Enabling the Envestnet Integration

Overview

Our integration with the Envestnet ENV 2 platform enables Advisors to create Clients and their Member details in Envestnet directly from Practifi records, eliminating duplicate data entry across systems. Updates can be sent from Practifi to Envestnet with a single click, keeping data current across both systems. Advisors can then initiate Envestnet Proposal actions from Practifi and complete details in Envestnet. From within Practifi, Advisors can view the list of Envestnet Proposals and link directly to Envestnet to view and update them, keeping proposal management within a single workflow. 

Updates to Client and Member details in Envestnet are not sent back to Practifi. Practifi is the intended source of truth for Client and Member information.

• Before You Begin
• Workflow Setup for Proposal Management
• Installation
  • Set Up My Domain
  • Enable Identity Provider
  • Add Envestnet Certificate
  • Remote Site Settings
  • Enable Connected App
  • Add Envestnet Username to Each Practifi Username
  • Create Auth Provider
  • Create Named Credential
  • Apply Permission Sets
  • Configure Envestnet Integration Settings
  • Add Proposal Type to List
  • Add Link, Tab, and Panel to the UI
  • User Authentication
• Data Field Mapping

Before You Begin

Before beginning the installation process for the Evestnet integration, the following should be acquired:

1. Create a JKS certificate and send the Public portion to Envestnet for signing and return
2. The JKS certificate location, file name, and password to the Keystore for API data authentication
3. The thumbprint of the JKS certificate
4. Envestnet Test and Production system URLs
5. ACS URLs of the Envestnet Test and Production systems
6. The Client Code issued by Envestnet for the Advisor firm
7. Client Key and Secret issued by Envestnet for the Advisor firm

Workflow Setup for Proposal Management

For users to initiate proposals in Practifi and send them to Envestnet for completion, the Investment Proposal Creation - Envestnet Process Type and its related Active Form must be deployed and enabled in your organization. With this workflow in place, Advisors can launch proposals from the same record where they manage client information, removing the need to switch systems mid-task. If this functionality is not available in your organization, please contact Practifi Support.

Installation

The following steps are required to enable the Envestnet Integration. 

Set Up My Domain

My Domain is required for SSO authentication. In most scenarios, this should have already been configured. In this case, do not modify the domain; skip this step.

1. Locate My Domain using the Salesforce Setup Quick Find search bar and follow the wizard steps.
   
   
    
2. When a domain name has been chosen, click Register the Domain. Once registration is complete, an email will be received indicating that the domain is ready for testing. Note the complete URL of your domain, as this will be needed when configuring other Practifi integrations.
   
   

Enable Identity Provider

The Identity Provider service is required to support Single Sign-On (SSO) authentication and requires a Self-Signed certificate. Skip this step if your organization has already enabled the Identity Provider.

1. Locate the Identity Provider using the Quick Find search bar in Salesforce Setup.
   
   
    
2. Click the Enable Identity Provider button.
   
   
    
3. Choose the existing Identity Provider certificate or click Create a new certificate... to generate a new Identity Provider certificate.
   
   
    
4. If creating a new certificate, choose a name for the Self-Signed certificate that will be used by all integrations with SSO in your organization. 
   
   
    
5. A successfully enabled Identity Provider will show a panel like this:
   
   

Add Envestnet Certificate 

Practifi will prepare a certificate and send the Public portion of the key to Envestnet. This is the certificate used to encrypt data between Practifi and Envestnet. Salesforce details the steps to request and set up the certificates as a general system setup task. 

Once the certificate has been created and signed by Envestnet, it will be returned as a .JKS file and typically stored in a shared folder. This certificate should be imported into the Salesforce org. The thumbprint of the public portion of the certificate should be recorded for later use.

1. Locate the Certificate and Key Management using the Quick Find search bar in Salesforce Setup.
   
   
    
2. Click the Import from Keystore button.
   
   
    
3. A list of folders on the local or shared drive will appear. Locate the certificate signed by Envestnet that you downloaded earlier, then select the file. If the file is password-protected, enter the Keystore Password and click Save.
   
   
    
4. After successfully importing the certificate, it will appear under Certificate and Key Management. At this point, also note the certificate thumbprint. 
   
   
    
5. To make note of the certificate thumbprint, download the certificate from Salesforce. This will download just the public portion of the certificate key as a .crt file.
   
   
    
6. From its downloaded location (it should have a file extension of .crt), double-click to open it, and note the Thumbprint value. Copy it to a location where it can be pasted later.
   
   

Remote Site Settings

Set up a Remote Site in Salesforce that points to the Envestnet system.

1. Locate Remote Site Settings through the Quick Find search bar in Salesforce Setup.
   
   
    
2. Click the New Remote Site button.
   
   
    
3. Supply the following:
   • Remote Site Name:
     • Test: Envestnet_UAT
     • Production: Envestnet
   • Remote Site URL:
     • Test: https://uat.envestnet.io
     • Production: https://envestnet.io
   • Active: ticked
4. Once the information is entered, click Save.  
   
