Skip to Content
How-To GuidesConnect a SaaS Platform

Connect a SaaS Platform

This guide walks you through connecting SaaS and collaboration platforms to Slim.io for PII scanning. Slim.io supports Slack, Microsoft Teams, OneDrive, SharePoint, Google Drive, and Salesforce.

Time required: 10–20 minutes (varies by platform)

Prerequisites:

  • Admin access to your SaaS platform (for app registration or bot creation)
  • Slim.io Customer Dashboard access

Supported Platforms

PlatformAuth MethodWhat Gets Scanned
SlackBot TokenChannel messages (public and private)
Microsoft TeamsClient Credentials (Service Principal)Channel messages, attachments, meeting chat
OneDriveClient Credentials (Service Principal)Documents, shared files
SharePointClient Credentials (Service Principal)Document libraries, site contents
Google DriveDomain-Wide DelegationDocs, Sheets, Slides, shared drives
SalesforceUsername + Password + Security TokenObject fields, custom objects, attachments

Slack

Step 1: Create a Slack App

  1. Go to api.slack.com/apps  and click Create New App.
  2. Choose From scratch, name it (e.g., “Slim.io Scanner”), and select your workspace.
  3. Navigate to OAuth & Permissions in the sidebar.
  4. Under Bot Token Scopes, add:
    • channels:history — Read public channel messages
    • channels:read — List public channels
    • groups:history — Read private channel messages
    • groups:read — List private channels
    • users:read — Resolve user display names
    • users:read.email — Resolve user email addresses
  5. Click Install to Workspace and authorize.
  6. Copy the Bot User OAuth Token (starts with xoxb-).

Slim.io scans channel messages only. Direct messages (DMs) are never accessed. The bot must be invited to private channels to scan them.

Step 2: Configure in Slim.io

  1. In the Slim.io dashboard, navigate to Connectors and click Add Connector.
  2. Select Slack.
  3. Enter a Connector Name (e.g., “Corporate Slack”).
  4. Paste the Bot Token (xoxb-...).
  5. Click Connect.

Step 3: Verify

The connector status transitions to Active once Slim.io confirms the bot token is valid and can list channels. You can now trigger a scan.

Microsoft Teams / OneDrive / SharePoint

All three Microsoft connectors use the same authentication method: an Azure AD App Registration with application permissions.

Step 1: Create an App Registration

  1. Go to Azure Portal > App registrations .
  2. Click New registration.
  3. Name it (e.g., “Slim.io Scanner”) and select Accounts in this organizational directory only.
  4. Click Register.
  5. Copy the Application (client) ID and Directory (tenant) ID.

Step 2: Create a Client Secret

  1. In the app registration, go to Certificates & secrets.
  2. Click New client secret, add a description, and set expiration.
  3. Copy the Value immediately — it will not be shown again.

The client secret is only visible at creation time. If you lose it, you must create a new one.

Step 3: Grant API Permissions

Navigate to API permissions > Add a permission > Microsoft Graph > Application permissions and add the permissions for your connector:

For Teams:

  • ChannelMessage.Read.All — Read channel messages
  • Team.ReadBasic.All — List teams
  • Channel.ReadBasic.All — List channels

For OneDrive:

  • Files.Read.All — Read all files
  • User.Read.All — Enumerate user drives

For SharePoint:

  • Sites.Read.All — Read all site contents
  • Files.Read.All — Read document libraries

After adding permissions, click Grant admin consent for [your organization].

Step 4: Configure in Slim.io

  1. In the Slim.io dashboard, navigate to Connectors and click Add Connector.
  2. Select Teams, OneDrive, or SharePoint.
  3. Enter:
    • Connector Name — A friendly label (e.g., “Corporate Teams”)
    • Tenant ID — The Azure AD Directory ID
    • Client ID — The Application ID
    • Client Secret — The secret you created
  4. Click Connect.

Step 5: Verify

The connector authenticates using the client credentials flow and enumerates available resources (teams/channels, drives, or sites). Status transitions to Active on success.

Google Drive

Step 1: Create a Service Account

  1. Go to Google Cloud Console > IAM & Admin > Service Accounts .
  2. Click Create Service Account.
  3. Name it (e.g., slimio-scanner) and click Create and Continue.
  4. Skip the optional role grants and click Done.
  5. Click the new service account, go to Keys > Add Key > Create new key > JSON.
  6. Download the JSON key file.

