Newer Version Available

This content describes an older version of this product. View Latest

Edit a Connected App

Available in: both Salesforce Classic and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions


User Permissions Needed
To read: “Customize Application”
To create, update, or delete: “Customize Application” AND either

“Modify All Data” OR “Manage Connected Apps”

To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: “Customize Application”
To update Profiles, Permission Sets, and Service Provider SAML Attributes: “Customize Application” AND “Modify All Data”
To uninstall: “Download AppExchange Packages”

You can modify settings and permissions for a connected app.

  1. From Setup, enter Connected Apps in the Quick Find box, then select the option for managing connected apps.
  2. Click Edit next to the name of the app you want to modify. (To review information about an app on the connected app Detail page, click the app name.)
  • The following OAuth policies are available for every OAuth-enabled connected app.
    • Permitted Users determines who can run the app.
      • All Users may self-authorize: Default. Anyone in the organization can self-authorize the app. This setting means that each user has to approve the app the first time they access it.
      • Admin-approved users are pre-authorized: Access is limited to those users with a profile or permission set specified, but these users don’t need to approve the app before they can access it. In Group Edition, this setting prevents access to the app for all users. Manage profiles for the app by editing each profile’s Connected App Access list (except in Group Edition). Manage permission sets for the app by editing each permission set’s Assigned Connected Apps list.

      If you switch from All Users may self-authorize to Admin-approved users are pre-authorized, anyone currently using the app loses access, unless the user belongs to a permission set or profile that you have specified for the app.

      Warning

      If the user’s profile or permission set has the “Use Any API Client” user permission enabled, the Admin-approved users are pre-authorized policy can be bypassed. This user permission is available only if the “Admin Approved apps only” organization permission is enabled. The “Use Any API Client” user permission allows a non-Admin-approved user to access and run the app, even if the connected app’s settings require Admin-approved users and the “Admin Approved apps only” organization permission is enabled. This permission scheme allows specific users, such as short-term contractors, to access a connected app temporarily.

      Note

    • IP Relaxation refers to the IP restrictions that the users of the connected app are subject to. IP ranges work with OAuth-enabled connected apps, not SAML-enabled connected apps. An administrator can choose to either enforce or bypass these restrictions by choosing one of the following options.
      • Enforce IP restrictions: Default. A user running this app is subject to the organization’s IP restrictions, such as IP ranges set in the user’s profile.
      • Relax IP restrictions with second factor: A user running this app bypasses the organization’s IP restrictions when either of these conditions are true:
        • The app has IP ranges whitelisted and is using the Web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
        • The app has no IP range whitelist, is using the Web server or user-agent OAuth authentication flow, and the user successfully completes Identity Confirmation.
      • Relax IP restrictions: A user running this connected app is not subject to any IP restrictions.

      If the Enforce login IP ranges on every request Session Settings option is enabled, it affects the IP relaxation behavior. For more information, see Connected App IP Relaxation and Continuous IP Enforcement.

      Note

    • Refresh Token Policy specifies the validity period for a refresh token. Refresh tokens are used by the OAuth-enabled connected app to obtain new sessions without requiring the user to provide their credentials. The connected app simply exchanges the refresh token for a new session. Using refresh token policies, administrators control how long a refresh token is used. Options include the following.
      • Refresh token is valid until revoked. This setting is the default behavior. It specifies that the token is used indefinitely, unless revoked by the user or administrator. Revoke tokens in a user’s detail page under OAuth Connected Apps or in the OAuth Connected Apps Usage report.
      • Immediately expire refresh token. This setting specifies that the token is immediately invalid. The user can use the current session (access token) already issued, but cannot use the refresh token to obtain a new session.
      • Expire refresh token if not used for n. This setting invalidates the token if it is not used for the amount of time specified. For example, if the field value states 7 days, and the refresh token is not exchanged for a new session within seven days, the next attempt to use the token fails. The token expired and can no longer generate new sessions. If the refresh token is successfully used before 7 days, monitoring the period of inactivity resets, and the token is valid for another 7 days.
      • Expire refresh token after n. This setting invalidates the refresh token after a fixed amount of time. For example, if the policy states 1 day, the refresh token can be used to obtain new sessions for 24 hours. After 24 hours, the token can’t be used.

      A user’s session can be maintained by usage. Its validity period is defined by the Timeout Value for the connected app, user profile, or organization’s session settings (in that order). The Refresh Token Policy is evaluated only during usage of the issued refresh token and does not affect a user’s current session. Refresh tokens are required only when a user’s session has expired or is no longer available. For example, if you set a Refresh Token Policy to Expire refresh token after 1 hour, and the user uses the application for 2 hours, the user isn’t forced to authenticate after 1 hour. The user is required to re-authenticate when the session expires and the client attempts to exchange its refresh tokens for a new session.

    • Timeout Value is available for OAuth-enabled connected apps, only. This value sets the expiration of the access tokens for the connected app's session. If you don’t set a value or None is selected (the default), Salesforce uses the Timeout Value in the user’s profile. If the profile has no value set, Salesforce uses the Timeout Value in the organization’s Session Settings.
    • The current permissions for the connected app are also listed here.
    If your connected app is a canvas app that uses signed request authentication, be sure to:
    • Set Permitted Users to Admin-approved users are pre-authorized.
    • Set Expire Refresh Tokens to The first time they use this application.
    • Give users access via profiles and permission sets.
  • Session Level Policy is available for all connected apps. Select High Assurance session required to require users to enter a time-based token during login to access the app.
  • Basic Information is available for all connected apps. However, if your app is a canvas app, these field values aren’t used. Instead, the canvas app URL that was specified when the connected app was created is used.
    • Start URL is used if the connected app uses single sign-on. In this case, set the URL to the page where the user starts the authentication process. This location also appears in the application switcher menu.
    • Mobile Start URL is used to direct users to a specific location when the app is accessed from a mobile device.
  • Mobile App settings are available for mobile connected apps that enforce pin protection.
    • Require PIN after specifies how much time can pass while the app is idle before the app locks itself and requires the PIN before continuing. Allowable values are none (no locking), 1, 5, 10, and 30 minutes. This policy is only enforced if a corresponding Pin Length is configured. Enforcement of the policy is the responsibility of the connected app. Apps written using the Salesforce Mobile SDK can enforce this policy, or the app can read the policy from the UserInfo service and enforce the policy.

      This setting does not invalidate a user’s session. When the session expires due to inactivity, this policy only requires that the user enter a PIN to continue using the current session.

      Note

    • Pin Length sets the length of the identification number sent for authentication confirmation. The length can be from 4 to 8 digits, inclusive.
  • Custom Attributes are available for all connected apps. Developers can set custom SAML metadata or custom OAuth attributes for a connected app. Administrators can delete or edit those attributes or add custom attributes. Attributes deleted, edited, or added by administrators override attributes set by developers. For more information, see Edit, Package, or Delete a Connected App.

Custom Connected App Handler

Customize the behavior of a connected app with Apex. Create a class that extends the ConnectedAppPlugin Apex class, and associate it with a connected app. The class can support new authentication protocols or respond to user attributes in a way that benefits a business process.

The plugin runs on behalf of a user account. In the Run As field, select the user for the plugin. If the user isn’t authorized for the connected app, use the authorize method to do so. For more information, see the ConnectedAppPlugin class in the Force.com Apex Code Developer's Guide.