Setting up External Calendars
Before you synchronize events created for assignments and project task assignments (PTAs) with the external calendar, we recommend that you complete the initial setup.
To set up PSA to use Google as an external calendar you need to do the following:
- Ask your IT team to set up Google as the authentication provider. This is used to identify relevant users and manage their access.
- Generate Google credentials.
- Configure Google as an authentication provider.
Setting up Google as an Authentication Provider
- Browse to the Google Cloud Platform https://console.cloud.google.com/.
- Log in to the Google Cloud Platform using your email and password. If you are a first-time user select the Terms of Service check box and click AGREE AND CONTINUE.
- Contact your IT team to setup a new Google project. To create a new project, navigate to navigation menu and click IAM & Admin | Create a Project.
- Specify the following details:
- Enter the project name in the Project name field.
- Select the organization name to attach the project in the Organization drop-down.
- Browse the parent organization or folder in the Location field.
- Click CREATE. It directs you to the Dashboard.
- Select the newly created project from the Select a project drop-down on the top left-hand side next to the Navigation menu.
- Specify the following details:
- If you are an existing user and have an existing project, select it from the Select a project drop-down on the top left-hand side next to the Navigation menu. Contact your IT team to grant you the access to this project, to enable APIs.
- To enable the Google Calendar API in your project, open the Navigation menu and click APIs & Services | Enabled APIs & services. The APIs & Services page displays.
- Click +Enable APIs and Services. The API Library page opens.
- In the Search field, enter Calendar API and press Enter on the keyboard.
- Select Google Calendar API. Click Enable.The API/Service Details page displays.
After creating the project and enabling the API, you can now configure the OAuth consent page.
Configuring the OAuth Consent Page and Registering Your App in Google
- On the APIs & Services page, select the OAuth consent page from the navigation pane.
- Select the user type as either “Internal” or “External”.
- Internal: Select this user type if you are creating the app within your Google Workspace organization. In this case, there is no need to publish and verify the app.
- External: Select this user type if you are creating the app outside your Google Workspace organization. Depending on how you configure your OAuth screen, you must publish the app in production and submit it for verification.
- Click CREATE. The App information section opens.
- In the App information section:
- In the App name field, enter the name of your app asking for consent at the time of authorization. The app name can be similar to the Google project name for better usability.
- In the User support email field, enter an email where users can contact you regarding their consent. For example, your IT help desk email.
- [Optional] In the App logo field, upload a logo for your app.
- Under the App domain section, in the Authorised domains, click +ADD DOMAIN and enter force.com in Authorised domain 1 field. Again, click +ADD DOMAIN and enter salesforce.com in Authorised domain 2 field.
- In the Developer contact information section Email Addresses field, enter email addresses where Google can notify you about changes in your project.
- Click SAVE AND CONTINUE.
- To add the authorization scopes, click ADD OR REMOVE SCOPES.
- In the Update selected scopes window in the filter input field, select API and enter Google Calendar API.
- Scroll down and select the scope "./auth/calendar.events" with the user-facing description “View and edit events on all your Calendars”. This scope is the minimum requirement for this functionality to work.
- Click UPDATE.
- Click SAVE AND CONTINUE. The app registration summary is displayed.
- [Optional] To make changes to the app registration, click EDIT.
You have authenticated and registered your app. You must now create credentials to access your enabled APIs.
Generating Google Credentials: Client ID and Client Secret
- On the APIs & Services page, select "Credentials" from the navigation pane on the left side.
- Click + CREATE CREDENTIALS and select "OAuth client ID".
- On the Create OAuth client ID page, in the Application type drop-down list, select "Web application".
- In the Name field, enter a name for the web client.
- Leave the Authorized redirect URls blank to copy the Callback URL generated from the Authorization Provider Setup at the Salesforce end.
- Click CREATE. The Client ID and Client Secret is created.
- Copy "Your Client ID" and "Your Client Secret" from the OAuth client created popup window for setting up the Auth. Provider in Salesforce and click OK.
After completing the Google setup and generating the Client ID and Client Secret, you must set up Google as an authentication provider in your Salesforce org.
