Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
Full Composite App entry
How-to guide

How to plan and ship a Composite App

Building a Composite App means picking an integration pattern for each external piece, wiring identity, and choosing where each capability runs. The technical work is straightforward; the design work decides whether you ship in three months or eighteen.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce DictionaryLast updated May 20, 2026

Building a Composite App means picking an integration pattern for each external piece, wiring identity, and choosing where each capability runs. The technical work is straightforward; the design work decides whether you ship in three months or eighteen.

  1. Catalog the capabilities and where each one runs best

    List the screens and the business capabilities behind them. Mark each as native (fits Salesforce platform), external (better off-platform), or shared (needs both). This is the inventory the rest of the design works from.

  2. Pick the integration pattern for each external capability

    For UI embedding, Canvas or an iframe. For API calls from Salesforce to external, External Services or Apex Callout. For external calling back into Salesforce, REST API or Streaming API. For data mirroring, Heroku Connect or a custom ETL.

  3. Set up identity and SSO

    Configure Salesforce as an Identity Provider (or as a relying party if you have an external IdP). Issue OAuth scopes for the external app. For Canvas, register the Canvas App in Setup and configure the signed request keys.

  4. Build the integration surfaces

    Develop the LWCs that embed external apps through Canvas. Generate External Services Apex actions from the OpenAPI specs. Stand up Heroku apps with Heroku Connect mappings. Test each integration in isolation before stitching together.

  5. Wire the unified UI

    On the Salesforce side, assemble Lightning App Pages that drop in the LWCs alongside native components. On the external side, use Lightning Out to embed native components in external pages. The user should not be able to tell where one ends and the other begins.

  6. Test for failure modes

    Composite Apps fail in ways native apps never do. Test what happens when the external service is down (graceful degradation, not a broken page), when SSO tokens expire mid-session, when Heroku Connect sync lags, and when an external endpoint changes its OpenAPI spec.

Gotchas
  • Composite Apps double the operational surface area. You need monitoring for both Salesforce and the external pieces, plus the integration in between.
  • Salesforce session timeouts and external session timeouts are independent. A user can be logged into one and out of the other without realizing it.
  • Canvas requires a signed request and HTTPS on the external app. Localhost development needs a tunneling tool like ngrok.
  • External Services has a 2MB request and response limit. Bulk operations need a different pattern (Bulk API, Heroku Connect, or async messaging).
  • Heroku Connect sync is not real-time; default sync intervals are 10 minutes. Plan UI patterns around eventual consistency, not strong consistency.

See the full Composite App entry

Composite App includes the definition, worked example, deep dive, related terms, and a quiz.