Skip to content
Textkernel Salesforce Connector
Basic Textkernel Connector setup
latest

Basic Textkernel Connector Setup🔗

Important

The Salesforce user configuring these settings in the Salesforce org must be a System Administrator (or similar profile) to have the appropriate access rights to the settings.

Core Package Installation🔗

  1. Install Textkernel Connector package (see links in Package Descriptions or from the Salesforce AppExchange). Typically the Textkernel Connector App should be visible to Admins (to use Textkernel, Recruiters only need to access a Tab included inside the package, and not the App itself), and the Unlocked Components package should be visible to all users.

  2. This package manages access on a per-user basis, so you need to assign licenses to your admin user as well as your recruiter end users. If users don’t have a license assigned to them, the components will be invisible and/or unusable.

    1. Go to SFDC Setup → Installed Packages

    2. Click on the Manage Licenses link to the left of the Textkernel Connector package. On the next screens you can assign and remove licenses to your users. If you do not have enough licenses available please contact your Textkernel account manager.

  3. The package includes 3 permission sets which should be assigned to users within the Org:

    • Textkernel - Admin Access: This permission set contains maximum access level for all Textkernel objects and tabs and it's intended for the administrative user who sets up and maintains the integration.
    • Textkernel - Manager Access: This permission set allows managers to view reports on Textkernel search usage. It should be used in combination with “Textkernel - Recruiter”.
    • Textkernel - Recruiter Access: This permission set contains access level for all Textkernel objects and tabs that are needed for regular user. It's intended for the recruiters who will use Textkernel use cases inside Salesforce.

    • Go to SFDC Setup → Permission sets

    • Select one of textkernel permission sets
    • Press Manage Assignments button
    • Click Add Assignments button
    • Select users via Checkbox
    • Click Assign button

Configure Textkernel Portal🔗

Note: you can skip this section if you are only using the Recruiter CV Parsing workflow. Textkernel Portal is needed for Search and Match workflows, external Candidate sourcing, Candidate Engagement automtion, and Jobfeed workflows (except the Jobfeed Account import widget).

When using Textkernel Portal, you can configure industry-standard single-sign-on, and quickly provide access to Textkernel’s fully-features user interfaces without needing to build custom code.

Setup Identity Provider🔗

This procedure discusses how to configure Salesforce as your SAML 2.0 Identity Provider, so that Salesforce users will have single-sign on with Textkernel Portal. The configuration process would be different if you are using a different identity provider.

  1. Enable Identity Provider

    SFDC Setup → Identity Provider → Enable Identity Provider

  2. Setup certificate

    Depending on your identify architecture, either create a Self-Signed Certificate or upload your own certificate.

    In order to upload a certificate, go to SFDC Setup → Certificate and Key Management → Press Import From Keystore → Click Choose file button → Upload certificate → Enter password → Press Save button

  3. Configure Textkernel “Portal” Connected app

    SFDC Setup → App manager → “Portal” app dropdown menu → Manage app:

    1. Share your metadata with Textkernel support team: press “Download Metadata” button in SAML Login Information section.

    2. When you receive the confirmation from the Textkernel support team that your metadata has been setup, fill in SAML Service Provider settings. Press Edit policies and configure these fields.

      Important

      Your environment values will be different, these values are provided only as examples. Please contact your assigned Technical Consultant to receive the correct settings.

      • Entity Id: https://sso-staging.textkernel.nl/shibboleth
      • ACS URL: https://sso-staging.textkernel.nl/Shibboleth.sso/SAML2/POST
      • Issuer: https://demo.my.salesforce.com
      • IdP Certificate: Select your preferred certificate from step 2
      • Run As: Select a user that will be used to run the SSO protocol. The "Run As" user should be a standard Salesforce User. The user can be a dedicated integration user or you can re-use another user. The user requires:
        • Access to the "Portal" Connected App (see the next step in the configuration procedure for configuring that access)
        • Textkernel - Admin Access permission set assigned from the Textkernel managed package
        • A license to access Textkernel’s managed package

      Important

      Please make sure that the "Run As" user has read access to the SF User object. This is required for SSO to pass releavant user information to our Textkernel backend and without this your users will not be able to access the portal.

