Page created: 24 Jul 2019 |
Page updated: 8 Feb 2022
The following are known issues or limitations with the Salesforce Connector.
- In PingFederate 9.3 and earlier, PingFederate provisions users as groups, creating unwanted groups. PingFederate also tries to provision groups as users, resulting in error log messages. This only impacts configurations where both group provisioning is enabled and the data store is Oracle Directory or PingDirectory.
- The provisioning connector cannot clear user attributes once they have been set.
- Adding a new certificate to PingFederate’s trusted CA store for use in a secure LDAP (or LDAPS) connection requires a server restart, when a secure LDAP connection has already been attempted or established.
- When deprovisioning a Salesforce customer or partner user, the provisioning connector does not unlink the user from the associated contact.
- If a customer or partner user is unlinked in Salesforce from the associated contact, any changes to the user in the data store will cause the provisioning connector to create a new user in Salesforce and link it to the existing contact.
- Guest users in Salesforce cannot be frozen. If Freeze users instead of disable is selected in your provisioning options, the guest user will not be disabled or frozen.
- After deleting an LDAP user account, the provisioner does not remove the user in the next provisioning cycle when Group DN is specified, until a new user is added to the targeted group. This limitation is compounded when the User Create provisioning option is disabled. For more details, see SaaS provisioner does not remove the user when Group DN is specified in the Ping Identity Knowledge Base.
- Group synchronization is based on group name. If multiple groups have the same name, the provisioner syncs to the group that is returned first.
- The Salesforce Provisioner dynamically retrieves data from your Salesforce instance. Depending on your Salesforce environment, this could cause a delay when you create an SP connection to Salesforce.
- If multiple PingFederate administrators are creating connections to Salesforce at the same time, the attribute mapping screen may not show attributes from Salesforce correctly.
- Refresh tokens
- Refresh token policy must be set to Refresh token is valid until revoked for OAuth as expiring refresh tokens are not supported.
- Salesforce Communities
- The provisioner can link users to "customer" and "partner" business accounts, but not "person" accounts. See Accounts in the Salesforce documentation.