Step 2: Enable Domain-Wide Delegation

  1. In the service account details, click Show domain-wide delegation and enable it.
  2. Copy the Client ID (numeric).
  3. Go to Google Workspace Admin > Security > API Controls > Domain-wide Delegation .
  4. Click Add new and enter:
    • Client ID: The service account’s numeric Client ID
    • OAuth Scopes: 
      https://www.googleapis.com/auth/drive.readonly
  5. Click Authorize.

Domain-wide delegation allows the service account to impersonate users and access their Drive files. Slim.io uses the drive.readonly scope — it can read files but never modify, delete, or share them.

Step 3: Configure in Slim.io

Google Drive connectors use OAuth2 — the wizard initiates an authorization flow:

  1. In the Slim.io dashboard, navigate to Connectors and click Add Connector.
  2. Select Google Drive.
  3. Enter a Connector Name (e.g., “Corporate Google Drive”).
  4. Click Connect with Google to begin the OAuth flow.
  5. Authorize Slim.io to access Drive (read-only).

Step 4: Verify

After authorization completes, the connector enumerates shared drives and files. Status transitions to Active on success.

Salesforce

Step 1: Create a Connected App

  1. Log in to Salesforce and navigate to Setup > App Manager.
  2. Click New Connected App.
  3. Fill in:
    • Connected App Name: Slim.io Scanner
    • API Name: Slim_io_Scanner
    • Contact Email: Your admin email
  4. Check Enable OAuth Settings.
  5. Set Callback URL to https://api.slim.io/api/v1/connectors/auth/callback/salesforce.
  6. Add Selected OAuth Scopes:
    • Access and manage your data (api)
    • Perform requests on your behalf at any time (refresh_token, offline_access)
  7. Click Save and wait 2–10 minutes for activation.

Step 2: Get Your Security Token

If you do not already have a Salesforce security token:

  1. Click your profile icon > Settings.
  2. Go to My Personal Information > Reset My Security Token.
  3. A new token is emailed to you.

The security token is appended to your password when authenticating via the API. If your org uses IP allowlisting, you may not need it.

Step 3: Configure in Slim.io

  1. In the Slim.io dashboard, navigate to Connectors and click Add Connector.
  2. Select Salesforce.
  3. Enter:
    • Connector Name — A friendly label (e.g., “Salesforce Production”)
    • Instance URL — Your Salesforce instance (e.g., https://yourorg.my.salesforce.com)
    • Username — Your Salesforce username
    • Password — Your password
    • Security Token — The token from Step 2
  4. Click Connect.

Step 4: Verify

The connector authenticates and enumerates Salesforce objects. Status transitions to Active on success. Slim.io scans standard and custom object fields for PII.

Incremental Scanning

After the initial full scan, Slim.io automatically uses incremental scanning for SaaS connectors:

  • Slack: Uses the oldest timestamp parameter to fetch only new messages since the last scan
  • Teams: Filters by lastModifiedDateTime to scan only updated messages
  • OneDrive / SharePoint: Uses Microsoft Graph’s /delta endpoint for change tracking
  • Google Drive: Uses the changes.list API with a stored startPageToken
  • Salesforce: Filters by LastModifiedDate to scan only updated records

This reduces scan time from hours to minutes on subsequent runs.

Rate Limiting

Slim.io automatically handles API rate limits for all SaaS platforms:

  • Respects Retry-After headers from provider APIs
  • Uses exponential backoff with jitter on 429 responses
  • Per-connector token bucket rate limiting prevents API bans
  • Scan progress continues automatically after rate limit windows expire

You do not need to configure rate limiting — it is handled automatically.

Troubleshooting

IssueSolution
”Invalid token” (Slack)Verify the bot token starts with xoxb- and the app is installed to your workspace
”Insufficient permissions” (Slack)Ensure all required scopes are added under Bot Token Scopes, not User Token Scopes
”Unauthorized” (Teams/OneDrive/SharePoint)Verify Tenant ID, Client ID, and Client Secret. Ensure admin consent was granted for API permissions.
”Token expired” (Microsoft)Create a new client secret in Azure AD — secrets expire per your configured policy
”Domain-wide delegation not configured” (Google Drive)Verify the service account Client ID and OAuth scope are added in Google Workspace Admin
”Authentication failed” (Salesforce)Append your security token to your password. Verify your instance URL is correct.
”No channels found” (Slack)The bot must be invited to private channels. Public channels are listed automatically.
”Slow scan”SaaS scans are rate-limited by provider APIs. This is expected behavior. Check the scan progress indicator for estimated time.

Next Steps

Last updated on
Connect a DatabaseScanner Releases