Configuring Google as an Authentication Provider
You can configure Google as an authentication provider in your Salesforce org from the Auth. Providers Setup page.
- From Setup, in the Quick Find field, enter Auth. Providers, select "Auth. Providers", and click New.
- In the Provider Type drop-down, select "Google". After the selection, the auth. provider fields are displayed.
- Enter the details in the following fields and leave all other fields blank:
- In the Name field, enter a name for the authentication provider.
- The URL Suffix field populates automatically as soon as we complete the Name field.
- In the Consumer Key field, paste the Google Client ID copied in step 7 of Generate Google Credentials: Client ID and Client Secret section.
- Similarly, in the Consumer Secret field, paste the Google Client Secret created in step 7 of Generate Google Credentials: Client ID and Client Secret section.
- In the Authorize Endpoint URL field, enter the following URL: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force
- In the Token Endpoint URL field, enter the following URL: https://accounts.google.com/o/oauth2/token
- In Default Scopes, enter the following scopes separated by a space:
- openid
- https://www.googleapis.com/auth/calendar.events
- Click Save.
- Copy the Callback URL generated under the Salesforce Configuration section.
- Navigate to Google setup, in the Navigation menu, click APIs & Services | Credentials.
- On the Credentials page, under OAuth 2.0 Client IDs, click the Edit OAuth client icon.
- Scroll down to the Authorised redirect URIs section, click +ADD URI and paste the Callback URL in the URIs 1 field.
- Click SAVE.
- Navigate to your Salesforce org Auth Provider, which you have created in steps 1 to 4. Use the Test-Only Initialization URL to test the connection. It redirects you to the Google Account login page. Select the account and click Allow to view and edit events on all your calendars.
For example, openid https://www.googleapis.com/auth/calendar.events
After a successful connection, you will receive a success response similar to the one below:
Generating Named Credentials
A named credential specifies the URL of a callout endpoint and is used for authentication. In Salesforce, we use an external credential to create a named credential.
The following table shows the differences between the options in the Named Credential Identity Type drop-down list. Before setting up these identity types, discuss their implications with your security and IT teams.
Setup | Named Principal | Per User Principal |
---|---|---|
Authentication |
One user authenticates the whole org. |
Each relevant user must authenticate their calendar to be able to push PTAs, and assignments from PSA to a contact's calendar. |
Permissions |
To access a contact's calendar, the authorized user must be assigned a permission set group or permission set that gives access to the external credential. |
To access a contact's calendar. each relevant user must be assigned a permission set group or permission set that gives access to the external credential. |
External calendar access |
The authorized user must have sharing access and be able to make changes to events on a contact's calendar to be able to push PTAs and assignments from PSA to the calendar. Without this access, only records assigned to the authorized user by the authorized user are pushed to the contact's calendar. |
Each relevant user must have sharing access and be able to make changes to events on a contact's calendar to be able to push PTAs, and assignments from PSA to the calendar. Without this access, the user can only push self-assigned events to a contact's calendar. |
Implications for PTAs and assignments |
In the contact's calendar, all the events appear to have been generated by the same email account. Because of this, we recommend that you have a CertiniaPSA and Salesforce licenses, and create a system user, such as psasystem@xyz.com. |
The user that is assigning the PTAs, and assignments in PSA is the user that is creating the events in the contact's calendar. |
Creating External Credentials and Named Credentials
To create a named credential using the New Named Credential page, you must create an external credential. External credentials specify an authentication protocol and permission set groups, permission sets, or profiles to use when authenticating to an external system.
-
Create External Credential
To create an external credential:
- From Setup, enter Named Credentials in the Quick Find field, and then select "Named Credentials". The Named Credential page opens.
- Click External Credentials | New. The New External Credential window opens.
- In the Label field, enter a name for the external credential.
- In the Name field, enter a unique name containing underscores to refer to the external credential.
- In the Authentication Protocol, select "OAuth 2.0".
- In the Authentication flow type, select "Browser Flow".
- In the Authentication Provider drop-down list, select the authentication provider name.
- Leave the Scope field blank if you have defined it in the specified authentication provider. If you haven't defined it, enter the scope.
- Click Save. The Named Credentials page opens.