   
   

Enable Connected App

This step is required for SSO authentication between the two systems.

1. Locate App Manager by using the Quick Find search bar in Salesforce Setup.
   
   
    
2. Click the New Connected App button.
   
   
    
3. Supply the following:
   • Connected App Name - Provide a meaningful name, for example, Envestnet SSO.
   • API Name - This value will auto-generate from the Connected App Name field.
   • Contact Email - This should be an email for a System Administrator in your organization.
   • Enable SAML (in the Web App Settings section) - Check this box.
   • Entity Id - The thumbprint of the public certificate, e.g., 057dadd685......c733ee882ea728
   • ACS URL - 
     • Test: https://uat.envestnet.com/secure/sso/saml_confirm.jsp?firm=practifi
     • Production: https://portal.envestnet.com/secure/sso/saml_confirm.jsp?firm=practifi
   • Subject Type - Select Custom Attribute from the drop-down menu.
   • Custom Attribute - Select Envestnet_Username from the drop-down menu.
   • Name ID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
   • Issuer - The thumbprint of the public certificate, e.g., 057dadd685......c733ee882ea728
   • IdP Certificate - The name of the Envestnet certificate, e.g., envestnet_dev.
   • Signing Algorithm for SAML Messages - SHA1
   • Fields to the end of the form are left blank.
     
     
      
4. Once this information is entered, click Save.
5. Permissions need to be assigned to this App. From the saved Connected App screen, click the Manage button.
   
   
6. Under the Profiles section, click Manage Profiles to assign permission to this SSO App by user profiles, or click Manage Permission Sets to assign by previously defined permission sets.
   
   
    
7. The Advisor firm's policies will determine how they wish to allocate permissions to this App. For example, allocating SSO access permissions by Profile would look like this:
   
   
    
8. On the Manage Connected Apps screen, navigate to the Custom Attributes section and click New.
   
   
    
9. Supply the following:
   • Attribute key - Target
   • Attribute value - 'proposal_view:' + $User.practifi__Envestnet_Proposal_Handle__c
     
     
      
10. Locate the SAML Login Information section, and note the value in the IdP-Initiated Login URL field. Copy the path value from the /idp onwards. This is needed for the Custom Setting section.
    
    
     

Add Envestnet Username to Each Practifi Username

The Envestnet Username (the user's Envestnet login) for each Envestnet user must be added to its corresponding Practifi Username in Salesforce. This is done using the Salesforce Developer Console.
 

Create a query that retrieves at least the list of users by name and the practifi__Envestnet_Username__c column. For larger numbers of users, names can be entered manually from the results list or uploaded via a Dataloader file.

Create Auth Provider

A single Auth Provider will be needed to connect Envestnet and Practifi systems to enable data exchange. Separate configurations will be needed for any Test and Production systems, as each must point to different URLs.

1. Locate Auth. Providers in Salesforce Setup can be found by using the Quick Find search bar.
   
   
    
2. On the Auth. Providers page, click New.
   
   
    
3. Select EnvestnetAuthProvider as the Provider Type.
   
   
    
4. Supply the following:
   • Provider Type - EnvestnetAuthProvider
   • Name - A meaningful name (e.g., EnvestnetIntegrationsUSDemo2). 
   • URL Suffix - This information will auto-populate from the information input in the Name field. (eg. EnvestnetIntegrationsUSDemo2)
   • Certificate - Envestnet certificate, which was imported at the Add Envestnet certificate step. (eg. envestnet_dev)
   • Client Code - 
     • Test - practifi
     • Production - Provided by Envestnet
   • Issuer - The thumbprint of the public certificate, e.g., 057dadd685......c733ee882ea728
   • Key -
     • Production - Provided by Envestnet
   • Secret - 
     • Production - Provided by Envestnet
   • Token Endpoint - 
     • Test - https://uat.envestnet.io/openenv/api/oauth2/token
     • Production - https://envestnet.io/openenv/api/oauth2/token
   • Execute As - The User/Advisor with Manage Users permission in the Salesforce profile. 
     
     
      
5. Once this information has been entered, click Save.

Create Named Credential

A single Auth Provider will be needed to connect Envestnet and Practifi systems to enable data exchange. Separate configurations will be needed for any Test and Production systems, as each must point to different URLs.

