Salesforce Data Sources

Salesforce data sources use a built-in Teiid specific JCA connector. There are three versions of the salesforce resource adapter - salesforce, which currently provides connectivity to the 34.0 Salesforce API, salesforce-34, which provides connectivity to the 34.0 Salesforce API, and salesforce-41 which actually provides access to 37.0 through at least 45.0. The version 22.0 support has been removed.

If you need connectivity to an API version other than what is built in, you may try to use an existing connectivity pair, but in some circumstances - especially accessing a later remote api from an older java api - this is not possible and results in what appears to be hung connections. Please raise an issue if you cannot successfully access a specific API version.

There are many ways to create the salesforce data source, using CLI,AdminAPI, admin-console etc. The example shown below uses the CLI tool, as this works in both Standalone and Domain modes.

Execute following command using the CLI once you connected to the Server. Make sure you provide the correct URL and user credentials. Add any additional properties required by the connector by duplicating the "connection-definitions" command below. Edit the JNDI name to match the JNDI name you used in VDB.

/subsystem=resource-adapters/resource-adapter=salesforce/connection-definitions=sfDS:add(jndi-name=java:/sfDS, class-name=org.teiid.resource.adapter.salesforce.SalesForceManagedConnectionFactory, enabled=true, use-java-context=true)

The salesforce-xx connection definition configuration is similar to the above. The resource adapter name would instead be salesforce-xx, and the url would point to a later version. It is recommended to set the url explicitly. If you use just the salesforce resource adapter without setting the url, then later versions of Teiid can use a different default once the resource adapter moves to a different version. The -34 resource adapter defaults to, and the -41 resource adapter defaults to

that if you access a newer Salesforce API version than the resource adapter supports, you will receive low level metadata parsing exceptions - you can either access an older API or log an issue to have updated support.

To find out all the properties that are supported by this Salesforce Connector execute the following command in the CLI.


The resource adapter by default uses the Salesforce library for the http transport. Usage of the ConfigFile property allows you to pass in a CXF configuration and instead use the CXF library. If you do so the other properties, such as the requestTimeout or connectTimeout, are still applicable but may also be specified directly in the CXF config.

Developer’s Tip - If WildFly 19.1.0 is running in standalone mode, you can also manually edit the "<jboss-install>/standalone/configuration/standalone-teiid.xml" file and add the XML configuration defined in *"<jboss-install>/docs/teiid/datasources/salesforce" directory under "resource-adapters" subsystem. Shutdown the server before you edit this file, and restart after the modifications are done.

Mutual Authentication

If you need to connect to Salesforce using Mutual Authentication, follow the directions to setup Salesforce at then configure the below CXF configuration file on the resource-adapter by adding following property to above cli script

<beans xmlns=""

    <http-conf:conduit name="*.http-conduit">
        <http-conf:client ConnectionTimeout="120000" ReceiveTimeout="240000"/>
        <http-conf:tlsClientParameters secureSocketProtocol="SSL">
            <sec:keyStore type="JKS" password="changeit" file="/path/to/truststore.jks"/>

OAuth Security with "Refresh Token"

The below layout the directions to use Refresh Token based OAuth Authentication with Salesforce.

1) create connected app (may need to setup custom domain) 2) add profile and/or permissions set to the connected app 3) grab the "callback url" ( one need to set as https://localhost:443/_callback" 4) Run through the in "<eap>/bin" directory, use client_id, client_pass, and call back from connected app 5) use "" authorize link 6) use "" for access token url 7) the you get a refresh token from it 8) create a security-domain by executing CLI

/subsystem=security/security-domain=oauth2-security/authentication=classic/login-module=Kerberos:add(code=org.teiid.jboss.oauth.OAuth20LoginModule, flag=required,,
   module-options=[client-id=xxxx, client-secret=xxxx, refresh-token=xxxx,

this will generate following XML in the standalone.xml or domain.xml (this can also be directly added to the standalone.xml or domain.xml files instead of executing the CLI)

