Setting up the External Calendars

Before you synchronize events created for assignments and project task assignments with the external calendar, it is recommended that you complete the initial setup.

An authentication provider, a named credential, and an external calendar service provider app like Google are required to set up Google Calendar within PSA. Salesforce provides Google as a predefined authentication provider to identify the users and manage access.

Contact your IT team to setup Google as an authentication provider.

Configure Google as an authentication provider

  1. Browse to the Google Cloud Platform https://console.cloud.google.com/.
  2. Log in to the Google Cloud Platform using your email and password. If you are a first time user select the Terms of Service check box and click AGREE AND CONTINUE.
  3. Contact your IT team to setup a new Google project. To create a new project, navigate to navigation menu and click IAM & Admin| Create a Project.
    1. Specify the following details:
      1. Enter the project name in the Project name field.
      2. Select the organization name to attach the project in the Organization drop-down.
      3. Browse the parent organization or folder in the Location field.
    2. Click CREATE. It directs you to the Dashboard.
    3. Select the newly created project from the Select a project drop-down on the top left-hand side next to the Navigation menu.
  1. If you are an existing user and have an existing project, select it from the Select a project drop-down on the top left-hand side next to the Navigation menu. Contact your IT team to grant you the access to this project, to enable APIs.
  2. To enable the Google Calendar API in your project, open the Navigation menu and click APIs & Services| Enabled APIs & services. The APIs & Services page displays.
  3. Click +Enable APIS and Services. The API Library page displays.
  4. In the Search field, type “Calendar API” and press Enter on the keyboard.
  5. Select Google Calendar API. Click Enable.The API/Service Details page displays.

After creating the project and enabling the API, you can now configure the OAuth consent screen, follow the steps from Configuring the OAuth consent screen & registering your app in Google section.

Configuring the OAuth consent screen & registering your app in Google

  1. On the APIs & Services page, select the OAuth consent screen from the navigation pane on the left-hand side.
  2. Select the User Type as either “Internal” or “External”.
    1. Internal: select the user type as “Internal” if you are creating the app within the organization. In this case, there is no need to publish and verify the app.
    2. External: if you are creating an app outside of your Google Workspace organization then select the User Type as “External”. Depending on how you configure your OAuth screen, you need to publish the app in production and submit it for verification.
  3. Click CREATE. The App information section displays.
  4. In the App information section:
    1. In the App name field, enter the name of your app asking for consent at the time of authorization. You can keep the App name can be similar to the Google project name for better usability.
    2. In the User support email field, enter an email where users can contact you regarding their consent. For example, your IT help desk email.
    3. [Optional] In the App logo field, upload a logo for your app.
  1. Under the App domain section, in the Authorised domains, click +ADD DOMAIN and enter force.com in Authorised domain 1 field. Again, click +ADD DOMAIN and enter salesforce.com in Authorised domain 2 field.
  2. In the Developer contact information section Email Addresses field, enter email addresses where Google can notify you about changes in your project.
  3. Click SAVE AND CONTINUE.
  1. To add the authorization scopes, click ADD OR REMOVE SCOPES.
    1. In the Update selected scopes window in the filter input field, select API and enter Google Calendar API.
    2. Scroll down and select the scope with the user-facing description as “View and edit events on all your Calendars”. You can select others scopes as well but this scope is the minimum requirement for this functionality to work.
    3. Click UPDATE.
    4. Click SAVE AND CONTINUE. The app registration summary is displayed.
  2. [Optional] To make changes to the app registration, click EDIT.

You have now successfully authenticated and registered your app. Now create credentials to access your enabled APIs. Follow the steps in Generate Google Credentials: Client ID and Client Secret section.

Generate Google Credentials: Client ID and Client Secret

  1. On the APIs & Services page, select the Credentials from the navigation pane on the left-hand side.
  2. Click + CREATE CREDENTIALS and select OAuth client ID.
  3. On the Create OAuth client ID page, in the Application type drop-down select "Web application".
  4. In the Name field, enter a name for the web client.
  5. Leave the Authorised redirect URls blank to copy the Callback URL generated from the Authorization Provider Setup at the Salesforce end.
  6. Click CREATE. The Client ID and Client Secret is created.
  7. Copy "Your Client ID" and "Your Client Secret" from the OAuth client created popup window for setting up the Auth. Provider in Salesforce and click OK.

After successfully completing the Google setup and generating the Client ID and Client Secret, you need to set up Google as an authentication provider in your Salesforce org.

Authentication Provider Setup

You can configure Google as an authentication provider in your Salesforce org from the Auth. Providers Setup page.

  1. From Setup, in the Quick Find box, enter Auth. Providers, select Auth. Providers and click New.
  2. In the Provider Type drop-down, select "Google". After the selection, the auth. provider fields are displayed.
  3. Enter the details in the following fields and leave all other fields blank:
    1. In the Name field, enter a name for the authentication provider.
    2. The URL Suffix field populates automatically as soon as we complete the Name field.
    3. In the Consumer Key field, paste the Google Client ID copied in Step 7 of Generate Google Credentials: Client ID and Client Secret section.
    4. Similarly, in the Consumer Secret field, paste the Google Client Secret created in Step 7 of Generate Google Credentials: Client ID and Client Secret section.
    5. In the Authorize Endpoint URL field, enter the following URL: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force
    6. In the Token Endpoint URL field, enter the following URL: https://accounts.google.com/o/oauth2/token
    7. In Default Scopes, enter the following scopes separated by a space:
      1. openid
      2. https://www.googleapis.com/auth/calendar.events

    4. For example, openid https://www.googleapis.com/auth/calendar.events

  4. Click Save.
  5. Copy the Callback URL generated under the Salesforce Configuration section.
  6. Navigate to Google setup, in the Navigation menu, click APIs & Services| Credentials.
  7. On the Credentials page, under OAuth 2.0 Client IDs, click the Edit OAuth client icon.
  8. Scroll down to the Authorised redirect URIs section, click +ADD URI and paste the Callback URL in the URIs 1 field.
  9. Click SAVE.
  10. Navigate to your Salesforce org Auth Provider, which you have created in Step 1 to Step 4 . Use the Test-Only Initialization URL to test the connection. It redirects you to the Google Account login page. Select the account and click Allow to view and edit events on all your calendars.

 After a successful connection, you will receive a success response similar to the one below:

Generating Named Credentials

A named credential specifies the URL of a callout endpoint and is used for authentication. We have two ways to create a named credential in Salesforce, Named Credential using external credential and New Legacy.

Tips:
  • It is recommended that you use New Named Credentials to create a named credential.
  • It is recommended to select the Identity Type as “Named Principal” while creating a named credential.
  • The email address used to authenticate the named credential when the Identity Type is selected as “Named Principal”, must have the resource’s calendar access with the Make changes to Events permission.
  • You must give the read permission for the User External Credentials object through a permission set or profile to the users when using the New Named Credential.

    • Creating named credential using new Named Credential setup page

    To create a named credential using the new Named Credential setup page, you must create an external credential. External credentials specify an authentication protocol and permission sets or profiles to use when authenticating to an external system.

    1. Follow these steps to create an external credential:

      1. From Setup, enter “Named Credentials” in the Quick Find box, then select Named Credentials.
      2. Click External Credentials| New. A New External Credential window opens.
      3. In the Label field, enter a name for the external credential.
      4. In the Name field, enter a unique name containing underscores to refer to the external credential.
      5. In the Authentication Protocol, select OAuth 2.0.
      6. In the Authentication Provider drop-down, select the authentication provider name.
      7. Leave the Scope blank if you have defined it in the specified authentication provider else enter the Scope.
      8. Click Save. The Named Credentials page opens up.
      9. Scroll down to the Permission Set Mappings section, and click New. The Create Permission Set Mapping window opens.
      10. To create a permission set mapping for this external credential, select a permission set from the Permission Set list.
      Note:
      The permission set selected for mapping must be assigned to the user to authenticate the external credential.
      1. In the Sequence Number field, enter a sequence number. A sequence number specifies the order of principals to apply when a user participates in more than one principal.
      2. Select one of the following from the Identity Type:
        1. Named Principal: to apply the same credential or authentication configuration for the entire org.
        2. Per User Principal: to provide authentication configuration at an individual user level.
      3. Click Save.

    2. The external credential is created and now to create a named credential and link it to the external credential perform the following steps:

      1. From Setup, enter “Named Credentials” in the Quick Find box, then select Named Credentials.
      2. Click the Named Credentials tab.
      3. To create a named credential, click New. The New Named Credential window opens.
      4. In the Label field, enter a name for the named credential. For example, named credential google.
      5. In the Name field, enter a unique name containing underscores to refer to the named credential . You can use the same name specified in the Label field. For example, named_credential_google.
      6. In the URL field, enter https://www.googleapis.com.
      7. In the External Credential drop-down, select the name of the external credential.
      8. Ensure that Generate Authorization Header is selected under the Callout Options.
      9. Under the Managed Package Access section, in the Allowed Namespace field enter ”pse”.
      10. Leave the rest of the fields as they are and click Save.
      1. Open the External Credentials tab, and now click the external credential name to open the external credential page.
      2. Navigate to Permission Set Mappings.
      3. Under Actions, select "Authenticate".

    4. When authenticating external credential using Per User Principal, the user must be added to the correct permission set for this external credential.

      Ensure that the users must follow the steps for per-user authentication:

      1. In the upper right-hand corner, click the profile icon.
      2. Click Settings.
      3. In the Quick Find box, enter “External Credential”.
      4. To authenticate the external credential, in the external credential card, click Allow Access.
      5. The authentication flow starts. For example, enter a username and password and click Allow on the consent screen.
      6. The external credential is now authenticated and the external credential card shows “Authenticated.”
      7. [Optional] To revoke authentication on the external credential, click Revoke Access.

    Creating named credential using New Legacy setup page

    To generate the named credential using Legacy, follow these steps:

    1. From Setup, in the Quick Find box, enter Named Credentials.
    2. Select Named Credentials, and click New Legacy.
    3. In the Label field, enter a label. The Name field auto-populates as soon as you specify the label.
    4. In the URL field, enter https://www.googleapis.com.
    5. Select one of the following: 
        1. Set Authentication Protocol as OAuth 2.0.
        2. For the Authentication Provider, click the lookup and select the Auth. Provider that was created earlier from the Search Results on the lookup.
        3. In the Scope field, enter the scope to override the scope provided in Auth. Provider. If left blank the Scope field picks the Scope from the Auth. Provider.
        4. Select the Start Authentication Flow on Save checkbox.
        5. Leave the Callout Options as they are.
        6. Click Save. The Named Credential is created.You are now redirected to Google sign in.
        7. Select the account you want to choose and click Allow view and edit events on all your calendars on the consent screen.
        1. Set Authentication Protocol as OAuth 2.0.
        2. For the Authentication Provider, click the lookup and select auth. provider that was created earlier from the Search Results on the lookup.
        3. In the Scope field, enter the scope to override the scope provided in Auth. Provider. If left blank the Scope field picks the scope from the Auth. Provider.
        4. Deselect the Start Authentication Flow on Save checkbox, as it is a Per User authentication.
        5. Leave the Callout Options as they are.
        6. Click Save. The Named Credential is created.

        You need to create a new permission set or edit an existing one for the users to access this Named Credential.

        1. In the newly created permission set, select Named Credential Access.
        2. Click Edit.
        3. Click Add to add the Named Credential from the Available Named Credentials section to Enabled Named Credentials section.
        4. Click Save.

        You can now assign the permission set to the users to whom you want to give access to the named credential.

    Ensure that the users must follow the steps for per-user authentication:

    1. In the upper right-hand corner, click the profile icon.
    2. Click Settings.
    3. Navigate to Authentication Settings for External Systems under My Personal Information.
    4. On Authentication Settings for External Systems, click New.
    5. In the External System Definition field Named Credential is already populated, if not select Named Credential.
    6. Similarly, the named credential created for Google calendar is already populated in the Named Credential field.
    7. In the User drop-down, select the user.
    8. The Authentication Protocol field is pre-populated with OAuth 2.0.
    9. To start the authentication flow, select the Start Authentication Flow on Save checkbox.
    10. Click Save. You are now redirected to Google sign in.
    11. Select the account you want to choose and click Allow view and edit events on all your calendars on the consent screen.
    Note:
    If you have access to more than one named credential, select the named credential created for Google calendar authentication from the Named Credential drop-down.
    Note:
    The users are not required to perform any authentication steps when the Identity Type is selected as Named Principal.

    Once the authentication is done, you must copy the named credential API name and follow the steps in Enable Custom Settings section for the users to use this functionality.

    Enable Custom Settings

    In order to control and customize this functionality, you can use the External Calendar Events Settings custom setting. For more information, see External Calendars Integration with PSA Settings.

    The following custom setting fields are mandatory for this functionality to work:

    • Named Credential for Google
    • Sync PTA with External Calendar
    • Sync Assignment with External Calendar
    Note: Ensure that the correct API name of the named credential is in the Named Credential for Google custom setting field.