox.

Configure OAuth

Set Up the OAuth App in Salesforce

Before using OAuth authentication, you must create an OAuth app in Salesforce.

  1. Log in to your Salesforce account and go to Apps > App Manager.

  2. Click New Connected App.

  3. In the Basic Information section, provide the required details, including Connected App Name, API Name, and Contact Email, and click Save.

  4. Once your app is created, open it in the Edit mode, perform the following, and click Save:

    1. Select Enable OAuth Settings.

    2. Provide a callback URL in the Callback URL field. For example: https://localhost.

    3. Select Full Access (full) in the Selected OAuth Scopes field.

    4. Select Enable Client Credentials Flow.

  5. Open your app in the Manage mode and click Edit Policies.

    1. Set the following in the OAuth Policies section:

      • Select All users may self-authorize from the Permitted Users dropdown.

      • Select Relax IP restriction from the IP Relaxation dropdown.

    2. In the Client Credentials Flow section, search and add the user to whom the API token will be issued in the Run As field.

    3. Click Save.

  6. Open the app in the View mode, go to API (Enable OAuth Settings) > Consumer Key and Secret, and click Manage Consumer Details.

  7. Copy the Consumer Key and Consumer Secret. Use these to configure OAuth in Alation.

    Note

    Before configuring OAuth in Alation, we recommend validating that the Client ID works with the token endpoint.
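
One way to perform the validation recommended in the note above, as an added example that is not part of the original documentation: it posts the Consumer Key and Consumer Secret to the token endpoint with the client credentials grant and reports the outcome without printing the token. The token URL format (`https://<MyDomain>.my.salesforce.com/services/oauth2/token`) and the `SF_*` environment variable names are assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret):
    """Build the client-credentials POST; refuse non-HTTPS endpoints."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Consumer Key from the connected app
        "client_secret": client_secret,  # Consumer Secret from the connected app
    }).encode()
    return urllib.request.Request(token_url, data=form, method="POST")


def summarize_token_response(body):
    """Reduce the JSON reply to a loggable summary that never contains the token."""
    reply = json.loads(body)
    if "access_token" not in reply:
        return {"ok": False, "error": reply.get("error"),
                "detail": reply.get("error_description")}
    return {"ok": True, "token_type": reply.get("token_type"),
            "instance_url": reply.get("instance_url"),
            "scope": reply.get("scope"),
            "token_length": len(reply["access_token"])}


def validate(token_url, client_id, client_secret):
    """Send the request and summarize either the success or the error reply."""
    request = build_token_request(token_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return summarize_token_response(response.read())
    except urllib.error.HTTPError as err:  # OAuth errors carry a JSON body (RFC 6749, 5.2)
        return summarize_token_response(err.read())


if __name__ == "__main__":
    # Assumed variable names; reading from the environment keeps the
    # secret out of shell history and process listings.
    print(validate(os.environ["SF_TOKEN_URL"],
                   os.environ["SF_CLIENT_ID"],
                   os.environ["SF_CLIENT_SECRET"]))
```

A summary with `ok` set to `False` and an `error` value means the Consumer Key, Consumer Secret, or app policies need to be rechecked in Salesforce before the values are entered in Alation.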

Configure OAuth Using Client Credentials Workflow in Alation

To use OAuth authentication, you must configure OAuth using the Client Credentials Workflow:

  1. Start the Connector Access Gateway Service. For information, see the Alation: Start the Connector Access Gateway Service section in Configure Authentication via AWS STS and an IAM Role.

  2. In Alation, click the Settings gear icon in the top right corner.

  3. Click Authentication.

  4. Under the Authentication Configuration Methods for External Systems section, select OAuth from the Add configuration dropdown.

  5. Configure an OAuth profile with Config name, Client Id, and Client Secret. For more information, see the OAuth section in the Authentication Configuration Methods for External Systems.

    Under the Client credentials dropdown, select GrantType. For information on the supported formats for Token Endpoint URL, see Configure a Salesforce Authentication Provider.

    Note

    Leave the Authorize Endpoint URL, User Info Endpoint URL, and the Redirect URL fields blank.

  6. Click Save.