- Scroll down to the Principals section and click New.
- Select a parameter name and an identity type.
- Enter a sequence number. A sequence number specifies the order of principals to apply when there is more than one principal.
- In Permission Set Overview | External Credential Principal Access, add the external principal you have just generated to a permission set group or permission set. You must assign this permission set group or permission set to all relevant users.
- Click Save.
-
Create Named Credential
To create a named credential and link it to the external credential:
- From Setup, enter Named Credentials in the Quick Find field, and then select "Named Credentials".
- Click the Named Credentials tab.
- To create a named credential, click New. The New Named Credential window opens.
- In the Label field, enter a name for the named credential. For example, named credential google.
- In the Name field, enter a unique name containing underscores to refer to the named credential. You can use the same name specified in the Label field. For example, named_credential_google.
- In the URL field, enter https://www.googleapis.com.
- In the External Credential drop-down list, select the name of the external credential.
- Ensure that Generate Authorization Header is selected under Callout Options.
- Under the Managed Package Access section, in the Allowed Namespace field enter pse.
- Leave the rest of the fields as they are and click Save.
-
Authenticate an External Credential for the Named Principal Identity Type
To authenticate an external credential for the Named Principal identity type
- Click the External Credentials tab, and then click the external credential name to open the External credential page.
- Navigate to the Principals section.
- Under Actions, select "Authenticate".
-
Authenticate an External Credential for the Per User Principal Identity Type
When authenticating external credentials using the Per User Principal identity type, you must add access to it using a permission set group or permission set:
- Navigate to an existing permission set group or permission set, or create a new one.
- Under External Credential Principal Access, add the per user principal that you have created.
- Add Read access to the Salesforce object User External Credentials in the permission set.
- Assign this permission set group or permission set to the relevant users or profiles.
Also ensure that the relevant users follow the steps for Per User Principal authentication:
- In the upper right-hand corner, click the profile icon.
- Click Settings.
- In the Quick Find field, enter External Credential.
- To authenticate the external credential, in the external credential card, click Allow Access.
- The authentication flow starts. For example, enter a username and password and click Allow on the consent screen.
- The external credential is now authenticated, and the external credential card displays a green tick.
- [Optional] To revoke authentication on the external credential, click Revoke Access.
When the authentication is done, you must copy the named credential API name and follow the steps in Setting up External Calendars to enable your users to use this functionality.
To set up PSA to use Microsoft Outlook as an external calendar you need to do the following:
- Ask your IT team to set up Microsoft Outlook as the authentication provider. This is used to identify relevant users and manage their access.
- Generate Microsoft credentials.
- Configure Microsoft as an external calendar service provider.
Registering an Application in Microsoft Entra Admin Center and Generate Outlook Credentials: Client ID and Client Secret
Registering Your Application and Generating a Client ID
To register your application, you must have Office 365 subscription and access to the Microsoft Entra admin center.
- Browse to the Microsoft Entra admin center using https://entra.microsoft.com/.
- Sign in using your developer account Administrator email ID. For example, synctest123@1mwhz4.onmicrosoft.com. The Overview page opens.
- In the navigation pane, under Identity, expand Applications and click App registrations. The App registrations page opens.
- Click +New registration. The Register an application page opens.
- Register your app:
- In the Name field, enter a name for your application. For example, Calendar Test.
- Under the Supported account types who can use this application, select the "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option.
- Leave the Redirect URI blank.
- Click Register. The registered application page opens. The Essentials section displays Application (client) ID and Redirect URIs. Copy the Application (client) ID for Configuring Microsoft as an Authentication Provider
- In the navigation pane on this page click API permissions. The API permissions page opens, from where you add the calendar read and write permissions to the app.
- Under Configured permissions, click +Add a permission. The Request API permissions page opens.
- Under Microsoft APIs, click Microsoft Graph.
- Select "Delegated permissions". The permissions are displayed under the Select permissions section:
- Under OpenId permissions, select:
- offline access
- openid
- Scroll down to the Calendars section and select:
- Calendars.ReadWrite
- Calendars.ReadWrite.Shared
- Click Add permissions. The permissions are now updated for your application. You can see the permissions listed under the Configured permissions section on the API permissions page.
