---
title: Creating a Salesforce Communities connection
description: You can set up provisioning in PingOne for a connection to a Salesforce Communities identity store.
component: pingone
page_id: pingone:integrations:p1_create_connection_salesforce_communities
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_connection_salesforce_communities.html
revdate: June 4, 2025
page_aliases: ["p1_selsforce_communities_features.adoc", "p1_salesforce_communities_attribute_mapping.adoc", "p1_salesforce_communities_limitations.adoc"]
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  result-2: Result:
  troubleshooting: Troubleshooting:
  result-3: Result
  next-steps: Next steps
  salesforce-communities-provisioning-features: Salesforce Communities provisioning features
  salesforce-communities-attribute-mapping: Salesforce Communities attribute mapping
  salesforce-communities-known-limitations: Salesforce Communities known limitations
  attributes: Attributes
  deprovisioning: Deprovisioning
  refresh-tokens: Refresh tokens
  salesforce-communities: Salesforce Communities
  group-provisioning: Group provisioning
---

# Creating a Salesforce Communities connection

You can set up provisioning for a connection to a Salesforce Communities identity store.

## Before you begin

You should review the information about creating users and cloning community profiles in Salesforce Communities. Learn more in [Salesforce Community users](https://docs.pingidentity.com/integrations/salesforce/salesforce_provisioner/pf_salesforce_connector_salesforce_community_users.html) in the Integrations documentation.

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. Click the **+** icon and then click **New Connection**.

3. On the **Identity Store** line, click **Select**.

4. On the **Salesforce Communities** tile, click **Select**. Click **Next**.

5. Enter a name and description for the provisioning connection.

   ### Result:

   The connection name appears in the provisioning list after you save the connection.

6. Click **Next**.

7. In the **Configure Authentication** section, enter the values for the following fields:

   | Field                   | Value                                                                                                                                                                                                                                                   |
   | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Salesforce Domain**   | The full domain for the Salesforce account. You can find the domain in the URL when signed on to the account. For example, \<myCompanyName>.my.salesforce.com. |
   | **Client ID**           | The **Consumer Key** value from Salesforce for the connected application. Learn more in [Create a Connected App](https://help.salesforce.com/s/articleView?id=xcloud.connected_app_create.htm\&type=5) in the Salesforce documentation. |
   | **Client Secret**       | The **Consumer Secret** value from Salesforce for the connected application. |
   | **OAuth Access Token**  | The access token from Salesforce for the connected application. You can use the Ping Identity OAuth Configuration Service (OCS) to get the token. Learn more in Getting an API access token from Salesforce in the Integrations documentation. |
   | **OAuth Refresh Token** | The refresh token from Salesforce for the connected application.                                                                                                                                                                                        |

8. Click **Test Connection** to verify that PingOne can establish a connection to Salesforce Communities.

   ### Result:

   If there are any issues with the connection, a **Test Connection Failed** modal opens. Click **Next** to resume the setup with an invalid connection.

   |   |                                                                                                                                                                                                            |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can't use the connection for provisioning until you've established a valid connection to Salesforce Communities. To retry, click **Cancel** in the **Test Connection Failed** modal and repeat step 7. |

   ### Troubleshooting:

   Learn more about troubleshooting your connection in [Troubleshooting test connection failure](p1_provisioning_troubleshooting_test_connection_failure.html).

9. In the **Configure Preferences** and **Users Actions** sections, configure the following:

   | Field                         | Description |
   | ----------------------------- | ----------- |
   | **Permission Set Management** | Determines how to handle permission sets in the Salesforce Communities identity store. Select **Merge with permission sets in Salesforce** or **Overwrite permission sets in Salesforce**.<br><br>If you select **Merge with permission sets in Salesforce**, and a permission set is added in the datastore, PingOne adds it to the user's existing permission sets in Salesforce Communities. PingOne doesn't remove any permission sets added in Salesforce Communities by other sources.<br><br>If you select **Overwrite permission sets in Salesforce**, and a permission set is added or removed in the datastore, PingOne overwrites the user's permission sets in Salesforce Communities with those from the datastore. |
   | **Enable users creation**     | Determines whether to create a user in the target identity store when the user is created in the source identity store. |
   | **Enable users updation**     | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.<br><br>- **Enable users disable**: Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.<br>- **Action When Disabling Users**: Determines the action to take when deprovisioning users from the Salesforce identity store.<br>&nbsp;&nbsp;- **Disable**. When deprovisioning, PingOne disables the user. The user cannot sign on, and their data is not visible to other users in Salesforce.<br>&nbsp;&nbsp;- **Freeze**. When deprovisioning, PingOne freezes a user. The frozen user cannot sign on, but the user's data, such as profile and activity, is still visible to other users in Salesforce. Learn more in [Freeze or Unfreeze User Accounts](https://help.salesforce.com/articleView?id=users_freeze.htm\&type=0&_ga=2.190103979.1464478938.1644250301-1378292420.1540314953) in the Salesforce documentation. |
   | **Enable users deprovision**  | Determines whether to deprovision users if the associated provisioning rule is deleted.<br><br>- **Remove Action**: Determines whether to remove or disable a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**. Remove Action isn't available for Salesforce.<br>- **Deprovision on rule deletion**: Determines whether to deprovision users if the associated provisioning rule is deleted. |

10. Click **Save**.

11. To enable the connection, click the toggle at the top of the details panel to the right (blue).

    |   |                                                                           |
    | - | ------------------------------------------------------------------------- |
    |   | You can disable the connection by clicking the toggle to the left (gray). |

## Result

The Salesforce Communities provisioning connection is complete and added to the list of provisioning connections on the **Provisioning** page.

## Next steps

Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in [Configuring outbound group provisioning](p1_provisioning_configuring_outbound_group_provisioning.html).

## Salesforce Communities provisioning features

The Salesforce Communities provisioner offers the following features.

Provision users from the PingOne identity store to Salesforce Communities:

* Create users

* Update users

* Deprovision users

Customize provisioning options:

* Deprovision users with a freeze or disable action

* Provision disabled users

* Merge or overwrite permission sets

Group provisioning:

* Sync a group and its members from PingOne to Salesforce Community.

## Salesforce Communities attribute mapping

The following table lists common Salesforce Communities attributes that can be mapped for user provisioning.

You can find a complete list of Salesforce attributes in [User](https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_user.htm) in the Salesforce documentation.

| Attribute               | Description                                                                                                                                                                                                                                                         |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Account Id**          | The identifier associated with a company in Salesforce Communities. This field is required for Salesforce Communities users when provisioning customer and partner users. |
| **Alias**               | The user's short name used on list pages, reports, and other pages where the entire name doesn't fit. This value must be 8 characters or fewer. |
| **Email**               | The user's email address.                                                                                                                                                                                                                                           |
| **Email Encoding Key**  | The email encoding. A default set of email encoding options is provided based on your Salesforce environment.                                                                                                                                                       |
| **First name**          | The user's first name.                                                                                                                                                                                                                                              |
| **IsActive**            | The status of the user account in Salesforce Communities.                                                                                                                                                                                                           |
| **Language Locale Key** | The user's language.                                                                                                                                                                                                                                                |
| **Last name**           | The user's last name.                                                                                                                                                                                                                                               |
| **Locale Sid Key**      | The locale of the user. A default set of options is provided based on your Salesforce environment.                                                                                                                                                                  |
| **Profile Id**          | The identifier associated with a user profile type in Salesforce. The profile determines the type of user and some permissions. Learn more in [Profiles](https://help.salesforce.com/articleView?id=admin_userprofiles.htm\&type=5) in the Salesforce documentation. |
| **Time Zone Sid Key**   | The user's time zone. A default set of options is provided based on your Salesforce environment.                                                                                                                                                                    |
| **Username**            | The user's username and Salesforce sign-on. This value must be in the format of an email address. |

|   |                                                                                                                                                                                                                                                                                                                                                                                                          |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Attribute mapping for Salesforce, Salesforce Communities, and Salesforce Leads and Contacts provides an ability to make required attributes optional. This helps update existing users. When adding attribute mapping in the PingOne admin console, click the **Update** checkbox to include the attribute mapping in updates. The email attribute mapping is checked by default and included in updates. |

## Salesforce Communities known limitations

The following are known issues and limitations with Salesforce Communities user provisioning.

### Attributes

* The provisioner cannot clear user attributes after they have been set.

* Multi-attribute values are not supported.
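The checks below are an added example, not PingOne or Salesforce code: a pre-flight validator that applies the constraints from the attribute table (Alias length, Username format, Account Id for customer and partner users) and the two attribute limitations above to a mapped user record before it is synced. The record shape, the `user_type` label, and the sample values are assumptions constructed for illustration.

```python
import re

# Constraints taken from the attribute table and the known limitations on this page.
ALIAS_MAX = 8
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose shape check only
ACCOUNT_LINKED_TYPES = {"customer", "partner"}  # user types that need an Account Id


def preflight(user, user_type, previous=None):
    """Return a list of problems for one mapped user record.

    user      -- dict of attribute name -> mapped value (hypothetical shape)
    user_type -- "customer", "partner" or another label (hypothetical field)
    previous  -- attributes sent on the last sync, if this is an update
    """
    problems = []

    # Multi-valued attributes are not supported by the provisioner.
    for name, value in user.items():
        if isinstance(value, (list, tuple, set)):
            problems.append(f"{name}: multi-valued attribute is not supported")

    alias = user.get("Alias")
    if isinstance(alias, str) and len(alias) > ALIAS_MAX:
        problems.append(f"Alias: {len(alias)} characters, limit is {ALIAS_MAX}")

    username = user.get("Username")
    if not isinstance(username, str) or not EMAIL_SHAPE.match(username):
        problems.append("Username: must be in the format of an email address")

    if user_type in ACCOUNT_LINKED_TYPES and not user.get("Account Id"):
        problems.append(f"Account Id: required for {user_type} users")

    # The provisioner cannot clear an attribute once it is set, so an emptied
    # mapping leaves the old value in Salesforce Communities.
    for name, old in (previous or {}).items():
        if old not in (None, "") and user.get(name) in (None, ""):
            problems.append(f"{name}: cannot be cleared; Salesforce keeps {old!r}")

    return problems


# Constructed sample records (not real accounts or identifiers).
GOOD = {"Username": "pat.lee@example.com", "Alias": "plee",
        "Email": "pat.lee@example.com", "Account Id": "ACCOUNT-ID-PLACEHOLDER"}
BAD = {"Username": "pat.lee", "Alias": "patricialee",
       "Email": ["pat.lee@example.com", "p.lee@example.org"]}

if __name__ == "__main__":
    for problem in preflight(BAD, "partner"):
        print(problem)
```

The "cannot be cleared" finding matters most for access-relevant attributes: removing a value in the source does not remove it in Salesforce Communities, so it has to be corrected there directly.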

### Deprovisioning

* When deprovisioning a Salesforce customer or partner user, the provisioning connector does not unlink the user from the associated contact.

* If a customer or partner user is unlinked in Salesforce from the associated contact, any change to the user in the data store causes the provisioning connector to create a new user in Salesforce and link it to the existing contact.

* Guest users in Salesforce cannot be frozen. If **Freeze Users** instead of **Disable** is selected in your provisioning options, the guest user will not be disabled or frozen.

### Refresh tokens

* Refresh token policy must be set to **Refresh token is valid until revoked** for OAuth because expiring refresh tokens are not supported.

### Salesforce Communities

* The provisioner can link users to `customer` and `partner` business accounts, but not `person` accounts. For more information, see the [Accounts](https://help.salesforce.com/articleView?id=accounts.htm\&type=5) page in the Salesforce documentation.

### Group provisioning

* Syncing memberships is not supported for Salesforce Community. Admins can set up group provisioning on Salesforce Communities to sync only groups from PingOne.
