OAuth 2.0 Authentication for Veeva CRM
- iPad | iPhone | Online
Veeva CRM supports OAuth 2.0 integration for authentication, allowing users to use their company credentials to sign into Veeva CRM. Users do not have to remember Veeva-specific credentials. Users can also save OAuth credentials using iOS Keychain. See Saving Passwords to iOS Keychain for more information.
Admins can configure OAuth 2.0 for all users or for specific user profiles.
For example, Verteo BioPharma assigns Sarah Jones a set of credentials for their identity provider. She uses these credentials for all her OAuth-enabled apps. Sarah enables OAuth on her device for the Veeva CRM app and launches it. The sign-in screen displays and she signs in with the credentials for the identity provider.
- For users who are capturing consent, the lock icon on consent capture screens does not display
- Integration users for scheduled processes (Approved Email, CLM, Engage, MCCP, etc.) should not have OAuth enabled
- Devices must have an internet connection
Configuring OAuth 2.0
To use OAuth 2.0 with Veeva CRM, admins must configure the following:
- Enabling OAuth 2.0 Authentication for Veeva CRM Online
- Deploying Veeva CRM on iOS with OAuth 2.0 Support (MDM/MAM)
Authenticating with Access Tokens
With OAuth, the CRM app does not have access to the user's credentials. Users enter credential information in a webview window. After authentication, Veeva CRM gets an access token (access tokens are the same as Salesforce session IDs) and a refresh token. Each of these tokens has a validity period. Typically, access tokens are short-lived: a few minutes to a few hours. Refresh tokens are valid for longer durations: a few days to a few months. The access token is used for all access to Salesforce. Once the access token is no longer valid, the CRM app sends the refresh token to the identity provider server (IDP). If the refresh token is valid, the IDP provides a new access token. If not, the user is forced to re-authenticate using user credentials.
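The token lifecycle described above, as an added example (not Veeva or Salesforce code): the client holds only tokens, uses the access token while it is valid, sends the refresh token in an RFC 6749 refresh grant once it is not, and requires a new sign-in when the IDP answers `invalid_grant`. `FakeIdP`, `Session`, `ReauthRequired`, the token values and the lifetimes are constructed for illustration.

```python
class ReauthRequired(Exception):
    """Refresh token rejected: the user must sign in again."""

class FakeIdP:
    """Constructed stand-in for the identity provider's token endpoint."""
    def __init__(self, clock, access_ttl, refresh_ttl):
        self.clock, self.access_ttl, self.refresh_ttl = clock, access_ttl, refresh_ttl
        self.refresh_expiry = {}          # refresh token -> absolute expiry
        self.issued = 0

    def login(self):
        # Result of the interactive webview sign-in: a fresh token pair.
        rt = f"rt-{len(self.refresh_expiry)}"
        self.refresh_expiry[rt] = self.clock() + self.refresh_ttl
        return self._grant(rt)

    def token(self, form):
        # RFC 6749 section 6 refresh grant; invalid_grant when it is rejected.
        rt = form.get("refresh_token")
        ok = form.get("grant_type") == "refresh_token"
        if not ok or self.refresh_expiry.get(rt, 0) <= self.clock():
            return {"error": "invalid_grant"}
        return self._grant(rt)

    def _grant(self, rt):
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "refresh_token": rt,
                "expires_in": self.access_ttl}

class Session:
    """Client side: holds tokens only, never the user's credentials."""
    def __init__(self, idp, clock):
        self.idp, self.clock = idp, clock
        self._store(idp.login())

    def _store(self, resp):
        self.access, self.refresh = resp["access_token"], resp["refresh_token"]
        self.access_expiry = self.clock() + resp["expires_in"]

    def access_token(self):
        if self.access and self.clock() < self.access_expiry:
            return self.access                    # still valid: use as-is
        resp = self.idp.token({"grant_type": "refresh_token",
                               "refresh_token": self.refresh})
        if "error" in resp:
            self.access = self.refresh = None     # discard dead tokens
            raise ReauthRequired(resp["error"])
        self._store(resp)
        return self.access
```

Passing the clock in as a function lets the expiry paths be exercised without waiting; a real client would also keep both tokens in platform secure storage rather than in plain object fields.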