- Under OpenId permissions, select:
Generating a Client Secret Credential
To generate a client secret credential:
- On the API permissions page, in the navigation pane under Manage, click Certificates & secrets. The Certificates & secrets page opens.
- Click +New client secret. The Add a client secret window opens.
- [Optional] In the Description field, enter a description.
- In the Expires field, select an expiry date for the client secret.
- Click Add. The client secret is generated.
- Copy the secret's value from the Value column for use in your client application code. This secret value is never displayed again after you leave this page, ensure that you must copy and save the secret’s value.
After successfully completing the app registration and generating the Application (client) ID and Client Secret, you need to set up Microsoft as an authentication provider in your Salesforce org.
Configuring Microsoft as an Authentication Provider
You can configure Microsoft as an authentication provider in your Salesforce org from the Auth. Providers Setup page.
- From Setup, in the Quick Find field, enter Auth. Providers, select "Auth. Providers" and click New.
- In the Provider Type drop-down, select "Microsoft". After the selection, the auth. provider fields are displayed.
- Enter the details in the following fields and leave all other fields blank:
- In the Name field, enter a name for the authentication provider.
- The URL Suffix field populates automatically as soon as we complete the Name field.
- In Consumer Key field, paste the Application (client) ID copied in step 9 of Setting up External Calendars section.
- In the Consumer Secret field, paste the Client Secret value copied in step 2d Setting up External Calendars in the Setting up External Calendars section.
- In the Authorize Endpoint URL field, enter the following URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=consent
- In the Token Endpoint URL field, enter the following URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
- In Default Scopes, enter the following scopes separated by a space:
- openid
- offline_access
- Calendars.ReadWrite
- Calendars.ReadWrite.Shared
- Click Save.
- Copy the Callback URL generated under the Salesforce Configuration section.
- Navigate to the Azure portal, on the Overview page, select "App registration" in the Azure Active Directory Menu on the left-hand side.
- On the App registrations page, under Owned applications tab, click the registered application link.
- On the registered application page, under the Essentials section, click Add a Redirect URI link.
- On the Authentication page, under Platform configurations, click +Add a platform. Configure platform window opens.
- In the Configure platform window, under Web applications, select "Web" card.
- In the Configure Web window, under Redirect URIs, in the redirect URI field, paste the Callback URL.
- Click Configure.
- Navigate to your Salesforce org Auth Provider and use the Test-Only Initialization URL under the Salesforce Configuration section to test the connection. It redirects you to the Microsoft Account login page. Select the account and click Allow to view and edit events on all your calendars.
For example, openid offline_access Calendars.ReadWrite Calendars.ReadWrite.Shared
After a successful connection, you will receive a success response similar to the one below:
Generating Named Credentials
A named credential specifies the URL of a callout endpoint and is used for authentication. In Salesforce, we use an external credential to create a named credential.
The following table shows the differences between the options in the Named Credential Identity Type drop-down list. Before setting up these identity types, discuss their implications with your security and IT teams.
Setup | Named Principal | Per User Principal |
---|---|---|
Authentication |
One user authenticates the whole org. |
Each relevant user must authenticate their calendar to be able to push PTAs, and assignments from PSA to a contact's calendar. |
Permissions |
To access a contact's calendar, the authorized user must be assigned a permission set group or permission set that gives access to the external credential. |
To access a contact's calendar. each relevant user must be assigned a permission set group or permission set that gives access to the external credential. |
External calendar access |
The authorized user must have sharing access and be able to make changes to events on a contact's calendar to be able to push PTAs and assignments from PSA to the calendar. Without this access, only records assigned to the authorized user by the authorized user are pushed to the contact's calendar. |
Each relevant user must have sharing access and be able to make changes to events on a contact's calendar to be able to push PTAs, and assignments from PSA to the calendar. Without this access, the user can only push self-assigned events to a contact's calendar. |
Implications for PTAs and assignments |
In the contact's calendar, all the events appear to have been generated by the same email account. Because of this, we recommend that you have a CertiniaPSA and Salesforce licenses, and create a system user, such as psasystem@xyz.com. |
The user that is assigning the PTAs, and assignments in PSA is the user that is creating the events in the contact's calendar. |
Creating External Credentials and Named Credentials
To create a named credential using the new Named Credential setup page, you must create an external credential. External credentials specify an authentication protocol and permission set groups, permission sets or profiles to use when authenticating to an external system.