Setup Trusted URL🔗

With Summer '24 Release, Salesforce updated the delivered CSP directives for Lightning pages which can prevent externally hosted fonts, images and external websites from loading within an iframe on your Lightning pages (check release notes). Because of this change, all orgs need to have the Trusted URLs list in Salesforce. Follow below steps to configure it:

  1. Add Trusted URL SFDC Setup → Trusted URLs → New Trusted URL

  2. Once in the Trusted URL Edit view

    a. Add the “TK_Portal” in the field “API Name”.

    b. Add the “URL” for TK domain URL (should have been provided to you by Textkernel).

    c. Make sure the Active checkbox is checked.

    d. Make sure CSP Context is selected as “All”.

    e. Enable CSP Directives - frame-src (iframe content) and img-src (images).

    f. Click “Save”.

SF Trusted URL configuration

To test custom functionality and code that uses a Salesforce session cookie before browsers fully block third-party cookies, Salesforce enabled a setting in Winter '25 Release, which impacts loading of iFrame component (check release notes). This change blocks TK Portal (iFrame component) on Google Chrome and Microsoft Edge browsers (It works on Safari, Firefox and even Chrome Incognito Mode). To ensure that you have the correct settings:

  1. Go to SFDC Setup → My Domain

  2. Scroll down to Routing and Policies section, make sure the Cookies checkbox is unchecked.

SF Cookie settings

Assign access to the “Portal” Connected App for whichever users need access.🔗

Any user (e.g. recruiters or administrators) who will use the Textkernel UI inside the TK Portal iframe needs this access. You can provide access either using Salesforce Profiles or Salesforce Permission Sets within your Org. Use either the Manage Profiles button or the Manage Permission Sets button to assign access as appropriate. If a Salesforce User attempts to access the Textkernel Portal Tab without the access permission, they see a standard Salesforce error message saying “Insufficient Privileges”.

Profiles and permission sets

Configure Textkernel Portal settings🔗

The Textkernel App is included in the managed package, and is where an Administrator user configures the integration. Within the app, the Textkernel Portal page is where you configure your settings if you are using the Textkernel Portal tab in your integration.

Note

Even if you don't plan for your recruiters to use Textkernel Portal UI, it is often useful as a tool to see what data is visible in the Textkernel search index. So, we recommend that this always be setup and available to the administrative users.

  1. Go to Textkernel App → Search and Match Setup → Textkernel portal settings tab
  2. Enter the Textkernel portal endpoint (you will receive this information from Textkernel customer support)

    Portal endpoint

  3. Specify Portal account credentials (you will receive this information from Textkernel customer support)

    Portal account credentials

  4. Specify when to Remove inactive Salesforce users.

    This is a scheduled background job that runs periodically to check to see if Salesforce users have become inactive. If there are inactive Salesforce users, then the job makes sure they are deactivated in Textkernel Portal, too, so that user access is kept synchronized between Salesforce and Textkernel Portal.

    Remove inactive Salesforce users

Configure Connected App and Automation API Webhook🔗

Several integration features use OAuth 2.0 to authenticate backend machine-to-machine communication so that Textkernel can use the Salesforce REST APIs. Some of those features additionally use the Textkernel Automation API webhook protocol.

  • Candidate engagement automation (OAuth 2.0 only)
  • External candidate importing from Source (OAuth 2.0 and Webhook)
  • High-throughput indexation addon (OAuth 2.0 only)
  • Search and match automation (OAuth 2.0 and Webhook)

For these features, you need to perform this configuration.

Important

Features using the OAuth 2.0 Connected App make calls from Textkernel into Salesforce APIs. You should monitor your org's overall API usage to ensure you don't exceed your daily limits.

Important

This feature uses Salesforce's support for a Connected App with the OAUTH 2 client credentials grant. Salesforce's infrastructure requires an integration user to be setup and assigned the system permission API Only User. However, several org types do not offer this feature, and as a result they do not support the external Candidate import feature. Unsupported Salesforce Org types:

  1. Developer orgs
  2. Scratch orgs (unless you use the Salesforce "Org Shape" feature to copy from an Enterprise edition)
  3. Essentials edition orgs
  4. Professional edition orgs

Setup Integration User🔗

The integration user is associated with the Connected App. The changes made via the Connected App are executed by this integration user inside Salesforce. The user cannot be an interactive user who logs into the Salesforce UI, or it will not work.

Go to Salesforce setup → Users → Click "New User" button

Complete the form, making sure you select:

  • User License: Salesforce
  • Profile: Standard User

Login the first time, and select a password to fully activate the user.

Create Permission Set🔗

  1. Create a new Permission Set. This will be used to assign the necessary permissions to the integration user.

  2. Go to Salesforce setup → Permission sets.

  3. Click the "New" button.

  4. Assign the permission set Label and API Name.

  5. Click Save.

  6. You are redirected to the newly created Permission set.

  7. Scroll down and click on the section System Permissions.

  8. On the System Permissions page click the "Edit" button.

  9. Set the API Enabled checkbox to true.

  10. Set the Api Only User checkbox to true.

  11. Click "Save".

API Only Permissions

(Optional) procedure when you are using the automation api webhook🔗

Perform this configuration if you are using the automation API webhook to importing external candidate profiles from Textkernel Source, or importing automatic matches from the Textkernel platform.

