Enabling the Envestnet Integration

Follow

Introduction

Our integration with the Envestnet ENV 2 platform enables Advisors to create Clients and their Member details in Envestnet from Practifi records.  Updates from Practifi can be sent by a click to Envestnet, to maintain data currency between the two systems.  Advisors can then initiate Envestnet Proposal actions from Practifi, and complete details in Envestnet.  From within Practifi the Advisor can view the list of Envestnet Proposals and click to link directly into Envestnet to view and update the Proposal. 

Updates to Client and Member details in Envestnet are not sent from Envestnet to Practifi - Practifi is intended to be the source of truth for Client and Member information.

Before You Begin

You will need to know before you start:

  1. Create a JKS certificate and send the Public portion to Envestnet for signing and return
  2. The JKS certificate location, file name, and password to the Keystore, for API data authentication
  3. Thumbprint of the JKS certificate
  4. Envestnet Test and Production system URLs
  5. ACS URLs of the Envestnet Test and Production systems
  6. The Client Code issued by Envestnet for the Advisor firm
  7. Client Key, and Secret, issued by Envestnet for the Advisor firm

Data Field Mapping

The data mapped from Practifi to Envestnet relates to the two principal Practifi concepts:

  1. Practifi Households
  2. Practifi Contacts/Members

No other data elements are mapped back to Envestnet from Practifi

Envestnet sends a single line summary of each Proposal held in Envestnet for the Practifi Client, under the Financial Advice section of the Client record in Practifi.

Practifi Household Envestnet Client
Account.Name familyName

 

Practifi Household Member Envestnet Family Member
Account.FirstName firstName
Account.Middle_Name__pc middleName
Account.LastName lastName
Account.PersonBirthdate birthDate
Account.Marital_Status__pc maritalStatus

Relationship__c.Relationship_Type__r.Name

  • Primary Contact
  • Partner / Household
  • Dependent / Household
  • <anything else>
memberType
  • Primary - 1
  • Spouse - 20
  • Child - 10
  • Other - 100
Account.Envestnet_Handle__c memberHandle
Account.PersonMailingStreet addressLine1
  addressLine2
Account.PersonMailingCity city
Account.PersonMailingState state
Account.PersonMailingPostalCode zipCode
Account.PersonMailingCountry country
1 addressType
Account.PersonHomePhone homePhone
Account.Phone businessPhone
Account.Fax fax
Account.PersonEmail email

 

Installation Steps

The following steps are required to enable the Envestnet Integration 

  1. Set up My Domain
  2. Enable Identity Provider
  3. Add Envestnet Certificate
  4. Remote Site Settings
  5. Enable Connect App
  6. Add Envestnet User to user table
  7. Create Auth Provider
  8. Create Named Credential
  9. Apply Permission Sets
  10. Configure Envestnet Integration Settings
  11. Add Proposal Type to list
  12. Add Link, Panel, and Tab to the UI
  13. Steps for Authentication by each User

1. Set up My Domain

My Domain is required for SSO authentication.  In most scenarios this should have been already configured. In this case do not modify the domain, and skip this step.

Locate the My Domain configuration panel in Salesforce.  Follow the wizard steps.

mceclip0.png

When a domain name has been chosen, click Register the Domain. Once registration is complete, an email will be received indicating that the domain is ready for testing.

Note the complete URL of your domain, as this will be needed when configuring other Practifi integrations.

mceclip1.png

2. Enable Identity Provider

The Identity Provider service is required to support Single SignOn (SSO) authentication.  A Self-Signed certificate will be required here.

Skip this step if it is already enabled.

IMPORTANT NOTE: If the customer system already has SSO implemented for any other integrations be sure to use that same certificate.  That is, the Identity Provider is common.  Only one Identity Provider is available per system.

Locate the Identity Provider configuration panel in Salesforce, and click Enable Identity Provider

 

mceclip2.png

 

mceclip0.png

 

mceclip3.png

If Create a new certificate...

mceclip2.png

A successfully enabled Identity Provider will show a panel like this.

mceclip4.png

 

3. Add Envestnet Certificate

Practifi will prepare a certificate and send the Public portion of the key to Envestnet.  This is the certificate used for the encryption of the data between Practifi and Envestnet.

Salesforce details the steps to request and set up the certificates as a general system set up task.  It is available here.

Once the certificate has been created, and signed by Envestnet it will be returned as a .JKS file, and typically stored on a shared folder  This certificate should be imported into the Salesforce org.  The thumbprint of the public portion of the certificate should be noted for use later.

Locate the Certificate and Key Management configuration panel in Salesforce, and click Import from Keystore

 

mceclip5.png

mceclip6.png

A list of folders on the local or shared folder drive will appear from where the certificate, signed earlier by Envestnet, will have been downloaded and stored earlier.  Choose the file.  The file may have been password protected depending on how it was prepared.  If so, supply the Keystore Password, and Save.