1. Locate Named Credentials in Salesforce Setup by using the Quick Find search bar.
   
   
    
2. Click New Named Credential.
   
   
    
3. Supply the following:
   • Label - A meaningful name (e.g., EnvestnetIntegrationsUSDemo2)
   • Name - This information will auto-populate based on the value entered in the Label field (e.g., EnvestnetIntegrationsUSDemo2). 
   • URL - 
     • Test: https://uat.envestnet.io/openenv/api
     • Production: https://envestnet.io/openenv/api
   • Certificate - Leave this field empty
   • Identity Type - Per User (note this setting)
   • Authentication Protocol - OAuth 2.0
   • Authentication Provider - the name of the Auth. Provider (e.g., EnvestnetIntegrationsUSDemo2)
   • Scope - Leave this field empty
   • Start Authentication Flow on Save - Leave this box unchecked
     
      
4. Once this information is input, click Save.

Apply Permission Sets

Each Advisor who will use the Envestnet Integration will need access to the Named Credential set up above.  This step requires cloning the initially supplied Practifi - Envestnet permission set so that it can be edited to include the Named Credential. The initial permission set cannot be edited; only a clone of it can.

1. Locate Permission Sets in Salesforce Setup using the Quick Find search bar.
   
   
    
2. Click the Clone button next to the Practifi - Integration - Envestnet permission set.
   
   
    
3. Locate and click the Practifi - Integration - Envestnet User row. 
   
   
    
4. Supply a name for the cloned copy of the permission set (e.g., Practifi - Integration - Envestnet User). From the updated list, click the cloned copy name.
5. Click on the Named Credential Access link.
   
   
    
6. Click New to add a Named Credential or Edit to verify the list.
   
   
    
7. Ensure the Named Credential appears on the right side of the table under Enabled Named Credentials.
   
   
    
8. Click Save to complete the update.

Configure Envestnet Integration Settings

1. Locate Custom Settings in Salesforce Setup by using the Quick Find search bar.
   
   
    
2. Locate the Envestnet Integration Settings record and click Manage.
   
   
    
3. If no Envestnet Integration Setting values have been applied yet, click the top-most New button to create them.
   
   
    
4. Supply the following: 
   • Enabled -Ticked
   • Named Credential - Created at the Named Credentials step. eg EnvestnetIntegrationsUSDemo2. 
   • Verbose Logging - Leave this unchecked. It is only used for testing
   • SSO URL - Copied from the Enable Connected App step, e.g., /idp/login?app=0sp2w000000CafE    Include the leading "/"
     

Add Proposal Type to List

This step adds the Envestnet Proposal type to the first panel that appears after the user clicks the New Proposal button for the client. 

1. In the App Launcher, use the search bar to locate and click the Settings app.
   
   
    
2. Use the Navigation Menu to select Categories from the drop-down menu.
   
   
    
3. Ensure that the All Service Types view is selected for the Categories list view.
   
   
    
4. Search and locate the Envestnet Proposal Category Name.
   
   
    
5. Click Edit at the top right and supply the following under the Details subtab:
   • Category Name - Envestnet Proposal
   • Code - STINTENVPROP (or similar, to indicate a code for the Envestnet Proposal type)
   • Related To - Service Type
   • Group Code - STINVPROPOSAL (This value is required)
   • Active - Checked
     
     
      
6. Once this is entered, click Save.

Add Link, Tab, and Panel to the UI

Please have the Practifi Customer Support team install screen updates to show the Envestnet Integration information to the user. Please let the Support team know when you are ready for this step to be completed.

The steps are essentially the following:

1. A new table to list the Practifi Clients that have been transmitted to Envestnet, and for which new clients have been created in Envestnet.
2. Adding a new link option on the Client record for a Send to Envestnet function
3. A new section on the Client record to show Financial Advice and an Envestnet Proposals subtab
4. A panel to enable the user to link out from an Envestnet Proposal listing directly into Envestnet

User Authentication

The final step for enablement is for each Advisor to authenticate their Practifi user login with their Envestnet user login. 

The steps are as follows:

1. Click your user icon in the upper right-hand corner and click Settings.
   
   
    
2. Within Settings, click the Authentication Settings for External Systems link under the My Personal Information section.
   
   
    
3. Click New on this page to connect the Practifi user with the Envestnet user.
   
   
    
4. Supply the following, if not already completed:
   • External System Definition - Named Credential
   • Named Credential - From the drop-down list, select the name of the Named Credential created previously.
   • User - The username of the logged-in user. Use the search tool icon to locate and select the user.
   • Authentication Protocol - OAuth 2.0
   • Start Authentication Flow on Save - Check this box
     
     
      
5. Once this information is completed, click Save.
6. Upon clicking Save, the system will take the user to an Envestnet log-in panel, where the user should log in and confirm their link to Envestnet through Practifi. Upon completion, the user is returned to the list of External Systems for which they have been authenticated to access.
7. Clicking Edit will verify that the Administration Authentication Status now reads as Authenticated. You can cancel from this view and start using the Envestnet Integration.
   
   

Data Field Mapping

The data mapped from Practifi to Envestnet relates to two principal Practifi concepts: Practifi Households and Practifi Contacts/Members. No other data elements are mapped back from Practifi to Envestnet.

Envestnet sends a single-line summary of each Proposal held in Envestnet for the Practifi Client, under the Financial Advice section in the Client record in Practifi, giving Advisors visibility into proposal status without leaving the client view.