# AQUILA - Salesforce Integration via JWT Authentication

#### <span style="color: rgb(53, 152, 219);">**Overview**</span>

With the OAuth 2.0 JWT bearer token flow, the client posts a JWT to the Salesforce OAuth token endpoint. Salesforce processes the JWT, which includes a digital signature, and issues an access token based on prior approval of the app.

##### <span style="color: rgb(53, 152, 219);">**Check "View Event Log Files" Permission**</span>

1. Check Your Org's Event Monitoring License: 
    - Go to **Setup** &gt; **Quick Find** &gt; **Installed Packages** or **Company Information** (under **Quick Find** &gt; **Company Settings**).

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/U4TmmE3cQ8FkSVMy-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/U4TmmE3cQ8FkSVMy-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/LIihGVNMxVgle7HR-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/LIihGVNMxVgle7HR-image.png)

- Look for **Event Log File Browser** or **Event Monitoring** and enable it if it shows an option to do so.

2\. Enable **Event Monitoring** Features:

- **Setup** &gt; **Quick Find** &gt; **Event Monitoring Settings** (or search "**Event Log File Browser**").
- If the page loads: Check Enable **Event Log File Browser** &gt; **Save**.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/8BOA33WA4VWtnQti-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/8BOA33WA4VWtnQti-image.png)

##### <span style="color: rgb(53, 152, 219);">**Clone and Modify the Profile**</span>

1. **Log in to Salesforce Setup:**
    - Go to **Setup** (gear icon &gt; Setup) as an admin.
2. **Clone the Standard User Profile:**
    - Navigate to **Setup** &gt; **Quick Find** &gt; **Profiles**.
    - Find **Standard User** &gt; Click **Clone** next to it.
    - **Profile Information**:
        - **Profile Name**: e.g., "Standard User - Log Integration".
        - **Description**: "Cloned for Elastic log integration with API and ELF access."
        - **User License:** Salesforce Integration
    - **Save.** This creates a new custom profile based on Standard User.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/qiDAHpYFkEPgiEkp-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/qiDAHpYFkEPgiEkp-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/4Ef32pDrHX40ujej-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/4Ef32pDrHX40ujej-image.png)

3\. **Edit System Permissions in the Cloned Profile:**

- In **Profiles**, find your new cloned profile &gt; Click **Edit** &gt; Go to the **System Permissions** section (or use Quick Find for "System Permissions").
- Enable the following checkboxes (these are the key changes from Standard User, which starts with them **disabled** for security):

<table border="1" id="bkmrk-permission-change-fr" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 18.7128%;"></col><col style="width: 24.6802%;"></col><col style="width: 31.6965%;"></col><col style="width: 25.0298%;"></col></colgroup><tbody>
<tr><td>**Permission**</td><td>**Change from Standard User**</td><td>**Why Enable It?**</td><td>**How to Enable**</td></tr>
<tr><td>**API Enabled**</td><td>Disabled → **Enabled**</td><td>Allows REST/SOAP API calls for fetching logs (e.g., EventLogFile queries). Essential for Elastic integration.</td><td>Check the box under **System Permissions**.</td></tr>
<tr><td>**View Event Log Files**</td><td>Disabled → **Enabled**</td><td>Grants read access to historical Event Log Files (ELF) like logins and Apex events. Core for log ingestion.</td><td>Check the box under **System Permissions**.</td></tr>
<tr><td>**View All Data**</td><td>Disabled → **Enabled**</td><td>Provides broader object read access if ELF queries fail due to restrictions.</td><td>Check the box under **System Permissions**.</td></tr>
</tbody></table>

- **Do NOT enable** unrelated permissions like "Modify All Data" or "Delete All Data", so that the integration user keeps least privilege.
- **Save** the profile.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/GBJfyTQF4sZQAPad-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/GBJfyTQF4sZQAPad-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/ojzUxOjf1O1lPgkG-image.png) ](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/ojzUxOjf1O1lPgkG-image.png)[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/5vtL2PVBfnF5cQzo-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/5vtL2PVBfnF5cQzo-image.png)

4\. **Assign the Cloned Profile to Your Integration User:**

- **Setup** &gt; **Quick Find** &gt; **Users** &gt; Select your integration user &gt; **Edit**.
- **Profile**: Select "Standard User - Log Integration".
- **Save**.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/qhkItD6XiK1CFQhp-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/qhkItD6XiK1CFQhp-image.png)

5\. **Handle Event Monitoring Permissions (Not in Profile—Use Permission Set)**:

- The "View Real-Time Event Monitoring Data" permission isn't a direct profile permission; it's tied to Event Manager.
- **Create a Permission Set**:
    - Go to **Setup** &gt; **Quick Find** &gt; **Permission Sets** &gt; **New**.
    - **Label/Name**: e.g., "Event Monitoring Access".
    - **License**: "Salesforce Integration" (matches Standard User).
    - **Save** &gt; **System Permissions** tab &gt; Enable **View All Data**, **API Enabled** and **View Event Log Files**.
    - **Event Log File Browser** tab: Enable access to specific events.
- **Assign the Permission Set**:
    - **Permission Set Assignments** &gt; **New** &gt; Select your integration user &gt; **Assign**.
- **Enable Events in Event Manager**:
    - **Setup** &gt; **Quick Find** &gt; **Event Manager**.
    - For desired events (e.g., Login Event), click dropdown &gt; **Enable Storage**. This requires the Event Log File Browser add-on license.
    - This starts log retention (up to 1 year for ELF; real-time requires add-on license).

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/LXDTLpk0pyGbbY3s-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/LXDTLpk0pyGbbY3s-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/D8Y4bOlMcDszmNK7-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/D8Y4bOlMcDszmNK7-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/UYgRTF1B9eBBHcJM-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/UYgRTF1B9eBBHcJM-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/mZK9M3XpWzK5wY7H-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/mZK9M3XpWzK5wY7H-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/46QNcp9BP7XGJpKv-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/46QNcp9BP7XGJpKv-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/mKejjzBlT8OlcNnT-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/mKejjzBlT8OlcNnT-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/Xa5mknGrKzfF3qBh-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/Xa5mknGrKzfF3qBh-image.png)


[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/86ImA5HtfQ5IoowY-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/86ImA5HtfQ5IoowY-image.png)

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/scaled-1680-/7tlqTYV46fCHPntx-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/7tlqTYV46fCHPntx-image.png)

##### <span style="color: rgb(53, 152, 219);">**Client Key and Certification Signature Configuration**</span>

To use this integration, you need to create a new Salesforce Application using OAuth. Follow these steps to create a connected application in Salesforce:

- Log in to **Salesforce** with the user credentials you want to collect data with.
- Click **Setup** in the top right menu bar.

 ![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/QoIVW5iX5eqeV9Z0-image.png)

- In the **Quick Find textbox**, search for **App Manager** or you can scroll down to **PLATFORM TOOLS** and select **App Manager.**

 ![Salesforce1.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/JRiRcKa9Gz5lC8Wd-salesforce1.png)

- In the upper right corner, choose **New External Client App**.

 ![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/1Ywn6j28Wr32yheg-image.png)

- Provide a name for the connected application. This name will be displayed in the App Manager and on its App Launcher tile.
- Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name.
- Enter the **email address** of the **new account** you created earlier.

![Salesforce2.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/kAlzKr6Cx5cE3XYl-salesforce2.png)

- Under the **API (Enable OAuth Settings)** section, check the box for **Enable OAuth Settings**.
- In the **Callback URL** field, enter the instance URL as specified in **Salesforce instance URL.** Example URL: https://na9.salesforce.com
- Select the following OAuth scopes to apply to the connected app:
    - **Manage user data via APIs (api)**
    - **Perform requests at any time (refresh\_token, offline\_access)**
    - (Optional) If you encounter any permission issues during data collection, add the **Full access (full)** scope.

![Salesforce3.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/CI9AMM1P66ijSHa9-salesforce3.png)

- Select **Require Secret for the Web Server Flow** to require the app's client secret in exchange for an access token.
- Select **Require Secret for Refresh Token Flow** to require the app's client secret in the authorization request of a refresh token and hybrid refresh token flow.

 ![Salesforce4.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/U3sH6qYPGs9nKXJS-salesforce4.png)

- Then scroll up to the **App Settings** section, above the **Callback URL**, and click the **Consumer Key and Secret** button.

 ![Salesforce7.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/6phcALMosjc4PtNu-salesforce7.png)

- This opens another tab. Verify the user account by entering the verification code.

 ![Salesforce5.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/5CUisvcTjiFDwwdG-salesforce5.png)

- Copy the `Consumer Key` and `Consumer Secret` from the Consumer Details section. These values should be used as the **Client ID** and **Client Secret**, respectively, in the integration.

![Salesforce6.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-08/scaled-1680-/F9X2W6zDwOupc1Nm-salesforce6.png)

- Close that tab and go back to the **External Client App Manager**. Click **Save**.

##### **Required fields for JWT Authentication Integration:**

- JWT Authentication Audience URL
- JWT Authentication Client Key Path
- Username
- Client ID
- Instance URL
- Token URL

##### Provide these required fields to **CyTech Support**.
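The required fields map onto the JWT assertion described in the Overview: Client ID becomes `iss`, Username becomes `sub`, the Audience URL becomes `aud`, the Client Key Path is the private key that signs the token, and the Token URL receives it. The script below is an added example, not part of this guide's integration or CyTech's code; the function names are hypothetical, all argument values are placeholders, and the 3-minute default lifetime is an assumption based on Salesforce's JWT bearer flow requirements.

```shell
#!/usr/bin/env bash
# Added example. Builds the RS256-signed JWT assertion for the JWT bearer flow.
# Inputs must not contain double quotes (they are placed into JSON verbatim).

# base64url without padding, as JWS requires (RFC 7515).
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_jwt_assertion CLIENT_ID USERNAME AUDIENCE_URL KEY_PATH [LIFETIME_SECONDS]
make_jwt_assertion() {
  local client_id="$1" username="$2" audience="$3" key_path="$4"
  local lifetime="${5:-180}" exp header payload signing_input signature

  # Whoever can read the key can mint tokens as the integration user, so
  # refuse a key file that group or others can access.
  if [ "$(ls -ln "$key_path" | cut -c5-10)" != "------" ]; then
    echo "refusing $key_path: permissions must be 600 or stricter" >&2
    return 1
  fi

  exp=$(( $(date +%s) + lifetime ))   # short-lived: 3 minutes by default
  header=$(printf '{"alg":"RS256"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%d}' \
    "$client_id" "$username" "$audience" "$exp" | b64url)
  signing_input="$header.$payload"

  # RSASSA-PKCS1-v1_5 with SHA-256 is what "RS256" means.
  signature=$(printf '%s' "$signing_input" |
    openssl dgst -sha256 -sign "$key_path" -binary | b64url)
  [ -n "$signature" ] || return 1
  printf '%s.%s\n' "$signing_input" "$signature"
}

# request_token TOKEN_URL ASSERTION
# Network call; exchanges the assertion for an access token.
request_token() {
  curl -sS --fail -X POST "$1" \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
    --data-urlencode "assertion=$2"
}
```

A token request that fails after the assertion is built correctly usually points to the Username, the Audience URL, or the app's pre-approval for that user rather than to the signature.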

Reference Link:

[OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration in Salesforce](https://www.youtube.com/watch?v=AEcQIXvV_I8)

*If you need further assistance, kindly contact our support at **support@cytechint.com** for prompt assistance and guidance.*