 

mceclip8.png

On successfully importing the certificate it will appear under Certificate and Key Management.

 

mceclip9.png

At this point also make a note of the certificate thumbprint.  

3a. Get Certificate Thumbprint

Download the certificate from Salesforce.  This will download just the public portion of the certificate key as a .crt file

mceclip5.png

From its downloaded location (it should have a file extension of .crt) double click to Open, and note the Thumbprint value.  Copy it to a place where it can be pasted for use later.

mceclip6.png

mceclip7.png

 

4. Remote Site Settings

Set up a Remote Site pointing to the Envestnet system.  Note that you may have been given the URL for a Test, and a Production system.  A Remote Site configuration will be needed for each.

Locate the Remote Site Settings configuration panel in Salesforce, and click New Remote Site

mceclip8.png

Click New Remote Sitemceclip11.png

Supply the following:

  • Remote Site Name
    • Test: Envestnet_UAT
    • Production: Envestnet
  • Remote Site URL:
  • Active: ticked

Click Save

 

mceclip12.png

mceclip13.png

5. Enable Connected App

This is required for SSO authentication between the systems.

Connected App

Locate the App Manager configuration panel in Salesforce, and click New Connected App

mceclip14.png

mceclip15.png

Supply the following:

  • Connected App Name: a meaningful name (eg. Envestnet SSO)
  • API Name: auto generated from name (eg. Envestnet_SSO)
  • Contact Email: a System admin email
  • Enable SAML (on the Web App Settings section): Ticked 
  • Entity Id: The thumbprint of public certificate, noted at step 3a, above
    • eg. 057dadd685......c733ee882ea728
  • ACS URL:
  • Subject Type: Custom Attribute (from dropdown)
  • Custom Attribute: Envestnet_Username (from dropdown)
  • Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • Issuer: The thumbprint of public certificate, noted at step 3a, above
    • eg. 057dadd685......c733ee882ea728
  • IdP Certificate: Name of the Envestnet certificate which was imported at step 3, above
    • eg. envestnet_dev
  • Signing Algorithm for SAML Messages: SHA1
  • Fields to the end of form are empty

mceclip2.png

Click Save.

Permissions

Permissions need to be assigned to this App.  From the Saved screen click Manage

mceclip0.png

 

mceclip9.png

The Advisor firm's policies will determine how they wish to allocate permissions to this App.  For example, allocating SSO access permissions by Profile would look like this:

mceclip3.png

 

Custom Attribute

Finally, add a new Custom Attribute.  Supply the following:

  • Attribute key: target
  • Attribute value: 'proposal_view:' + $User.practifi__Envestnet_Proposal_Handle__c

mceclip19.png

mceclip18.png

 

5a. IdP-Initiated Login URL

Locate and note the In “SAML Login Information” section and from IdP-Initiated Login URL value;
Copy the path value, from the /idp onwards.  This is needed for the Custom Setting section.

mceclip21.png

 

6. Add Envestnet Username to each Practifi Username

The Envestnet Username (that is, the Envestnet login for the user) for each Envestnet user must be added to its corresponding Practifi Username in Salesforce.  This is done at the moment using the Salesforce Developer Console.

mceclip5.png

Create a query which retrieves at least the list of users by name, and the practifi__Envestnet_Username__c column.  The entry of the names into this field can be done manually from the results list, or by a Dataloader file upload in the case of large numbers.

 

mceclip4.png

7. Create Auth Provider

A single Auth Provider will be needed to connect Envestnet and Practifi systems to enable data exchange.  Be aware the separate configurations will be needed for any Test and Production systems. Each will need to point to different URLs.

Locate the Auth. Providers configuration panel in Salesforce, and click New


mceclip22.png

 

mceclip23.png

Select EnvestnetAuthProvider as the Provider Type

mceclip1.png

 

 

mceclip6.png

Supply the following, then click Save:

  • Provider Type: EnvestnetAuthProvider
  • Name: A meaningful name (eg. EnvestnetIntegrationsUSDemo2).  
  • URL Suffix: Auto create from Name (eg. EnvestnetIntegrationsUSDemo2)
  • Certificate: Envestnet certificate which was imported at step 3 Add Envestnet Certificate 
    • eg. envestnet_dev
  • Client Code
    • Test: practifi
    • Production: Provided by Envestnet
  • Issuer: The thumbprint of public certificate noted at step 3a, above
    • eg. 057dadd685......c733ee882ea728
  • Key:
    • Production: Provided by Envestnet
  • Secret
    • Production: Provided by Envestnet
  • Token Endpoint:
  • Execute As: The User/Advisor who has the Manage Users permission in the Salesforce profile  

 

8. Create Named Credential

A single Auth Provider will be needed to connect Envestnet and Practifi systems to enable data exchange.  Be aware the separate configurations will be needed for any Test and Production systems. Each will need to point to different URLs.

