Provisioning connector

Allows PingFederate to manage users and groups in Salesforce based on changes in an external user data store. Includes a quick-connection template that helps you create a connection to Salesforce by pre-populating some configuration settings.

The provisioner allows you to enable the create, update, and disable capabilities independently, and customize other provisioning behaviors.


  • Manages users
    • Creates, updates, and disables users.
    • Allows you to enable the create, update, and disable capabilities independently.
    • Allows you to provision users with a "disabled" status.
    • Allows you to deprovision users with a "freeze" or "disable" action.
    • Allows you to merge or overwrite user permission sets.
  • Manages groups
    • Creates and deletes groups.
    • Updates group memberships.
  • Enables browser-based SSO initiated by the service provider (SP) or identity provider (IdP).
  • Pre-populates some connection settings with the included quick connection template.

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

System requirements

  • PingFederate 8.0 or later
  • Administrator access to a Salesforce organization account. The account must have "View All Data" permissions. For more information about account permissions, see Enable OAuth Settings for API Integration in the Salesforce documentation.
  • To provision to Salesforce Communities, the communities feature must be enabled in Salesforce.
  • To allow PingFederate to make outbound connections to Salesforce, you might need to allow the following endpoint in your firewall: