Workstation – Salesforce Knowledge Integration

Last Updated January 11, 2023

Integration Overview

We currently have an integration with Salesforce, for searching in Salesforce objects such as Leads, Accounts, Cases and more.

Read about the the Salesforce integration setup and the app capablities.

In this Salesforce Knowledge integration, which is being managed separately from the Salesforce one, we are adding search capabilities to Knowledge Articles.

Salesforce Knowledge (also known as Experience Cloud or Community Cloud), allows the creation of articles. The access to them is usually done on an external site. Users with Company Communities permissions can access this site (but not to the regular Salesforce that other users use).

This integration will allow searching in Salesforce Knowledge articles, and will direct users to the external site by clicking on a search result.

Security Overview

The Enterprise Search uses 3rd-party integrations to implement a “federal search”. Searches within Workstation are backed by an NLP engine, and a graph database that supports a great user experience. 

Workstation Enterprise Search doesn’t index 3rd-party data on an independently searchable database. 

See below sequence diagram describes the searching algorithm:


  1. Cache layer saves results for a period of five minutes
  2. Each Adopter Service creates a unique identifier for the results which is meaningless without access to the 3rd-party and stores it in the graph database

3rd-Party Access and Refresh Tokens

To activate the Enterprise Search (and the Personalized Workspace widgets), each employee is required to grant Workstation permission to access the 3rd-party. 

The granting process is using the OAuth2.0 protocol. 

Each time a new access token is granted to the Workstation, the application will encrypt the access and refresh tokens and store it in a remote database. 

The encryption process includes a unique private key (“salt”) that is generated for each individual at the very first bootstrap and stored in the local machine Keychain.

The salt is irreplaceable and not restorable — losing it causes the access tokens to be voided.

This security measure is being taken to eliminate identity spoofing when accessing high-sensitive data.

See Figure 1.1 to review the salt generation and storage flow.

Accessing 3rd-Party Content

Accessing 3rd-party content requires end-user consent, and in some cases, mostly on Microsoft products, an organization admin consent.

Users grant Workstation the necessary permission by approving an OAuth2.0 consent screen that is being triggered by them from the Workstation application (“Third-party apps”).

The third-party apps are being approved and verified by third-parties products. 

By the end of the granting process, the third-party apps provide access and refresh tokens that are used by the search engine to establish the requests.
See 3rd-Party Access and Refresh Tokens section above for more information about the storing mechanism.

While searching, the search engine forwards the request, before hitting the Adopter Service, through the Token Injector; a service that injects the relevant tokens to accomplish the request.

The local private key is being handed off over the search HTTPS request for runtime decryption.

JWT Protection

When an end-user initiates a search query – the WalkMe enterprise search starts a search flow that is being protected by a JWT assigned by WalkMe IdP integration, as part of the user signing flow:

The JWT is proxying the user identity and keeping any HTTPS request secured and individual. 

All Workstation requests are protected by a JWT validation.

Configure an App in Salesforce for Workstation Integration

  1. Sign in into Salesforce
  2. Click on Setup for current app-

3. Navigate to the App Manager using the search-

4. Check if you have a connected app name called ‘Workstation’ as part of a previous integration to Salesforce. If you do, skip to step 10. If you don’t, create a ‘New Connected App’-

5. Fill in this data in the relevant fields-

    1. Connected App Name- Workstation
    2. API Name- Workstation
    3. Contact Email- your email address
    4. Enable OAuth Settings – mark as checked
    5. Enable for Device Flow – mark as checked
    6. Callback URL- 
    7. Selected OAuth Scopes- Add ‘Full access (full)’ from the Available OAuth Scopes to the Selected OAuth Scopes
    8. Require Secret for Web Server Flow – mark as checked
    9. Require Secret for Refresh Token Flow – mark as checked

6. Press Save

7. Back in the App Manager screen, on the app’s menu click on View8. On this screen, please copy “Consumer Key”  and “Consumer Secret”

9. Also copy your Salesforce Knowledge “domain” (URL)- the URL used to access the Experience site.

10. Go to Setup -> All Sites

11. Copy the URL of the site you would like to direct users to.

12. Go to Console -> Workstation -> Integrations

13. Click on Setup of the Salesforce Knowledge integration

14. Configure the following fields-

    1. OAuth Client ID (Consumer Key)
    2. OAuth Client Secret (Consumer Secret)
    3. Site URL

      Notice that the Site URL should contain only the domain with .com in the end, without the slash characters in the beginning or end of the expression. For example, if the entire URL is The Site URL to be populated in Console is-

    4. Display Name (optional)- if the name of the integration in the Workstation App should be different than “Salesforce Knowledge”
    5. Logo URL (optional)- if the icon of the integration in the Workstation App should be different than the Salesforce icon

15. The integration will appear in the Integrations tab of the app’s Settings

Was this article helpful?

Thanks for your feedback!

Select account type

< Back

Mobile account login

< Back