-
Create External Credential
To create an external credential:
- From Setup, enter Named Credentials in the Quick Find field, and then select "Named Credentials". The Named Credential page opens.
- Click External Credentials | New. The New External Credential window opens.
- In the Label field, enter a name for the external credential.
- In the Name field, enter a unique name containing underscores to refer to the external credential.
- In the Authentication Protocol, select "OAuth 2.0".
- In the Authentication flow type, select "Browser Flow".
- In the Authentication Provider drop-down list, select the authentication provider name.
- Leave the Scope field blank if you have defined it in the specified authentication provider. If you haven't defined it, enter the scope.
- Click Save. The Named Credentials page opens.
- Scroll down to the Principals section and click New.
- Select a parameter name and an identity type.
- Enter a sequence number. A sequence number specifies the order of principals to apply when there is more than one principal.
- In Permission Set Overview | External Credential Principal Access, add the external principal you have just generated to a permission set group or permission set. You must assign this permission set group or permission set to all relevant users.
- Click Save.
-
Create Named Credential
To create a named credential and link it to the external credential:
- From Setup, enter Named Credentials in the Quick Find field, then select "Named Credentials".
- Click the Named Credentials tab.
- To create a named credential, click New. The New Named Credential window opens.
- In the Label field, enter a name for the named credential. For example, named credential outlook.
- In the Name field, enter a unique name containing underscores to refer to the named credential. You can use the same name specified in the Label field. For example, named_credential_outlook.
- In the URL field, enter https://graph.microsoft.com.
- In the External Credential drop-down list, select the name of the external credential.
- Ensure that Generate Authorization Header is selected under the Callout Options.
- Under the Managed Package Access section, in the Allowed Namespace field enter pse.
- Leave the rest of the fields as they are and click Save.
-
Authenticating an External Credential for the Named Principal Identity Type
To authenticate an external credential for the Named Principal identity type
- Open the External Credentials tab, and now click the external credential name to open the external credential page.
- Navigate to the Principals section.
- Under Actions, select "Authenticate".
-
Authenticate an External Credential for the Per User Principal Identity Type
When authenticating external credentials using the Per User Principal identity type, you must add access to it using a permission set group or permission set:
- Navigate to an existing permission set group or permission set, or create a new one.
- Under External Credential Principal Access, add the per user principal that you have created.
- Add Read access to the Salesforce object User External Credentials in the permission set.
- Assign this permission set group or permission set to the relevant users or profiles.
Also ensure that the relevant users follow the steps for Per User Principal authentication:
- In the upper right corner, click the profile button.
- Click Settings.
- In the Quick Find field, enter External Credential.
- To authenticate the external credential, in the external credential card, click Allow Access.
- The authentication flow starts. For example, enter a username and password and click Allow on the consent window.
- The external credential is now authenticated, and the external credential card displays a green tick.
- [Optional] To revoke authentication on the external credential, click Revoke Access.
When the authentication is done, you must copy the named credential API name and follow the steps in Setting up External Calendars to enable your users to use this functionality.
Enable Custom Settings
To control and customize this functionality, you can use the External Calendar Events Settings custom setting. For more information, see External Calendars Integration with PSA Settings.
The following custom setting fields are mandatory for this functionality to work:
- Named Credential for Google
- Named Credential for Outlook
- Sync PTA with External Calendar
- Sync Assignment with External Calendar
Cleanup Queue Events
To delete Integration Core Queue Events from the org that were created during the calendar integration process:
- From Setup, click Custom Code | Apex Classes.
- Click Schedule Apex.
- Enter a job name.
- For Apex Class, select CE_IhccQueueEventsCleanupSchedulable .
- Define the frequency, start and end dates, and the preferred start time. For more information on the available options, see the Salesforce Help.
- Click Save.