Creating a Salesforce Leads and Contacts connection
You can set up provisioning for a connection to a Salesforce Contacts identity store.
About this task
You can provision PingOne identities as Salesforce Leads, Contacts, or Users. You can also promote or demote identities from one group to another. Learn more in Manage Leads and Contacts.
Steps
- In the PingOne admin console, go to Integrations > Provisioning.
- Click and then click New Connection.
- On the Identity Store line, click Select.
- On the Salesforce Leads and Contacts tile, click Select. Click Next.
- Enter a name and description for the provisioning connection.
Result:
The connection name appears in the provisioning list after you save the connection.
- Click Next.
- In the Configure Authentication section, enter the values for the following fields:
Field | Value
---|---
Salesforce Domain | The full domain for the Salesforce account. You can find the domain in the URL when logged into the account. For example, myCompanyName.my.salesforce.com.
Client ID | The Consumer Key from Salesforce for the connected application. Learn more in Create a Connected App in the Salesforce documentation.
Client Secret | The Consumer Secret from Salesforce for the connected application.
OAuth Access Token | The access token from Salesforce for the connected application. You can use the Ping Identity OAuth Configuration Service (OCS) to get the token. Learn more in Getting an API access token from Salesforce in the Integrations documentation.
OAuth Refresh Token | The refresh token from Salesforce for the connected application.
- Click Test connection to verify that PingOne can establish a connection to Salesforce Leads and Contacts.
Result:
If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.
You can’t use the connection for provisioning until you’ve established a valid connection to Salesforce Leads and Contacts. To retry, click Cancel in the Test Connection Failed modal and repeat step 7.
Troubleshooting:
Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
- In the Configure Preferences and Actions sections, configure the following:
Field | Description
---|---
Record Type |
Allow Records to be Deleted | Determines whether to delete a user in the target identity store when the user is deleted in the source identity store.
Allow Users to be Created | Determines whether to create a user in the target identity store when the user is created in the source identity store.
Allow Users to be Updated | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
Allow Users to be Disabled | Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
Allow Users to be Deprovisioned | Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
Remove Action | The action to take when removing a user from the target identity store.
Deprovision on Rule Deletion | Determines whether to deprovision users if the associated provisioning rule is deleted.
- Click Save.
- To enable the connection, click the toggle at the top of the details panel to the right (blue).
You can disable the connection by clicking the toggle to the left (gray).
Result
The Salesforce Contacts provisioning connection is complete and added to the list of provisioning connections on the Provisioning page. If you see errors related to Salesforce provisioning, check for sync failures. Learn more in Viewing sync status.
Next steps
Define which users are provisioned and how attributes are mapped between PingOne and an external identity store. Learn more in Creating an outbound rule.
Salesforce Contacts provisioning features
The Salesforce Contacts provisioner offers the following features.
- Manage Leads and Contacts in Salesforce based on changes in an external datastore
- Enable the create, update, and delete capabilities independently
Manage Leads and Contacts
The provisioning connector synchronizes users from the PingOne datastore to Salesforce based on the Email attribute.
When you configure the attribute mappings in your service provider connection, you can set up synchronization by populating the Email attribute with a matching attribute from the datastore.
For example:
- In Salesforce, Janet’s Email is jsmith@example.com.
- In your datastore, Janet’s mail is jsmith@example.com.
- On the Attribute Mapping page, you map the Email attribute to mail.
- When the provisioning connector runs, the datastore user is provisioned with an Email of jsmith@example.com. This matches Janet’s existing Email in Salesforce, so her information in the datastore is synchronized to her Salesforce account.
Lead and Contact record provisioning
Provisioning is triggered by any of the following:
- A user is added to the datastore group or filter that is targeted by the provisioning connector.
The target is determined in the provisioning connector configuration.
Salesforce Contacts attribute mapping
The following lists common attributes that can be mapped for provisioning to a Salesforce Contacts user store.
You can find a complete list of Salesforce attributes in User in the Salesforce documentation.
Attribute | Description
---|---
Alias | The user’s short name used on list pages, reports, and other pages where the entire name does not fit.
Email | The user’s email address.
Email Encoding Key | The email encoding. A default set of email encoding options is provided based on your Salesforce environment.
First name | The user’s first name.
IsActive | The status of the user account in Salesforce Contacts.
Language Locale Key | The user’s language.
Last name | The user’s last name.
Locale Sid Key | The locale of the user. A default set of options is provided based on your Salesforce environment.
Time Zone Sid Key | The user’s time zone. A default set of options is provided based on your Salesforce environment.
Username | The user’s username and Salesforce sign-on.

Attribute mapping for Salesforce, Salesforce Communities, and Salesforce Leads and Contacts lets you make required attributes optional on update, which helps when updating existing users. When adding attribute mapping in the PingOne admin console, click the Update checkbox to include the attribute mapping in updates. The email attribute mapping is checked by default and included in updates.
Salesforce Contacts known limitations
The following are known issues and limitations with Salesforce Contacts user provisioning.
Converted contacts and leads
When a Contact record is converted to a User in Salesforce:
- The Salesforce Contacts Connector can continue to update the Contact record, but changes are not reflected in the new User record.
- The Salesforce Contacts Connector cannot delete the Contact record. Instead, it shows the following error.
[{"message":"Your attempt to delete jsmith could not be completed because it is associated with the following portal users.: jsmith@example.com\n","errorCode":"DELETE_FAILED","fields":[]}]
When a Lead record is converted to another record type in Salesforce:
- The Salesforce Contacts Connector can still delete the Lead record, but cannot update it. Instead, it shows the following error.
"[{"message":"cannot reference converted lead", "errorCode":"CANNOT_UPDATE_CONVERTED_LEAD", "fields":[]}]"
- If the Lead record is deleted from your data store but not deleted from Salesforce, and a new Lead is created in the directory with the same email address, the synchronization fails with the message above.
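The following is an added example, not part of the Ping Identity documentation: a Python helper that parses the two error payloads quoted in this section (including the form wrapped in outer quotes) and groups failed records by the limitation they match, so records left behind in Salesforce can be reviewed. The function names, hint wording, record labels, and the last two sample payloads are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# errorCode -> limitation described in this section (hint wording is illustrative).
KNOWN_LIMITATIONS = {
    "DELETE_FAILED": "Contact converted to a User: connector cannot delete the Contact",
    "CANNOT_UPDATE_CONVERTED_LEAD": "Lead converted: connector can delete but not update it",
}

def parse_errors(raw):
    """Return the error objects in a Salesforce error payload, or [] if unparseable."""
    text = raw.strip()
    # The converted-lead error is shown wrapped in an extra pair of double quotes.
    if text.startswith('"[') and text.endswith(']"'):
        text = text[1:-1]
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list):
        return []
    return [e for e in data if isinstance(e, dict)]

def triage(failures):
    """Group (record, raw_payload) pairs into (known-by-errorCode, unknown records)."""
    known, unknown = defaultdict(list), []
    for record, raw in failures:
        codes = {e.get("errorCode") for e in parse_errors(raw)}
        hits = codes & KNOWN_LIMITATIONS.keys()
        for code in sorted(hits):
            known[code].append(record)
        if not hits:
            unknown.append(record)  # needs manual review
    return dict(known), unknown

# Payloads 1 and 2 are the ones quoted above; the rest are constructed samples.
SAMPLE_FAILURES = [
    ("jsmith", r'[{"message":"Your attempt to delete jsmith could not be completed because it is associated with the following portal users.: jsmith@example.com\n","errorCode":"DELETE_FAILED","fields":[]}]'),
    ("lead-1", '"[{"message":"cannot reference converted lead", "errorCode":"CANNOT_UPDATE_CONVERTED_LEAD", "fields":[]}]"'),
    ("lead-2", '[{"message":"constructed", "errorCode":"SOME_OTHER_ERROR", "fields":[]}]'),
    ("lead-3", "<html>gateway timeout</html>"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_FAILURES))
```

Records grouped under DELETE_FAILED still exist in Salesforce after the source identity was removed, so they are the ones to reconcile by hand.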
Certificates
Adding a new certificate to PingFederate’s trusted certificate authority (CA) store for use in a secure LDAP (or LDAPS) connection requires a server restart when a secure LDAP connection has already been attempted or established.
Deprovisioning
After deleting an LDAP user account, the provisioner doesn’t remove the user in the next provisioning cycle when Group DN is specified until a new user is added to the targeted group. This limitation is compounded when the User Create provisioning option is disabled. For more details, see SaaS provisioner does not remove the user when Group DN is specified in the Ping Identity Knowledge Base.