Salesforce

User and group management

The Salesforce Connector links users and groups from the datastore to Salesforce. The behavior of each provisioning capability is described below.

Synchronizing existing users

The provisioning connector synchronizes users from the datastore to Salesforce based on the Username attribute.

To set up synchronization, use the SP Connection > Configure Channels > Channel > Attribute Mapping page to populate the Username attribute with a matching attribute from the datastore.

For example:

  • In Salesforce, Janet’s Username is jsmith@example.com.

  • In your datastore, Janet’s mail is jsmith@example.com.

  • On the Attribute Mapping page, you map the Username attribute to mail.

  • When the provisioning connector runs, the datastore user is provisioned with a Username of jsmith@example.com. That matches Janet’s existing Username in Salesforce, so her information in the datastore is synchronized to her Salesforce account.

User provisioning

Triggered by any of the following:

  • A user is added to the datastore group or filter that is targeted by the provisioning connector.

  • A user with "disabled" status is added to the datastore group or filter that is targeted by the provisioning connector, and the Provision disabled users provisioning option is enabled.

The target is determined by the Source Location page in the provisioning connector configuration.

User updates

Triggered when a change occurs to a user attribute that is mapped in the provisioning connector configuration.

User deprovisioning

Triggered by any of the following:

  • A user is deleted from the user store.

  • A user is disabled in the user store.

  • A user is removed from the datastore group or filter that is targeted by the provisioning connector.

The provisioning connector disables or freezes the user depending on whether Freeze users instead of disable is selected. Learn more in Provisioning options reference.

Synchronize existing groups

The provisioning connector synchronizes groups from the datastore to Salesforce based on the group name.

For example:

  • In Salesforce, there is a group named Accounting.

  • In your datastore, there is a group with a CN of Accounting.

  • When the provisioning connector runs, the two groups are synchronized.

Group provisioning

Triggered when a group is added to the datastore filter that is targeted by the provisioning connector.

The target is determined by the Source Location page in the provisioning connector configuration.

Group name updates

Renaming the group in the datastore triggers PingFederate to rename the group in Salesforce.

Group membership updates

Changing group memberships through the group’s properties or a user’s properties triggers PingFederate to update the group membership in Salesforce.

Group memberships in the datastore overwrites the group memberships in Salesforce.

Group deletion

Triggered by any of the following:

  • Deleting the group in the datastore triggers PingFederate to delete the group in Salesforce. Group deletions are permanent and can’t be undone.

  • The group is removed from the datastore group or filter that is targeted by the provisioning connector.