How to address Pardot issues related to the Salesforce outage

On May 11, 2021, Salesforce and Pardot users experienced a Salesforce outage related to a domain name service (DNS) issue. Salesforce was down for about four hours because of an “emergency break fix” that wasn’t successful.

The Salesforce outage affected Pardot. However, Pardot remained up and running even if marketers couldn’t log in to their specific instances.

As always, you can check https://status.salesforce.com/ to find information about ongoing issues that could potentially affect your Salesforce org.

Around 5 p.m. Eastern Standard Time, marketers noticed they couldn’t log into the CRM or Pardot. Salesforce was actively restoring services at 8:30 p.m. EST, and by that time the team had restored many of the impacted services.

Resolved-Multiple Salesforce Applications Disrupted

Were Pardot end users affected by the Salesforce outage?

Pardot end users likely did not experience the effects of the outage.

It currently looks like the outage may have caused a few delayed emails and delayed salesperson callbacks. However, we expect these small delays to be all that end users experience from this outage event.

How did the Salesforce outage affect Pardot?

Salesforce co-founder and chief technology officer Parker Harris commented on the outage via Tweet. He said the base issue causing the Salesforce outage was related to the domain name system (DNS). 

The DNS issue affected Pardot by restricting access to the CRM, which caused the Pardot-Salesforce connector to become unavailable. 

In addition, Pardot sends emails using Marketing Cloud send services (at least as far as DNS naming organizes them). So, Pardot was most likely unable to send emails during the outage.

Pardot authentication happens on Salesforce.com services, so Pardot users were not able to log in during the outage. This login unavailability impacted both marketers trying to log in and API authentications.

Next steps for Pardot users now that service is restored

The core of Pardot was unaffected. But we do have some things to check around the edges of Pardot where it interacts with other Salesforce services. 

Here’s how you can stay ahead of potential issues that may have been caused by the Salesforce outage:

Check new leads or prospects

Spot-check any leads that came in on form fills during the connectivity outage. Make sure new leads made their way into the CRM correctly. 

Look at your busiest forms and form handlers that have completion actions to sync to Salesforce. Make sure all prospects have the Salesforce cloud icons you expect. If they do not appear to be syncing, open the prospect record and click “Sync with CRM.”

Verify Pardot successfully delivered emails during Salesforce outage

The Salesforce outage may have delayed email delivery. It appears as though Pardot couldn’t communicate with outbound email servers. Look at reporting for any email campaigns you scheduled for delivery on May 11, 2021. Also, check any autoresponders that may be connected to form fills to ensure everything was delivered as expected.

Verifying Pardot sent your emails can give you assurance that the outage didn’t affect your campaigns. But remember, email is a fault-tolerant service, and any sending issues will fix themselves automatically. Or, the Pardot team will push the buttons to make this right for us.

Monitor API integrations

Third-party integrations likely lost the ability to sync with Pardot during the outage event. However, the way the outage affected each API integration depends on how the integration was built to deal with these situations.

Here are three ways your APIs may respond to outages.

The API:

  • Will automatically retry to connect, and the data should have made its way into Pardot with no issues. 
  • May have retried and stopped after too many unsuccessful attempts, so we don’t have the data in Pardot. 
  • May not retry to connect, so we don’t have the data in Pardot. 

You will need to check your Pardot tool integrations and figure out how to sync any missing data. You can likely sync missing data by manually pushing ‘retry’ in each tool. Or, you can use the normal export process to import data into Pardot just like we do when we don’t have the tools integrated. 
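The three behaviours listed above can be reproduced with a small simulation. This is an added example, not code from the original post: `FakePardot`, `deliver`, `sync`, `replay` and the sample leads are constructed for illustration. It shows that an integration which spools undelivered records can replay them once service is restored, whichever retry policy it uses.

```python
import time


class TransientError(Exception):
    """Constructed stand-in for DNS, connection or login failures during an outage."""


class FakePardot:
    """Constructed endpoint: rejects the first `down_calls` calls, then upserts by email."""

    def __init__(self, down_calls):
        self.down_calls = down_calls
        self.prospects = {}

    def send(self, record):
        if self.down_calls > 0:
            self.down_calls -= 1
            raise TransientError("authentication endpoint unreachable")
        # Upserting on a stable key keeps a later replay from creating duplicates.
        self.prospects[record["email"]] = record


def deliver(send, record, max_attempts, base_delay=1.0, sleep=time.sleep):
    """Return True once the record is accepted, False after max_attempts failures."""
    for attempt in range(1, max_attempts + 1):
        try:
            send(record)
            return True
        except TransientError:
            if attempt < max_attempts:
                sleep(base_delay * 2 ** (attempt - 1))  # back off: 1s, 2s, 4s, ...
    return False


def sync(send, records, spool, max_attempts, sleep=time.sleep):
    """Deliver what we can; append everything else to `spool` instead of dropping it."""
    for record in records:
        if not deliver(send, record, max_attempts, sleep=sleep):
            spool.append(record)
    return spool


def replay(send, spool, max_attempts, sleep=time.sleep):
    """Retry spooled records after service is restored; return those still undelivered."""
    return [r for r in spool if not deliver(send, r, max_attempts, sleep=sleep)]


# Constructed sample data.
LEADS = [{"email": f"lead{i}@example.com"} for i in (1, 2, 3)]


def demo(down_calls, max_attempts):
    """Run one outage scenario.

    Returns (stored during outage, spooled, stored after replay, still undelivered).
    """
    pardot, waits = FakePardot(down_calls), []
    # waits.append replaces time.sleep so the simulation runs instantly.
    spool = sync(pardot.send, LEADS, [], max_attempts, sleep=waits.append)
    stored_during = len(pardot.prospects)
    left = replay(pardot.send, spool, max_attempts, sleep=waits.append)
    return stored_during, len(spool), len(pardot.prospects), len(left)


if __name__ == "__main__":
    print("retries outlast the outage:", demo(down_calls=2, max_attempts=4))
    print("retries give up too early: ", demo(down_calls=10, max_attempts=3))
    print("no retry at all:           ", demo(down_calls=2, max_attempts=1))
```

In the second and third scenarios the spooled count is exactly the data that would be missing from Pardot if the integration dropped records on failure.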

What is DNS?

DNS, or Domain Name System, is effectively the computers’ ‘phone book’. This is the system that translates ‘TheSpotForPardot.com’ to the IP address (kinda like a phone number) that computers use to talk to each other. So with a DNS issue, the computers’ phone books don’t work right, and they can’t correctly talk to each other.

Pardot and the Pardot services didn’t have any DNS issues during this time, but rather the Salesforce platform infrastructure had DNS issues. So, the world could interact with Pardot services just fine — it continued to collect forms, deliver whitepapers, etc.

Pardot just couldn’t talk to Salesforce services, which includes authentication for logging in.

If you’re seeing connector issues, check out this resource to troubleshoot for common Pardot-Salesforce connector issues.

Get help from Pardot consultants

If all else fails and you’re completely lost in Salesforce outage freakout mode, then we’d love to talk to you. 

The Sercante Pardot consultant team knows a thing or two about Salesforce outages and how they affect Pardot orgs. Contact us to chat.

The post How to address Pardot issues related to the Salesforce outage appeared first on The Spot For Pardot.


Getting a List of Pardot Business Units For Your App – Programmatically

As our Pardot integrations are coping and adjusting to using the Pardot API with Salesforce SSO users, one of the new requirements is to provide the Pardot Business Unit ID in each API request. It is easy for Salesforce Administrators to get the ID, but what if we could do this with code? 

Right now, most Apps are directing Salesforce Administrators to grab the Pardot Business Unit ID by going through these simple steps:

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Pardot Setup Home under Platform Tools > Pardot
  3. Next, click Assign Admin
  4. On this page, you will see your Business Unit Id. Note: some people might have many Business Units!

Currently, this step can leave room for configuration errors. So now that we know how to ask for a Business Unit ID, how can we do this with code? As you might have noticed, the Business Unit ID is a Salesforce record Id, and after a little discovery we learned that the Salesforce object name is PardotTenant.

Working with PardotTenant – REST API

Disclaimer: at the time of writing, PardotTenant is not documented and the Metadata Coverage Report shows basically nothing is supported.

That’s ok, as developers we are used to wanting documentation, right? So let’s use Salesforce’s standard functionality to learn as much as we can. For this exploration, we will be using the Workbench: REST Explorer.

Once you are logged in, we will use a GET request with the following path: /services/data/v50.0/sobjects/PardotTenant/describe

Here’s a breakdown of what we think the key fields are and what we can use:

  • Id: The Business Unit Id that is used for the API
  • PardotTenantName: The Business Unit Name that we see beside the ID in Setup.
  • PardotTenantAccountType: We’ve seen Production and Demo as values, could be used to determine which Pardot URL to use for the API
  • PardotTenantId: The Pardot Account ID that you see in Account Information in Pardot’s Settings page.

Now that we know what the fields are and what may be of use to us (for the application we are working on right?), we can use a new REST call to get the list of PardotTenants with the following path: /services/data/v50.0/query?q=SELECT+Id,+PardotTenantName,+PardotTenantAccountType,+PardotTenantId+FROM+PardotTenant

Great, we know what REST calls need to be made and the format of the response. The tricky part is getting our Connected App to be correctly configured to enable us to get the information we need.

There are 2 key things that you need to be able to use the Salesforce REST API and get a list of Pardot Business Units.

  1. A Connected App which includes the API scope.
  2. A Salesforce User with at least a Platform license.

Needing at least a platform license is where things can get tricky.  Normally for working with the Pardot API, a User with the Identity License (along with the Connected App) is good enough.  Identity Licenses don’t provide access to most of the Pardot objects, PardotTenant included.

Troubleshooting REST Errors

This is pretty tricky, and even just writing this post I came across a few errors.

Session is not valid

[{"message": "This session is not valid for use with the REST API", "errorCode": "INVALID_SESSION_ID"}]

You will get this error if your Connected App is missing the API scope, even if your Salesforce User can see the PardotTenant object.  Simply edit your Connected App, add the API scope, wait a few minutes and then try again.

Invalid Type or The Requested Resource Does Not Exist

There could be 2 causes for you getting one of these 2 errors.

The first is that the Salesforce Org you are connecting to just might not have Pardot set up. Pretty easy to check why.

The next (that I’m not 100% sure why yet) seems to be when I used an Access Token that I received from a Username/Password OAuth authentication request, but when I issued a JWT Bearer flow authentication request this worked fine. For production-level code, it’s best to not use Username/Password flows anyways, but during experimentation this might cause a small issue.
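The query path and the error cases above can be handled together in client code. This is an added example, not code from the original post: the function names and sample record values are constructed, the success body assumes the standard Salesforce REST query envelope (`records` list), and mapping the account type to an API host follows the post's suggestion that it "could be used" that way.

```python
import json
from urllib.parse import quote_plus

API_VERSION = "v50.0"  # version used in the post's REST paths
FIELDS = ("Id", "PardotTenantName", "PardotTenantAccountType", "PardotTenantId")

# Assumption: the account type selects the Pardot API host.
PARDOT_HOSTS = {
    "Production": "https://pi.pardot.com/api",
    "Demo": "https://pi.demo.pardot.com/api",
}

# Causes the post gives for each REST error.
NO_ACCESS = "Org has no Pardot set up, or this user/token cannot see PardotTenant."
ERROR_HINTS = {
    "INVALID_SESSION_ID": "Connected App lacks the API scope; add it, wait a few minutes, retry.",
    "INVALID_TYPE": NO_ACCESS,
    "NOT_FOUND": NO_ACCESS,
}


class TenantLookupError(Exception):
    def __init__(self, code, hint):
        super().__init__(f"{code}: {hint}")
        self.code, self.hint = code, hint


def tenant_query_path():
    """Build the SOQL query path for listing Business Units."""
    soql = "SELECT " + ", ".join(FIELDS) + " FROM PardotTenant"
    return f"/services/data/{API_VERSION}/query?q=" + quote_plus(soql, safe=",")


def parse_tenants(status, body):
    """Turn a REST response into a list of Business Units, or raise with a hint."""
    data = json.loads(body)
    if status != 200:
        # Errors arrive as a JSON list of {"message", "errorCode"} objects.
        err = data[0] if isinstance(data, list) and data else {}
        code = err.get("errorCode", "UNKNOWN")
        hint = ERROR_HINTS.get(code, err.get("message", "unrecognised error"))
        raise TenantLookupError(code, hint)
    units = []
    for rec in data.get("records", []):
        bu_id, kind = rec["Id"], rec.get("PardotTenantAccountType")
        # Business Unit IDs are 18 characters and start with 0Uv,
        # like the ID in the post's APEX sample.
        if len(bu_id) != 18 or not bu_id.startswith("0Uv"):
            raise ValueError(f"not a Business Unit ID: {bu_id!r}")
        if kind not in PARDOT_HOSTS:
            raise ValueError(f"unexpected account type: {kind!r}")
        units.append({"id": bu_id, "name": rec["PardotTenantName"],
                      "api_base": PARDOT_HOSTS[kind]})
    return units


# Constructed sample responses (IDs and names are placeholders).
SAMPLE_OK = json.dumps({"totalSize": 2, "done": True, "records": [
    {"attributes": {"type": "PardotTenant"}, "Id": "0Uv000000000001AAA",
     "PardotTenantName": "Main BU", "PardotTenantAccountType": "Production",
     "PardotTenantId": "100001"},
    {"attributes": {"type": "PardotTenant"}, "Id": "0Uv000000000002AAA",
     "PardotTenantName": "Training BU", "PardotTenantAccountType": "Demo",
     "PardotTenantId": "100002"},
]})
SAMPLE_NO_SCOPE = json.dumps([{
    "message": "This session is not valid for use with the REST API",
    "errorCode": "INVALID_SESSION_ID"}])

if __name__ == "__main__":
    print(tenant_query_path())
    for unit in parse_tenants(200, SAMPLE_OK):
        print(unit)
    try:
        parse_tenants(401, SAMPLE_NO_SCOPE)
    except TenantLookupError as exc:
        print(exc)
```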

Working with PardotTenant – APEX

This is pretty simple, we can use a plain old SOQL statement to retrieve the information we need.

List<PardotTenant> pardotTenants = [
        SELECT Id, PardotTenantName, PardotTenantAccountType, PardotTenantId
        FROM PardotTenant
        WHERE IsDeleted = false];

However, if you are working on a Managed Package, you might get a lot of packaging complaints about PardotTenant not being available to you. In that case, you can do something a little more dynamic:

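// PardotTenantDto is assumed to be a simple class defined elsewhere in your
// package with a (String id, String name) constructor.
public List<PardotTenantDto> getBusinessUnits() {
    // Dynamic SOQL avoids a compile-time reference to PardotTenant
    List<sObject> pardotTenants = Database.query(
        'SELECT Id, PardotTenantName FROM PardotTenant WHERE IsDeleted = false');

    List<PardotTenantDto> businessUnits = new List<PardotTenantDto>();
    for (sObject pardotTenant : pardotTenants) {
        // Read fields by name, since the concrete type is not referenced
        businessUnits.add(new PardotTenantDto(
            (String) pardotTenant.get('Id'),
            (String) pardotTenant.get('PardotTenantName')
        ));
    }
    return businessUnits;
}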

Conclusion

Depending on your app, it might provide a better user experience to allow users setting up their Pardot connection to select from a list of Pardot Business Units, in order to help reduce the chance of configuration errors. Exploring the PardotTenant object might be a great way to get you to being able to do this. Have questions or need help exploring if this is the right path for your app? We would love to help. Reach out or shoot a question in the comments.

The post Getting a List of Pardot Business Units For Your App – Programmatically appeared first on The Spot For Pardot.

March 8th, 2021 | Categories: Integration, Pardot SSO Update

Can’t Sign In To Pardot: Salesforce SSO Now Required

As Salesforce continues to roll out Pardot SSO across all accounts, many Pardot users are now being greeted with the following error message when trying to log in to Pardot:

“Can’t sign in: Salesforce single sign-on (SSO) is required to log in to Pardot. If you don’t have Salesforce login, contact your Pardot admin.” 

What Does This Mean 

Back in June 2020, Salesforce announced they were discontinuing Pardot-Only Users & moving to SSO. Beginning on February 15, 2021 and coinciding with the Spring ’21 release, Pardot’s user authentication system has been discontinued and all users will be required to use Salesforce single sign-on (SSO). All Pardot users not enabled with Salesforce SSO by Spring ‘21 will lose the ability to log into Pardot until they are connected to a Salesforce user. This affects your users with Pardot-only access, your integrations that use the Pardot API, as well as the Pardot WordPress plugin. 

How To Fix It – Get Back Into Pardot

Simply put, in order to get back into your Pardot org, you will need to go through the process to set up Pardot Single Sign On for both human users and API users. To do this, you will need to connect all Pardot users to Salesforce users, enable SSO and configure User Sync.

But wait, do I have to purchase Salesforce licenses? It Depends. Salesforce provides 100 “Identity User” licenses that can be used to create Pardot-only Salesforce user records (those users not needing Salesforce access). If this number is not enough, additional licenses will need to be purchased.

Pardot User Migration Steps: 

  1. Identify Pardot only users
  2. Identify users that are tied to an API integration. Set aside temporarily. These users need to be managed differently.
  3. Identify users that do not have a Salesforce user record and create a record for them.
  4. Map each Pardot user to the corresponding Salesforce user
  5. Enable SSO for those users.
  6. Update API users to be SSO compliant (steps 3-5) and update API Integrations to use SSO users
  7. Enable Salesforce User Sync
  8. Confirm users can access Pardot via their Salesforce credentials

We Can Help – Setting Up Pardot SSO

If you need help with getting Pardot SSO setup, we would love to review the Pardot User Migration guide with your team, discuss any nuances specific to your org, and develop a plan to minimize impact on your plans this year. Let’s Get Started 

The post Can’t Sign In To Pardot: Salesforce SSO Now Required appeared first on The Spot For Pardot.

February 22nd, 2021 | Categories: Pardot SSO Update

Pardot API and Getting Ready with Salesforce SSO Users Part 3A: Connecting to Pardot API from APEX

The Pardot User-Migration deadline is fast approaching. There is a lot of guidance on setting up our human users for success, but what about our code? Currently, there is a lack of specifics available on how to make changes to custom code & scripts that talk to the Pardot API. So we wrote this guide specifically for connecting to the Pardot API from APEX.

Also See Part 3B: Connecting to Pardot API from Custom Code.

We’ve come across our fair share of APEX code written in Salesforce that works with the Pardot API, and in the past it was fairly simple to set up. Just get the username, password and API key of the Pardot User, copy some APEX code examples and you were ready to go.  Now that we need to authenticate through Salesforce SSO, we’ve taken the time to detail out what you need to set up. Hang on, as there’s a lot to do. In summary we will:

  1. Create a new User for this integration
  2. Create a Salesforce Self-Signed Certificate
  3. Create a Connected App, allowing our User to be pre-authorized
  4. Create a Named Credential
  5. Write some Basic APEX that demonstrates this all working

Step 1: Create a new User

We recommend that each integration has its own user. For this Pardot integration, a Salesforce User (with an Identity License profile) linked to a Pardot SSO User should be sufficient.

In Salesforce, create a new user, commonly using the Identity Profile.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Users under Administration > Users, click on New User
  3. Use the following values (or use whatever makes sense for you)
    1. First Name: Pardot
    2. Last Name: APEX
    3. Alias: pdotapex
    4. Email: use an email address you have access to
    5. Username: create a username that uniquely identifies this integration
    6. User License: Identity
  4. When complete, the section should look like this
  5. Using the Salesforce activation email, be sure to log in, which will ask you to set a password and recovery options. Save this info somewhere.
  6. If you are using User Sync, complete one more step: in Salesforce Setup navigate to Pardot Setup > Account Setup > Manage Users. Edit User Assignments and make sure your new user is Selected (or is added as a member of a selected group or role).

In Pardot, create a new user (skip step 1 if you are not using User Sync): 

  1. If you are using User Sync, update the profile and role mapping to make sure the Salesforce profile (e.g. Identity User) is mapped to a Pardot Role that matches the abilities you want your API integration to have.
  2. Navigate to the Users page in Pardot by navigating to Admin (Pardot Settings in the Lightning app), and then User Management | Users.
  3. Click the +Add User button and complete the required information, using the same values (where possible) that you used when creating the Salesforce User
  4. In the CRM Username dropdown menu, select the new API integration User you created in Salesforce.
  5. When complete, the section should look like this
  6. After saving the new User record, click the “Enable Salesforce single sign-on” link. (If you have already enabled User Sync for this user/profile, this will be completed automatically.)

A Permission Set is what will enable our User to connect via the Connected App without needing to manually authorize it.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Permission Sets under Administration > Users, click on New
  3. Use the following values (or use whatever makes sense for you)
    1. Label: Pardot API Access
    2. API Name: let it auto populate
    3. Description: Grants access to Pardot via API. No permissions specified
    4. Click Save
  4. Add the new Permission Set to the User created/chosen above
    1. When viewing the Permission Set, click Manage Assignments
    2. Click Add Assignments, and select the correct User

Step 2: Create a Salesforce Self-Signed Certificate

Certificates are actually composed of 2 pieces: a private key (often called just a key) and a public key (often called just a cert/certificate). For our purposes, the private key is used to “prove” that it is actually your code that is trying to log in, which is why passwords and security tokens are not required. The public key, which you will upload to the Connected App, is used to verify that the correct (authorized) process is trying to access Salesforce.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Certificate and Key Management under Security, click Create Self-Signed Certificate
  3. Use the following values (or use whatever makes sense for you)
    1. Label: Pardot Integration Certificate
    2. Unique Name: let it auto populate
    3. Key Size: Leave it as the default value
  4. When complete, the section should look like this:
  5. Save the Certificate
  6. Once saved, click the Download Certificate button, as  you will need it when setting up the Connected App later on.

It is important to note that this certificate is only going to be valid for 1 year. You can create a longer-lived certificate, but you will have to import it from a Keystore and we will leave that for another blog post.

Step 3: Create the Connected App

A Salesforce Connected App is how you give external code and systems access to the Salesforce API. It may seem a little odd, since your APEX already runs inside Salesforce, but the authentication methods work the same way.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to App Manager under Platform Tools > Apps, click on New Connected App
  3. Use the following values for Basic Information
    1. Connected App Name: APEX Access to Pardot
    2. API Name: (let it auto populate, or make up your own name)
    3. Contact Email: use a company email address
    4. Description: Grants access to Pardot from our APEX
    5. When complete, the section should look like this:
  4. Use the following values for API (Enable OAuth Settings)
    1. Enable OAuth Settings: Checked
    2. Callback URL: https://login.salesforce.com/services/oauth2/callback
    3. Use digital signatures: Checked
    4. Browse: Use the certificate you downloaded earlier
    5. Selected OAuth Scopes:
      1. pardot_api (allows you to actually call the Pardot API)
      2. offline_access (allows your code to make API calls when it needs to)
    6. When complete, the section should look like this:
  5. Save the new Connected App, click Continue after observing the warning
  6. From the Saved Record screen, take special note of the Consumer Key, you will need to use it in your APEX

Pre Authorize User to use Pardot API

Regardless of how the Connected App was set up (above), we need to pre-authorize the correct user to use the Pardot API.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to App Manager under Platform Tools > Apps, find the APEX Access to Pardot app, click the drop down menu and then Manage
  3. Click Edit Policies
  4. Under OAuth Policies > Permitted Users, change to: Admin approved users are pre-authorized, Save
  5. Back at the Connected App, new sections have appeared. In Permission Sets, click Manage Permission Sets
  6. Assign the Pardot API Access permission set

Step 4: Create a Named Credential

The Named Credential is what allows your APEX code to login and be able to actually use the Pardot API.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Named Credentials under Security, click New Named Credential
  3. Use the following values
    1. Label: APEX Pardot Credential
    2. Name: (let it auto populate, or make your own name)
    3. URL: https://pi.pardot.com/api (adjust if https://pi.demo.pardot.com/api)
    4. Certificate: leave this blank, this is used for 2-way SSL connections
    5. Identity Type: Named Principal
    6. Authentication Protocol: JWT Token Exchange
    7. Token Endpoint URL: https://login.salesforce.com/services/oauth2/token (adjust if test.salesforce.com)
    8. Issuer: OAuth Consumer Key that you created earlier
    9. Named Principal Subject: The username of the User you want to use (from the first steps of this post)
    10. Audiences: https://login.salesforce.com (adjust if required)
    11. Token Valid for: 30 Seconds
    12. JWT Signing Certificate: Pardot Integration Certificate
    13. Callout Options: leave all these at their default settings.
  4. When complete, this section should look like this
  5. Save

Sample Working APEX

The following APEX code can be called to demonstrate a working solution.

public class PardotTesting {
    public static void tryItOut() {
        HttpRequest req = new HttpRequest();
        // "callout:" + the Name of the Named Credential, then the Pardot API path
        req.setEndpoint('callout:APEX_Pardot_Credential/account/version/4/do/read?format=json');
        // Use the Business Unit ID of your own Pardot Business Unit here
        req.setHeader('Pardot-Business-Unit-Id', '0Uv4W0000000056SAA');
        req.setMethod('GET');
        Http http = new Http();
        HTTPResponse res = http.send(req);
        // Ideally you would parse the JSON response and work with it
        System.debug(res.getBody());
    }
}

Key things to note: when setting the Request’s Endpoint, the Name of the Named Credential is used in the String, after the callout: prefix. Following the Named Credential is the rest of the Pardot API endpoint you want to hit.

Conclusion 

Following the above steps will get your code ready for SSO in preparation for the February 15th deadline. Have some additional insights? We would love for you to share your experiences and tips as you work through getting your code ready for SSO. Stuck and need help? Let us know and we would be glad to help audit your unique instance needs.


The post Pardot API and Getting Ready with Salesforce SSO Users Part 3A: Connecting to Pardot API from APEX appeared first on The Spot For Pardot.

February 2nd, 2021 | Categories: Pardot SSO Update

Pardot API and Getting Ready with Salesforce SSO Users Part 3B: Connecting to Pardot API from Code

The Salesforce SSO deadline is fast approaching, and there aren’t a lot of specifics out there on how to make changes to our custom code & scripts that talk to the Pardot API. There is a lot of guidance on setting up our human users for success, but what about our code? So we wrote this guide specifically for connecting to the Pardot API from custom code.

Also See Part 3A: Connecting to Pardot API from APEX

We’ve come across our fair share of custom code that works with the Pardot API, and in the past it was really easy to set up. Just get the username, password and API key of the Pardot User, copy some code examples and you were ready to go.  Now that we need to authenticate through Salesforce SSO, we’ve got the details here on what you need to set up. Hang on, as there’s a lot to do. In summary we will:

  1. Create a new User for this integration
  2. Create a Self Signed Certificate
  3. Create a Connected App, allowing our User to be pre-authorized
  4. Run some custom code, with examples in different languages

Create a new User

We recommend that each integration has its own user. For this Pardot integration, a User with an Identity License profile should be sufficient.

In Salesforce, create a new user, possibly using the Identity Profile.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Users under Administration > Users, click on New User
  3. Use the following values (or use whatever makes sense for you)
    1. First Name: Pardot
    2. Last Name: Python
    3. Alias: pypardot
    4. Email: use an email address you have access to
    5. Username: create a username that uniquely identifies this integration
    6. User License: Identity
  4. When complete, the section should look like this
  5. Using the Salesforce activation email, be sure to log in, which will ask you to set a password and recovery options. Save this info somewhere.
  6. If you are using User Sync, complete one more step: in Salesforce Setup navigate to Pardot Setup > Account Setup > Manage Users. Edit User Assignments and make sure your new user is Selected (or is added as a member of a selected group or role).

In Pardot, create a new user (skip step 1 if you are not using User Sync): 

  1. If you are using User Sync, update the profile and role mapping to make sure the Salesforce profile (e.g. Identity User) is mapped to a Pardot Role that matches the abilities you want your API integration to have.
  2. Navigate to the Users page in Pardot by navigating to Admin (Pardot Settings in the Lightning app), and then User Management | Users.
  3. Click the +Add User button and complete the required information, using the same values (where possible) that you used when creating the Salesforce User
  4. In the CRM Username dropdown menu, select the new API integration User you created in Salesforce.
  5. When complete, the section should look like this
  6. After saving the new User record, click the “Enable Salesforce single sign-on” link. (If you have already enabled User Sync for this user/profile, this will be completed automatically.)

A Permission Set is what will enable our User to connect via the Connected App without needing to manually authorize it.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to Permission Sets under Administration > Users, click on New
  3. Use the following values (or use whatever makes sense for you)
    1. Label: Pardot API Access
    2. API Name: let it auto populate
    3. Description: Grants access to Pardot via API. No permissions specified
    4. Click Save
  4. Add the new Permission Set to the User created/chosen above
    1. When viewing the Permission Set, click Manage Assignments
    2. Click Add Assignments, and select the correct User

Create a Self-Signed Certificate

Certificates are actually composed of 2 pieces: a private key (often called just a key) and a public key (often called just a cert/certificate). For our purposes, the private key is used to “prove” that it is actually your code that is trying to log in: your code signs its login request with it, which is the reason that passwords and security tokens are not required. The public key is what Salesforce uses to check that signature, and so to verify that the correct (authorized) process is trying to access Salesforce.

For our example, we will use a Command Line Interface app called openssl to generate our certificate.

  1. Make sure you have openssl installed
  2. Open a Terminal / Command Prompt
  3. Issue the following command:
    openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 -keyout mycoolcert.key -out mycoolcert.crt
    1. You will be prompted to provide some information. These fields are all optional, though it is not a bad idea to fill them out, especially since Salesforce will show the info when you look at the Connected App later on
    2. This command creates a 100 year certificate, with the Private Key stored in the .key file and the Public Key stored in the .crt file. Both of these files are text files that you can view with any text editor.
    3. You will want to protect the .key file, as it is uniquely created for YOU. The -nodes option writes it unencrypted, so anyone who obtains the file, together with the Consumer Key and username, can authenticate as your integration User. This .key file will be used by your code as part of the authentication process.
    4. The .crt file will be used when creating the Connected App

Create the Connected App

A Salesforce Connected App is how you give external code and systems access to the Salesforce API.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to App Manager under Platform Tools > Apps, click on New Connected App
  3. Use the following values for Basic Information
    1. Connected App Name: Internal JWT Access to Pardot
    2. API Name: (let it auto populate, or make up your own name)
    3. Contact Email: use a company email address
    4. Description: Grants access to Pardot from our own custom written solutions
    5. When complete, the section should look like this:
  4. Use the following values for API (Enable OAuth Settings)
    1. Enable OAuth Settings: Checked
    2. Callback URL: https://login.salesforce.com/services/oauth2/callback
    3. Use digital signatures: Checked
    4. Browse: Use the certificate you created earlier
    5. Selected OAuth Scopes:
      1. pardot_api (allows you to actually call the Pardot API)
      2. offline_access (allows your code to make API calls when it needs to)
    6. When complete, the section should look like this:
  5. Save the new Connected App, click Continue after observing the warning
  6. From the Saved Record screen, take special note of the Consumer Key, you will need to use it in your APEX

Pre Authorize User to use Pardot API

Regardless of how the Connected App was set up (above), we need to pre authorize the correct user to use the Pardot API.

  1. In Salesforce Lightning, Navigate to Setup
  2. Navigate to App Manager under Platform Tools > Apps, find the APEX Access to Pardot app, click the drop down menu and then Manage
  3. Click Edit Policies
  4. Under OAuth Policies > Permitted Users, change to: Admin approved users are pre-authorized, Save
  5. Back at the Connected App, new sections have appeared. In Permission Sets, click Manage Permission Sets
  6. Assign the Pardot API Access permission set

Sample Working Code

Here we aim to provide a few different samples of working code. Note: because these are samples, we are following some Minimal, Reproducible Example guidelines. These should help you understand how to incorporate the approach into your well-architected code projects.

Python Sample Code

This sample code was extended from a great GitHub Gist from booleangate. Save it locally as pythonExample.py

#!/usr/bin/env python3
# pip install pyjwt cryptography requests

import jwt, time, requests

# *** Update these values to match your configuration ***
IS_SANDBOX = False
KEY_FILE = 'mycoolcert.key'
ISSUER = 'YOUR_OAUTH_CONSUMER_KEY'
SUBJECT = 'YOUR_SALESFORCE_IDENTITY_USERNAME'
BUSINESS_UNIT_ID = '0Uv…..'
pardotUrl = 'https://pi.demo.pardot.com/api/account/version/4/do/read?format=json'
# *******************************************************

DOMAIN = 'test' if IS_SANDBOX else 'login'

print('Loading private key…')
with open(KEY_FILE) as fd:
    private_key = fd.read()

print('Generating signed JWT assertion…')
claim = {
    'iss': ISSUER,
    'exp': int(time.time()) + 604800,
    'aud': 'https://{}.salesforce.com'.format(DOMAIN),
    'sub': SUBJECT,
}
assertion = jwt.encode(claim, private_key, algorithm='RS256', headers={'alg': 'RS256'})
# PyJWT 1.x returns bytes, PyJWT 2.x returns str; normalise to str
if isinstance(assertion, bytes):
    assertion = assertion.decode('utf8')

# you could take the JWT and paste it in https://jwt.io to see what it ends up looking like
# (the signed assertion is a credential until 'exp' passes: anyone holding it
# can exchange it for an access token, so treat this output as a secret)
print('assertion=%s' % assertion)
print('Making OAuth request…')
loginResponse = requests.post('https://{}.salesforce.com/services/oauth2/token'.format(DOMAIN), data={
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': assertion,
})

print('Status:', loginResponse.status_code)
print(loginResponse.json())
accessToken = loginResponse.json().get('access_token')
# Stop here if the login failed, instead of failing on the header below
if not accessToken:
    raise SystemExit('No access_token in the OAuth response')

# Now for doing the Pardot Fun Stuff
pReqHeaders = {
    'Authorization': 'Bearer ' + accessToken,
    'Pardot-Business-Unit-Id': BUSINESS_UNIT_ID
}

print('Making Pardot Account API request…')
accountResponse = requests.get(url=pardotUrl, headers=pReqHeaders).json()
print(accountResponse)

Some tips to get this code working for you:

  1. Be sure to put the Private Key file from your self-signed certificate in the same directory as this code sample
  2. Be sure to replace the configuration values at the top of the script to match what you created
  3. Add print() statements where you want to further understand values that are being set up
  4. Make the code file executable, then just call it directly: ./pythonExample.py and watch the output
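
The sample's comment suggests pasting the JWT into jwt.io; the same inspection can be done locally, which keeps a signed, still-valid assertion off third-party sites. The following is an added example, not part of the original sample or the gist it was extended from: the function names are hypothetical, the 300-second max_lifetime is this example's own policy rather than a Salesforce limit, and the sample token is constructed with a fake signature.

```python
import base64, json, time

SALESFORCE_AUDIENCES = ('https://login.salesforce.com', 'https://test.salesforce.com')

def b64url_decode(segment):
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def inspect_assertion(assertion, consumer_key, username, now=None, max_lifetime=300):
    """Decode a JWT locally and return (claims, problems).

    The signature is not verified here; Salesforce does that with the uploaded .crt.
    max_lifetime (seconds) is this example's own policy, not a Salesforce limit.
    """
    now = int(time.time()) if now is None else now
    parts = assertion.split('.')
    if len(parts) != 3:
        return {}, ['not a three-part compact JWT']
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return {}, ['header or payload is not base64url-encoded JSON']
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {}, ['header or payload is not a JSON object']
    problems = []
    if header.get('alg') != 'RS256':
        problems.append('alg is not RS256')
    if claims.get('iss') != consumer_key:
        problems.append('iss does not match the Consumer Key')
    if claims.get('sub') != username:
        problems.append('sub does not match the integration username')
    if claims.get('aud') not in SALESFORCE_AUDIENCES:
        problems.append('aud is not a Salesforce login host')
    exp = claims.get('exp')
    if not isinstance(exp, int) or exp <= now:
        problems.append('exp is missing or in the past')
    elif exp - now > max_lifetime:
        problems.append('exp is more than %d seconds away' % max_lifetime)
    return claims, problems

def redact(assertion):
    """Replace the signature so the token can be logged without being replayable."""
    head, sep, _sig = assertion.rpartition('.')
    return head + '.<signature-removed>' if sep else '<not a JWT>'

def make_sample_assertion(claims):
    """Constructed sample: real header/payload encoding, fake signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b'=').decode()
    return '.'.join([enc({'alg': 'RS256', 'typ': 'JWT'}), enc(claims), 'ZmFrZQ'])
```

Call inspect_assertion(assertion, ISSUER, SUBJECT) before the OAuth request and log redact(assertion) instead of the full token.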

Conclusion 

Following the above steps will get your code ready for SSO in preparation for the February 15th deadline. Have some additional insights? We would love for you to share your experiences and tips as you work through getting your code ready for SSO. Stuck and need help? Let us know, and we would be glad to help audit your unique instance needs.


The post Pardot API and Getting Ready with Salesforce SSO Users Part 3B: Connecting to Pardot API from Code appeared first on The Spot For Pardot.

February 2nd, 2021 | Categories: Pardot SSO Update