PingOne

Creating a Salesforce Leads and Contacts connection

You can set up provisioning for a connection to a Salesforce Contacts identity store.

About this task

You can provision PingOne identities as Salesforce Leads, Contacts, or Users. You can also promote or demote identities from one group to another. Learn more in Manage Leads and Contacts.

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click and then click New Connection.

  3. On the Identity Store line, click Select.

  4. On the Salesforce Leads and Contacts tile, click Select. Click Next.

  5. Enter a name and description for the provisioning connection.

    Result:

    The connection name appears in the provisioning list after you save the connection.

  6. Click Next.

  7. In the Configure Authentication section, enter the values for the following fields:

    Field Value

    Salesforce Domain

    The full domain for the Salesforce account. You can find the domain in the URL when logged into the account. For example, myCompanyName.my.salesforce.com.

    Client ID

    The Consumer Key from Salesforce for the connected application. Learn more in see Create a Connected App in the Salesforce documentation.

    Client Secret

    The Consumer Secret from Salesforce for the connected application.

    OAuth Access Token

    The access token from Salesforce for the connected application. You can use the Ping Identity OAuth Configuration Service (OCS) to get the token. Learn more in Getting an API access token from Salesforce in the Integrations documentation.

    OAuth Refresh Token

    The refresh token from Salesforce for the connected application.

  8. Click Test connection to verify that PingOne can establish a connection to Salesforce Leads and Contacts.

    Result:

    If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.

    You can’t use the connection for provisioning until you’ve established a valid connection to Salesforce Leads and Contacts. To retry, click Cancel in the Test Connection Failed modal and repeat step 7.

    Troubleshooting:

    Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.

  9. In the Configure Preferences and Actions sections, configure the following:

    Field Description

    Record Type

    Specify the type of Salesforce Contact to create: Contact or Lead. Learn more in Leads and Contacts in the Salesforce documentation.

    Allow Records to be Deleted

    Determines whether to delete a user in the target identity store when the user is deleted in the source identity store.

    Allow Users to be Created

    Determines whether to create a user in the target identity store when the user is created in the source identity store.

    Allow Users to be Updated

    Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.

    Allow Users to be Disabled

    Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.

    Allow Users to be Deprovisioned

    Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.

    Remove Action

    The action to take when removing a user from the target identity store.

    Deprovision on Rule Deletion

    Determines whether to deprovision users if the associated provisioning rule is deleted.

  10. Click Save.

  11. To enable the connection, click the toggle at the top of the details panel to the right (blue).

    You can disable the connection by clicking the toggle to the left (gray).

Result

The Salesforce Contacts provisioning connection is complete and added to the list of provisioning connections on the Provisioning page. If you see errors related to Salesforce provisioning, check for sync failures. Learn more in Viewing sync status.

Next steps

Define which users are provisioned and how attributes are mapped between PingOne and an external identity store. Learn more in Creating an outbound rule.

Salesforce Contacts provisioning features

The Salesforce Contacts provisioner offers the following features.

  • Manage Leads and Contacts in Salesforce based on changes in an external datastore

  • Enable the create, update, and delete capabilities independently

Manage Leads and Contacts

The provisioning connector synchronizes users from the PingOne datastore to Salesforce based on the Email attribute.

When you configure the attribute mappings in your service provider connection, you can set up synchronization by populating the Email attribute with a matching attribute from the datastore.

For example:

  • In Salesforce, Janet’s Email is jsmith@example.com.

  • In your datastore, Janet’s mail is jsmith@example.com.

  • On the Attribute Mapping page, you map the Email attribute to mail.

  • When the provisioning connector runs, the datastore user is provisioned with an Email of jsmith@example.com. This matches Janet’s existing Email in Salesforce, so her information in the datastore is synchronized to her Salesforce account.

Lead and Contact record provisioning

Provisioning is triggered by any of the following:

  • A user is added to the datastore group or filter that is targeted by the provisioning connector.

The target is determined in the provisioning connector configuration.

Lead and Contact record updates

Provisioning is triggered when a change occurs to a user attribute that is mapped in the provisioning connector configuration.

Lead and Contact record deprovisioning

Deletion is triggered by any of the following:

  • A user is deleted from the user store.

  • A user is disabled in the user store.

  • A user is removed from the datastore group or filter that is targeted by the provisioning connector.

Salesforce Contacts attribute mapping

The following lists common attributes that can be mapped for provisioning to a Salesforce Contacts user store.

You can find a complete list of Salesforce attributes in User in the Salesforce documentation.

Attribute Description

Alias

The user’s short name used on list pages, reports, and other pages where the entire name does not fit.

This value must be 8 characters or fewer.

Email

The user’s email address.

Email Encoding Key

The email encoding. A default set of email encoding options is provided based on your Salesforce environment.

First name

The user’s first name.

IsActive

The status of the user account in Salesforce Contacts.

Language Locale Key

The user’s language.

Last name

The user’s last name.

Locale Sid Key

The locale of the user. A default set of options is provided based on your Salesforce environment.

Time Zone Sid Key

The user’s time zone. A default set of options is provided based on your Salesforce environment.

Username

The user’s username and Salesforce sign-on.

This value must be in the format of an email address.

Attribute mapping for Salesforce, Salesforce Communities, and Salesforce Leads and Contacts provides an ability to make required attributes optional on update, this helps update existing users.

When adding attribute mapping in the PingOne admin console, click the Update checkbox to include the attribute mapping in updates. The email attribute mapping is checked by default and included in updates.

Salesforce Contacts known limitations

The following are known issues and limitations with Salesforce Contacts user provisioning.

Converted contacts and leads

When a Contact record is converted to a User in Salesforce:

  • The Salesforce Contacts Connector can continue to update the Contact record, but changes are not reflected in the new User record.

  • The Salesforce Contacts Connector cannot delete the Contact record. Instead, it shows the following error.

    [{"message":"Your attempt
to delete jsmith could not be completed because it is associated with
the following portal users.: jsmith@example.com\n","errorCode":"DELETE_FAILED","fields":[]}]

When a Lead record is converted to another record type in Salesforce:

  • The Salesforce Contacts Connector can still delete the Lead record, but cannot update it. Instead, it shows the following error.

    "[{"message":"cannot reference converted lead",
"errorCode":"CANNOT_UPDATE_CONVERTED_LEAD", "fields":[]}]"

  • If the Lead record is deleted from your data store but not deleted from Salesforce, and a new Lead is created in the directory with the same email address, the synchronization fails with the message above.

Attributes

The provisioning connector cannot clear user attributes after they have been set.

Certificates

Adding a new certificate to PingFederate’s trusted certificate authority (CA) store for use in a secure LDAP (or LDAPS) connection requires a server restart when a secure LDAP connection has already been attempted or established.

Deprovisioning

After deleting an LDAP user account, the provisioner doesn’t remove the user in the next provisioning cycle when Group DN is specified until a new user is added to the targeted group. This limitation is compounded when the User Create provisioning option is disabled. For more details, see SaaS provisioner does not remove the user when Group DN is specified in the Ping Identity Knowledge Base.

Performance

The Salesforce Connector dynamically retrieves data from the customer’s Salesforce instance. Depending on your Salesforce environment, this could cause some delays when you create a provisioning connection to Salesforce.

Refresh tokens

The refresh token policy must be set to Refresh token is valid until revoked for OAuth because expiring refresh tokens are not supported.