<security-domain name="oauth2-security">
        <login-module code="org.teiid.jboss.oauth.OAuth20LoginModule" flag="required" module="">
            <module-option name="client-id" value="xxxx"/>
            <module-option name="client-secret" value="xxxx"/>
            <module-option name="refresh-token" value="xxxx"/>
            <module-option name="access-token-uri" value=""/>

9) Then to use the above security domain in the sales force data source configuration, add "<security-domain>oauth2-security</security-domain>"

OAuth Security with "JWT Token" based Steps

The below layout the directions to use JWT token based OAuth Authentication with Salesforce.

1) Create a Self-Signed certificate locally or on Sales Force. (user→setup→security-controls→Certificate and Key Management) 2) Download the certificate and also put in keystore and download keystore. Keystore is needed for Teiid, certificate for the salesforce setup 3) Create connected app and select OAuth, and select all the scopes (some posts say refresh-token offline is must) 4) create a profile and/or permission set assign to the connected app. I believe before you can create a connected app you need to set up custom domain 5) When you creating connected app make sure you add the certificate in "Digital Certificate" 6) Now in Teiid create security-domain by executing CLI

/subsystem=security/security-domain=oauth2-jwt-security/authentication=classic/login-module=oauth:add(code=org.teiid.jboss.oauth.OAuth20LoginModule, flag=required,,
   module-options=[client-id=xxxx, client-secret=xxxx, access-token-uri=, jwt-audience=,,
    keystore-type=JKS, keystore-password=changeme, keystore-url=${jboss.server.config.dir}/salesforce.jks, certificate-alias=teiidtest, signature-algorithm-name=SHA256withRSA])

this will generate following XML in the standalone.xml or domain.xml (this can also be directly added to the standalone.xml or domain.xml files instead of executing the CLI)

<security-domain name="oauth2-jwt-security">
        <login-module code="org.teiid.jboss.oauth.JWTBearerTokenLoginModule" flag="required" module="">
            <module-option name="client-id" value="xxxxx"/>
            <module-option name="client-secret" value="xxxx"/>
            <module-option name="access-token-uri" value=""/>
            <module-option name="jwt-audience" value=""/>
            <module-option name="jwt-subject" value=""/>

            <module-option name="keystore-type" value="JKS"/>
            <module-option name="keystore-password" value="changeme"/>
            <module-option name="keystore-url" value="${jboss.server.config.dir}/salesforce.jks"/>
            <module-option name="certificate-alias" value="teiidtest"/>
            <module-option name="signature-algorithm-name" value="SHA256withRSA"/>

7) Then to use the above security domain in the sales force data source configuration, add "<security-domain>oauth2-jwt-security</security-domain>"

More helpful links


Logging, when enabled, will be performed at an INFO level to the org.apache.cxf.interceptor context.

Per Resource Adapter

The CXF config property may also be used to control the logging of requests and responses.

Example logging data source
<resource-adapter id="salesforce-ds">
    <module slot="main" id="org.jboss.teiid.resource-adapter.salesforce-34"/>
        <connection-definition class-name="org.teiid.resource.adapter.salesforce.SalesForceManagedConnectionFactory" jndi-name="java:/salesforce_bulk_api" enabled="true" use-java-context="true" pool-name="salesforce-ds">
            <config-property name="password">
            <config-property name="URL">
            <config-property name="username">
            <config-property name="ConfigFile">

Corresponding cxf.xml

Example logging data source
<beans xmlns=""

    <bean id="loggingFeature" class="org.apache.cxf.feature.LoggingFeature"/>
            <ref bean="loggingFeature"/>

All CXF Usage

With the WildFly distribution of CXF a system property can be used to enable CXF logging across all usage in the application server - see the WildFly docs.

Example System Property
  <property name="org.apache.cxf.logging.enabled" value="true"/>

results matching ""

    No results matching ""