Salesforce Tools and Extension Tools setup

Use Salesforce tools to let Glean Assistant and Agents search and update Salesforce data without leaving Glean.

With this setup, you can:

• Enable the Salesforce Tools or Salesforce Extension Tools for a connector instance.
• Configure the supported authentication method for the tool you are using.
• Decide which agents and surfaces can use these tools.

important

Ensure that your Salesforce user permissions grant appropriate API access for the tools you intend to expose to Glean users. Glean tools strictly respect native Salesforce ACLs and data sharing rules.

Prerequisites

Before enabling Salesforce tools:

• The Salesforce connector must be configured and successfully crawling content.
• You must be able to access the Glean Admin Console.

note

You do not need to create a Salesforce connected app if you use Central authentication. A Salesforce connected app is required only when you set up the Salesforce Extension Tools with Custom authentication.

Setup instructions

1. In Glean, go to Admin Console → Platform → Tools.
2. Click Add.
3. From Add pre‑set tools, select the Salesforce tool you want to configure under Tool templates.
4. In the Configuration tab:
   1. Add the Instance Name.
   2. Select the connected Connector Instance to link this tool to your Salesforce instance.
   3. Configure authentication using the tabs below, based on your requirements.

Configure authentication

Your authentication options depend on which tool you select:

• Salesforce Tools: Supports Central authentication only.
• Salesforce Extension Tools: Supports both Central and Custom authentication.

Central authentication (Recommended)

Use this option if central apps are available for Salesforce in your Glean environment.

1. Select Central under the Authenticate section.
2. Click Save.
3. Click Edit settings under the Enable Tools section to make tools visible for all or some users within Glean Chat and Agents.

note

End users are prompted to connect their Salesforce account the first time they run a tool, and tokens are managed centrally thereafter.

Custom authentication (Extension Tools only)

Use this option only if you are using the Salesforce Extension Tools and are either self‑hosted or require a customer‑owned Salesforce OAuth app.

Step 1: Create a new external client app

1. Navigate to Salesforce and log in using your credentials.
2. Click Setup (top right icon).
3. Go to App Manager (search via Quick Find).
4. Click New External Client App. The External Client App Manager page opens.
5. Under Basic information, add the following mandatory details:
   1. External Client App Name: Name your app appropriately to indicate Glean access (e.g., Glean sales app).
   2. API Name.
   3. Contact Email.
   4. Distribution State: Based on your requirements, select either Local or Packaged.
      • Local: Use this if the app will only be used in the current Salesforce org. Local apps cannot be packaged or distributed to other orgs.
      • Packaged: Use this if you plan to include the app in a second-generation (2GP) managed package and distribute it to other Salesforce orgs.

Step 2: Enable OAuth settings

1. Select Enable OAuth.
2. Under App Settings, add the following information:
   1. Callback URL: Copy the Callback URL from the Glean admin console:
      1. Navigate to the Salesforce tools configuration page on the Glean admin console.
      2. Select Custom under the Authenticate section.
      3. Copy the generated Callback URL.
3. Add the following OAuth scopes:
   • Manage user data via APIs (api)
   • Perform requests at anytime (refresh_token, offline_access)
   • Full access (full) — required when setting up Custom authentication for the Salesforce Extension Tools.
4. Based on your requirement, you can either enable or disable the following options:
   • Introspect all Tokens: Allows the app to use the token introspection endpoint of Salesforce to validate and inspect access/refresh tokens across the org. Enable this if you plan to check token status through /services/oauth2/introspect.
   • Configure ID token: Controls how Salesforce issues OpenID Connect ID tokens. If your integration uses the openid scope, enable this to configure ID token behavior; otherwise, leave it disabled.

Step 3: Configure security settings

• Uncheck Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows under Security.

Step 4: Create the app

• Click Create to instantiate the external client app.

Step 5: Copy the Consumer Key and Consumer Secret

After creating the app, extract your credentials from the app details page:

1. Under the Settings tab, navigate to OAuth Settings.
2. Under App Settings, click Consumer Key and Secret.
3. Verify your identity when prompted. Once verified, you will be redirected to the credentials page.
4. Copy the Consumer Key and Consumer Secret and store them securely.

Step 6: Add OAuth Policies

1. Under Apps, go to External Client Apps → External Client Apps Manager.
2. Locate your newly created app and click on it.
3. Under Policies, click Edit.
4. Go to OAuth Policies and set Permitted Users to All users may self-authorize.
5. Click Save.

Step 7: Input credentials in Glean Console

1. Navigate back to the Salesforce tools configuration page on the Glean admin console.
2. Select Custom under the Authenticate section.
3. Paste your copied Client ID (Consumer Key) and Client secret (Consumer Secret).
4. Click Save.

Step 8: Configure surface visibility

Click Edit settings under the Enable Tools section to make tools visible for all or some users within Glean Chat and Agents.

info

Write tools such as Update Opportunity use a review flow by default. Users must confirm proposed changes before Salesforce applies them. To allow specific write tools to run without confirmation, see Inline execution of write tools.

info

Salesforce tools use OAuth for each teammate, and are independent from the Salesforce connector used for search indexing. Connecting or disconnecting one does not affect the other. If a teammate revokes the Glean connected app in Salesforce, they need to re-authorize by running an agent that uses a Salesforce tool and clicking Connect. For more information, see Troubleshooting tools authentication.

See also

• End-user guide for updating opportunities using natural language: Update Salesforce opportunities in Glean
• Full list of available Salesforce tools and their references: Salesforce tools
• How the review flow works for write tools: Human-in-the-loop experience for tools