IIQ customers can learn more by reading: Action Required: IIQ Salesforce Connector Migration to External Client App
Overview
To enhance security and align with the latest best practices, SailPoint is updating the authentication method for the Salesforce connector.
The connector will transition from the current Salesforce Connected App to a new Salesforce External Client App (ECA). This update uses the more secure OAuth 2.0 Authorization Code Grant flow for Salesforce Web Service APIs.
Once the update is released, customers will need to install the new SailPoint External Client App from the Salesforce AppExchange into their Salesforce organization to ensure continued functionality.
We are currently working with Salesforce to make the app available and will announce when it is ready. This advance notice is to help your team plan for this upcoming change. For any questions, please contact your SailPoint Product Manager or Customer Success representative.
What Is Changing?
The External Client App is Salesforce’s next-generation framework for managing API access. It provides granular OAuth policy controls and represents Salesforce’s strategic direction for external integrations.
| Area | Current | Upcoming |
|---|---|---|
| Auth Framework | Salesforce Connected App | Salesforce External Client App (ECA) |
| OAuth Flow | Various (e.g., Client Credentials, others) | OAuth 2.0 Authorization Code Grant |
Who Is Impacted?
Customers using the Salesforce connector on Identity Security Cloud (ISC) will need to install the SailPoint-published ECA package from AppExchange (when available) and update connector configuration to use Authorization Code Grant.
Why Is This Change Being Made?
- Salesforce is evolving its integration platform, and ECA is the modern successor to Connected Apps for external integrations.
- The OAuth 2.0 Authorization Code Grant flow provides a more secure, standards-based mechanism for user-consented API access.
- This ensures the SailPoint Salesforce connector aligns with Salesforce’s present and future platform direction.
Deprecation Timeline & What to Expect
Important: After the ECA package is listed on Salesforce AppExchange, SailPoint will issue an official announcement and deprecation notice for Connected App-based authentication.
Upon that announcement, ISC customers will have 90 days to migrate to ECA-based authentication.
| Milestone | Detail |
|---|---|
| ECA AppExchange listing available | SailPoint publishes announcement and deprecation notice |
| 90-day migration window opens | Customers install the ECA package and reconfigure the connector |
| End of 90-day window | Connected App-based authentication is fully deprecated |
| Post-deprecation | Continued use of Connected App authentication results in connector errors and loss of Salesforce connectivity |
Note: Failure to migrate within the 90-day window may cause provisioning, aggregation, and other connector operations to fail due to lost connectivity.
What Does This Mean for ISC Customers?
No immediate action is required. This advance notice is provided to help you:
-
Understand the authentication model change and deprecation timeline.
-
Start internal discussions with Salesforce admins regarding ECA setup and AppExchange installation readiness.
-
Engage your SailPoint Product Manager to understand release timing and required connector configuration updates.
What Should I Do Now?
-
Review this article and share with your Salesforce admin and identity team.
-
Monitor for the AppExchange listing and SailPoint announcement this starts the 90‑day migration period.
-
Familiarize your team with Salesforce External Client Apps and the OAuth 2.0 Authorization Code Grant flow.
-
Plan your migration—begin change management, testing, and approvals so you can act promptly when the window opens.
-
Contact your SailPoint PM or Customer Success Manager for timelines, impact assessment, or migration planning support.