Nuevo: AIBOM: una lista de materiales en vivo de cada agente, herramienta y conector. Ver cómo
Docs / Agentes integrados en SaaS / Salesforce Agentforce

Salesforce Agentforce

The Salesforce connector discovers your org's Agentforce agents, imports setup-audit activity as MITRITY audit events, and reads org security posture — through a connected app authenticated with the OAuth2 JWT-bearer flow. It never writes to your org.

Read SaaS-Embedded Agent Governance first for the connector model; this page covers Salesforce specifics.

What it discovers

  • Agentforce agents configured in the org, added to your Agents inventory with state discovered.

Requirements

RequirementDetail
EditionAny org for Discover + Posture + basic Observe. Richer telemetry (EventLogFile) needs the Event Monitoring add-on — see below.
RoleA System Administrator to create the connected app and pre-authorize the integration user.
MITRITY planPro or Enterprise; Owner or Manager role.

Step 1 — Generate a key pair

The JWT-bearer flow signs a token with a private key; Salesforce verifies it with the matching certificate. Generate a self-signed pair:

openssl req -x509 -sha256 -nodes -days 730 \
  -newkey rsa:2048 -keyout mitrity.key -out mitrity.crt
  • mitrity.key — the private key MITRITY stores (encrypted). Never upload this to Salesforce.
  • mitrity.crt — the certificate you upload to the connected app in Step 2.

Step 2 — Create a connected app for JWT-bearer

  1. In Salesforce Setup → App Manager → New Connected App.
  2. Enable OAuth Settings. Set a placeholder callback URL (the JWT-bearer flow does not use it).
  3. Check Use digital signatures and upload mitrity.crt.
  4. Add read-only OAuth scopes — at minimum Manage user data via APIs (api); add Perform requests at any time (refresh_token, offline_access).
  5. Save, then open the app and copy the Consumer Key — this is the connector's Client ID.

Step 3 — Pre-authorize an integration user

  1. On the connected app, open Manage → Edit Policies and set Permitted Users to Admin approved users are pre-authorized.
  2. Assign the connected app to a profile or permission set held by a dedicated integration user (read-only is sufficient for the connector).
  3. The Username of that integration user is what you enter in MITRITY.

Step 4 — Connect in MITRITY

In Settings → Platforms → Connect a platform, choose Salesforce and provide:

FieldValue
Account / OrganizationYour Salesforce org ID or My Domain host, e.g. acme.my.salesforce.com
Connected-app private key (PEM)The contents of mitrity.key from Step 1
Client IDThe Consumer Key from Step 2
UsernameThe integration user's username, e.g. integration@acme.com
Login URLhttps://login.salesforce.com (or https://test.salesforce.com for a sandbox)

Save, then click Sync now. The connector signs a JWT with your private key, exchanges it for an access token and the org's instance_url at sync time, and runs Discover → Observe → Posture.

Observe — SetupAuditTrail vs Event Monitoring

By default the connector imports activity from SetupAuditTrail, which every org has. Salesforce's richer EventLogFile telemetry is part of the paid Event Monitoring add-on; if your org does not have it, the connector degrades to SetupAuditTrail rather than failing. Imported events carry source = salesforce, are marked observed (recorded, not gated), and flow to the audit log, Insights, and any configured SIEM destination.

Posture

The connector reads org security-configuration proxies and records them as findings (OK / Warning / Unknown). A control it cannot read is recorded as Unknown, never OK. See Posture & Security.

Governing a discovered agent

Assign a policy to a discovered agent to move it to governed (governance mode Constrained), or suppress it. Agentforce agents are observed, not enforced in-band, in this release — see read-only by design.

Salesforce Agentforce — Documentation | MITRITY