You can provision PingOne identities as Salesforce Leads, Contacts, or Users. You can also promote or demote identities from one group to another. For more information, see Manage Leads and Contacts.

  1. Go to Integrations > Provisioning.
  2. Click + and then click New connection.
  3. For Identity Store, click the Select button.
  4. Under Salesforce Leads and Contacts, click Select, and then click Next.
  5. Enter a name and description for this provisioning connection. The connection name will appear in the list when you've completed and saved the connection.
  6. Click Next.
  7. On the Configure authentication screen, enter the following:
    • Salesforce domain. The full domain for the Salesforce account. You can find the domain in the URL when logged into the account. For example, myCompanyName.my.salesforce.com.
    • Client ID. The Consumer Key from Salesforce for the connected application. For more information, see Create a Connected App in the Salesforce documentation.
    • Client secret. The Consumer Secret from Salesforce for the connected application.
    • OAuth access token. The access token from Salesforce for the connected application. You can use the Ping Identity OAuth Configuration Service (OCS) to get the token. For more information, see Getting an API access token from Salesforce.
    • OAuth refresh token. The refresh token from Salesforce for the connected application.
  8. Click Test connection to verify that PingOne can establish a connection to Salesforce Leads and Contacts.

    If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.

    Important:

    You cannot use the connection for provisioning until you have established a valid connection to Salesforce Leads and Contacts. To retry, click Cancel in the Test Connection Failed dialog box and repeat step 7.

    Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
  9. On the Configure preferences screen, enter the following:
    • Record type. Specify the type of Salesforce Contact to create: Contact or Lead. For more information, see Leads and Contacts in the Salesforce documentation.
    • Allow records to be deleted. Determines whether to delete a user in the target identity store when the user is deleted in the source identity store.
    • Allow users to be created. Determines whether to create a user in the target identity store when the user is created in the source identity store.
    • Allow users to be updated. Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
    • Allow users to be disabled. Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
    • Allow users to be deprovisioned. Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
    • Remove action. The action to take when removing a user from the target identity store.
    • Deprovision on rule deletion. Determines whether to deprovision users if the associated provisioning rule is deleted.
  10. Click Finish.

The Salesforce Contacts provisioning connection is complete and is added to the list of provisioning connections on the Provisioning page. If you see errors related to Salesforce provisioning, check for sync failures. See Viewing sync status.

To define which users are provisioned and how attributes are mapped between PingOne and an external identity store, follow the instructions in Creating an outbound rule.
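A pre-flight check for the values entered in step 7, as an added example that is not part of the PingOne or Salesforce documentation: it validates the Salesforce domain field and builds the refresh-token request for Salesforce's standard `/services/oauth2/token` endpoint without sending it. The function names, the `ALLOWED_SUFFIXES` list, and the credential placeholders are assumptions made for illustration.

```python
import re
import urllib.parse
import urllib.request

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOST_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")
# Assumption: the org is served under salesforce.com; extend if yours is not.
ALLOWED_SUFFIXES = (".salesforce.com",)

def check_domain(value):
    """Return a list of problems with a 'Salesforce domain' field value."""
    problems = []
    host = value.strip()
    if host != value:
        problems.append("leading or trailing whitespace")
    if "://" in host:
        problems.append("URL scheme present; enter the host name only")
        host = host.split("://", 1)[1]
    if "/" in host:
        problems.append("path present; enter the host name only")
        host = host.split("/", 1)[0]
    if not HOST_RE.match(host):
        problems.append("not a valid host name")
    elif not host.lower().endswith(ALLOWED_SUFFIXES):
        problems.append("host is outside the allowed Salesforce suffixes")
    return problems

def build_refresh_request(domain, client_id, client_secret, refresh_token):
    """Build, without sending, the refresh-token request for this org."""
    problems = check_domain(domain)
    if problems:
        # Refuse to aim the secret and refresh token at a questionable host.
        raise ValueError("; ".join(problems))
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    url = f"https://{domain}/services/oauth2/token"
    return urllib.request.Request(url, data=body, method="POST")

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    req = build_refresh_request("myCompanyName.my.salesforce.com",
                                "CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")
    print(req.get_method(), req.full_url)
```

To exercise real credentials, pass the returned request to `urllib.request.urlopen`; a JSON response containing `access_token` indicates the client ID, client secret, and refresh token are accepted by that org.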