  1. Next, select the section Apex Class Access

  2. Click Edit

  3. Add Textkernel1.AutomationApiRestService to the "Enabled Apex Classes"

APEX Class Access Permission

  1. Click Save button

Assign permissions to the integration user🔗

The integration user needs several permission sets for the integration to work:

  1. Textkernel - Admin Access, which gives the user access to the Textkernel managed package contents.

  2. The dedicated permission set created above, which makes the integration user API-only and gives it access to the automation API webhook APEX handler if you are using that feature.

  3. (OPTIONAL) if you are using the high-throughput indexation Addon, some additional permissions are needed:

    • Textkernel - High Throughput Indexation Access - this permission set enables the feature, so if you remove this permission set from the integration user, it disables the feature.
    • In addition, the integration user needs to have the permissions to read data from all the objects and fields that are mapped for indexation into Textkernel.
  4. (OPTIONAL) if you are using Candidate Engagement, the integration user needs permission to read data from the Salesforce objects and fields that will trigger the automations. For example, if the automation needs to read a candidate phone number field to send them a WhatsApp message, then the integration user needs access to that field (for all the candidates that the automation may need to contact). Assess which objects in your workflow will be used and assign permissions as needed. It might also be a job object, job submission object, etc.

Create Connected App🔗

Now you will create a Connected App that configures Salesforce to enable Textkernel to connect using the OAuth 2.0 client credentials grant protocol

  1. Go to Salesforce Setup → App Manager

  2. Click "New Connected App"

  3. Enter required information for your Connected App to uniquely identify it: Name, API Name and Contact Email

  4. Set the checkbox to True for Enable OAuth Settings

  5. Set the Callback URL to https://login.salesforce.com (for production Salesforce orgs)

  6. Under Selected OAuth Scopes select:

    a. Manage User data via APIs (api)

    b. Perform requests at any time (refresh_token, offline_access)

  7. Set the checkbox to true for Enable Client Credentials Flow. Click "Okay" when you see the information message pop up: “Anyone with the consumer key and consumer secret can access your org on behalf of the selected user.”

  8. Click "Save"

OAUTH Scopes

  1. Click "Continue" when you see the standard message: “Changes can take up to 10 minutes to take effect. Deleting a parent org also deletes all connected apps with OAuth settings enabled.”

  2. Go back to Salesforce Setup → App Manager, find the Connected App that you just created and select "Manage" from the menu at the right

  3. Click Edit Policies

  4. In the Oauth Policies section, enable Permitted Users to All users may self-authorize

  5. In the User Provisioning Settings, set Enable User Provisioning to true

  6. In the Client Credentials Flow section, use the Run As field to select the Integration User you've previously configured above

  7. Save your changes.

User provisioning

Gather information for Textkernel activation🔗

In order for Textkernel to use the OAuth 2.0 protocol, the Textkernel implementation consultant needs the following information:

  • OAuth 2.0 Consumer Key
  • OAuth 2.0 Consumer Secret
  • OAuth 2.0 Token URL

You will need to securely provide that information to Textkernel.

OAuth Consumer Key and Consumer Secret🔗

  1. Go back to Salesforce setup → App Manager

  2. Click View on the Connected App you've just created

  3. Under the API (Enable OAuth Settings) section click Manage Consumer Details.

  4. When the button is clicked, for security, Salesforce will re-validate your login information. A Verify Your Identity page will open, and a verification code will be emailed to you. Use the code to complete the verification process.

Verify identify

  1. Afterwards, you will be redirected to a page listing the Consumer Key and Consumer Secret

Key and Secret

OAuth Token URL🔗

  1. Token URL will be in the following format: https://ORG_DOMAIN.my.salesforce.com/services/oauth2/token

Where ORG_DOMAIN is your Salesforce custom domain. Note that you need the full domain name including my.salesforce.com

(Optional) Automation API Webhook URL🔗

You only need to provide this if you are using the Automation API webhook.

After configuration, the Webhook URL will be in the following format: https://ORG_DOMAIN.my.salesforce.com/services/apexrest/Textkernel1/AUTOMATION_API_WEBHOOK

Where ORG_DOMAIN is your Salesforce custom domain. Note that you need the full domain name including my.salesforce.com