Configuring Salesforce Self for Picklist Synchronization

Summary

By default, the Akeneo PIM App maps product variant data to your custom fields, but it cannot automatically inject or update dropdown values (options) inside your Salesforce picklists.

To enable automatic picklist option synchronization (so that creating a new option like Purple or XXL in Akeneo instantly creates it within Salesforce Setup), you must configure Salesforce Self. This configuration sets up a secure OAuth 2.0 Client Credentials loopback that allows the connector to securely call Salesforce's own Tooling API and update its host metadata.

Skip this entire guide if you plan to manage your Salesforce picklist values manually. If Salesforce Self is omitted, your product transfers will still execute successfully, but the picklist updates will be skipped with a recoverable log warning.  

 

 

Step 1: Create an External Client App (OAuth Flow)

Your Salesforce organization needs an authorization endpoint to allow the connector's background processes to make metadata changes.

  • Go to Setup > External Client Apps (or click Open External Client Apps on the connector's home page setup card)
  • Click New to create a client configuration
  • Under the OAuth Settings section:
    • Check Enable OAuth
    • Callback URL: Enter your organization's login callback URL (e.g., https://<your-my-domain>.my.salesforce.com/services/oauth2/callback)
    • Selected OAuth Scopes: You must select and add exactly Manage user data via APIs (api)
  • Under the Flow Enablement section:
    • Check the box for Enable Client Credentials Flow
    • Client Credentials Execution User: Click the lookup icon and select your dedicated Integration/Synchronization User. This user must have System Administrator or API permissions capable of modifying global picklist metadata.
  • Click Save
  • Click Consumer Key and Secret at the top of your app profile, complete the identity verification, and copy both the Consumer Key and Consumer Secret to a temporary notepad.

 

Step 2: Configure the External Auth Identity Provider

The current package versions include a pre-built placeholder configuration for Salesforce Self. You must update it with the credentials generated in Step 1.

  • Navigate to Setup > Named Credentials > External Auth Identity Providers
  • Locate and open the packaged record named Salesforce Self
  • Click Edit and populate the fields exactly as follows:
    • Authentication Flow Type: Confirm it is set to Client Credentials
    • Client ID: Paste your copied Consumer Key
    • Client Secret: Paste your copied Consumer Secret
    • Token Endpoint URL: Enter your local My Domain identity token root URL followed by the OAuth path: https://<your-my-domain>.my.salesforce.com/services/oauth2/token
  • Click Save

 

Step 3: Validate the External & Named Credentials

Next, you need to point the global Salesforce Self endpoint to your local domain root and ensure permissions are active.

 

1. Confirm External Credential

Go to the External Credentials tab, open Salesforce Self, and verify that the protocol is set to OAuth 2.0 and correctly references your Identity Provider from Step 2, including the default api scope principal.

 

2. Set Named Credential Destination URL

  1. Click the Named Credentials tab and open Salesforce Self
  2. Click Edit and set the URL field to your absolute base organization URL (e.g., https://<your-my-domain>.my.salesforce.com/). Warning: Do not append /services/data or any API version sub-paths to this URL
  3. Ensure the Enabled for Callouts toggle is turned ON. If it is disabled, switch it on and save
  4. Click Save

 

Step 4: Grant External Principal Access

Because this loopback connection uses an External Credential structure, your execution sync user must have explicit rights to trigger it.

  1. You can automatically apply this by clicking Grant Access directly on the Connector Setup card on your App Homepage.
  2. Alternative Manual Path: Open your custom Akeneo Connector Admin User Permission Set, navigate to External Credential Principal Access, click Edit, and add Salesforce_Self - Default (or Akeneo - Default) to the allowed principal list.

  

Step 5: Test and Verify the Connection

Before testing a live product sync, you can instantly verify if your token authorization works by running a technical mock check inside the Salesforce Developer Console.

  • Open the Developer Console from your Setup gear icon
  • Go to Debug > Open Execute Anonymous Window
  • Paste the following snippet and click Execute
Http http = new Http();
HttpRequest req = new HttpRequest();
// Callout uses the packaged namespace prefix 'akeneoSF__'
req.setEndpoint('callout:akeneoSF__Salesforce_Self/services/data/v60.0/limits');
req.setMethod('GET');
System.debug(http.send(req).getStatusCode());
  • Open the execution log and check the debug filter
    • If the system returns an HTTP status code 200, your Salesforce Self connection is fully operational! Your picklist options will now stay perfectly synchronized with Akeneo PIM values

 

Validation Strategy

To perform a final, end-to-end functional validation of your picklist synchronization:

  1. Log into your Akeneo PIM instance
  2. Navigate to your attributes and locate a variation axis that you already mapped to Salesforce (for example, your color attribute)
  3. Add a brand-new option value that does not yet exist in Salesforce (e.g., Neon Pink)
  4. Assign this new variant value to a test product and trigger a data transfer
  5. Once the transfer completes, switch to Salesforce Setup > Object Manager > ProductAttribute > Fields & Relationships
  6. Open your mapped custom picklist field (e.g., Color__c)
  7. Scroll down to the Values section: verify that Neon Pink has been dynamically created, injected, and activated by the app

Want to find out more? Take a look at these related articles