Locate the Named Credentials configuration panel in Salesforce, and click New Named Credential

mceclip26.png

mceclip27.png

 

mceclip28.png

Supply the following, then click Save

  • Label: A meaningful name (eg. EnvestnetIntegrationsUSDemo2)
  • Name: Auto create from label (eg. EnvestnetIntegrationsUSDemo2)  
  • URL:
  • Certificate: leave empty
  • Identity Type: Per User (note this setting)
  • Authentication Protocol: OAuth 2.0
  • Authentication Provider: the name of the Auth. Provider created above in step 6 (eg. EnvestnetIntegrationsUSDemo2)
  • Scope: leave empty
  • Start Authentication Flow on Save: leave unchecked   

The Admin setting up this Envestnet configuration will not be able to authenticate all the firm's users to start using the Envestnet integration.  Each Advisor must authenticate themselves between the systems.  This is covered in Step 13 below.

 

9. Apply Permission Set

Each Advisor who will be using the Envestnet Integration will need to have access to the Named Credential set up above.  This step will require the cloning of the initially supplied Practifi - Envestnet permission step, so that it can be edited to include the Named Credential above - the initial permission set cannot be edited.  Only a clone can.

Locate the Permission Sets  configuration panel in Salesforce, locate the line for Practifi - Integration - Envestnet, and click the Clone link

mceclip2.png

Locate and click on the Practifi - Integration - Envestnet User row

mceclip1.png

Supply a name for the cloned copy of the permission set (eg Practifi - Integration - Envestnet User).  From the updated list click the cloned-copy name.

 

mceclip5.png

Click on the Named Credential Access link

mceclip4.png

Click New to add a Name Credential to the list, or Edit to verify the list

mceclip6.png

Ensure the Named Credential set up at Step 8 above appears on the right side of the table (Enabled Named Credentials)

mceclip7.png

Click Save to complete the update

 

10. Configure Envestnet Integration Settings

Note: One general Custom Setting is required for Envestnet configurations. One separate setting per Advisor under this custom setting.

Locate the Custom Settings configuration panel in Salesforce, locate the Envestnet Integration Settings record, and click New

 

mceclip29.png

mceclip31.png

In the event that no Envestnet Integration Setting values have been applied yet, click the top-most New button to begin

mceclip0.png

 

Supply the following: 

mceclip1.png

11. Add Envestnet Proposal Type to Types list

This step will list the type Envestnet Proposal on the first panel which appears after the user clicks on the New Proposal button for the client.  Under Practifi Apps icon (nine-dots), search for and select Settings

mceclip0.png

 

Select the Categories dropdown

mceclip1.png

 

Ensure that All Service Types are selected

mceclip2.png

Search and locate the Envestnet Proposal Category Name

mceclip3.png

Under the Details subtab (click Edit at the top right), supply the following:

  • Category Name: Envestnet Proposal
  • Code: STINTENVPROP (or similar, to indicate a code for the Envestnet Proposal type)
  • Related To: Service Type
  • Group Code: STINVPROPOSAL (mandatory)
  • Active: Ticked

mceclip5.png

Click Save on completion

12. Add Link, Tab, and Panel to the UI

This step requires assistance from the Practifi Customer Support team, to install some screen updates to show the Envestnet Integration information to the user.  The steps are essentially:

  1. A new table to list the Practifi Clients which have been transmitted to Envestnet, and for which new clients have been created in Envestnet.
  2. Adding a new link option on the Client record for a Send to Envestnet function
  3. A new section on the Client record to show Financial Advice, and an Envestnet Proposals subtab
  4. A panel to enable the user to link out from an Envestnet Proposal listing directly into Envestnet

13. Advisor authentication

The final step is for each Advisor to authenticate their Practifi user login with their Envestnet user login.  This must be done by each user as a once-off step.  The steps are as follows:

 

From the top-right picture-icon, click the Settings link

mceclip8.png

From the list which follows on the left side click the Authentication Settings for External Systems link

mceclip9.png

Click New to start connecting the Practifi user with the Envestnet user

mceclip10.png

 

mceclip19.png

Supply the following (if not already completed):

  • External System Definition: Named Credential
  • Named Credential: From dropdown list, the name of the Named Credential created as Step 8 
  • User: The username of the logged on user.  Use the search tool icon to locate and select the user.
  • Authentication Protocol: OAuth 2.0
  • Start Authentication Flow on Save: Ticked

Upon clicking Save the system will take the user to an Envestnet log on panel, to which the user should proceed to log in and confirm their link to Envestnet through Practifi.  Upon completion the user is returned to the list of External Systems for which they have been authenticated to access.

 

mceclip17.png

Clicking on Edit will verify that the Administration Authentication Status now reads as Authenticated.

mceclip18.png

The user may Cancel from this view and commence using the Envestnet Integration.

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.