Converted contacts and leads

When a Contact record is converted to a User in Salesforce:

  • The Salesforce Contacts Connector can continue to update the Contact record, but changes are not reflected in the new User record.
  • The Salesforce Contacts Connector cannot delete the Contact record. Instead, it shows the following error.
    [{"message":"Your attempt
    to delete jsmith could not be completed because it is associated with
    the following portal users.:\n","errorCode":"DELETE_FAILED","fields":[]}]

When a Lead record is converted to another record type in Salesforce:

  • The Salesforce Contacts Connector can still delete the Lead record, but cannot update it. Instead, it shows the following error.
    "[{"message":"cannot reference converted lead",
    "errorCode":"CANNOT_UPDATE_CONVERTED_LEAD", "fields":[]}]"
  • If the Lead record is deleted from your data store but not deleted from Salesforce, and a new Lead is created in the directory with the same email address, the synchronization fails with the message above.


The provisioning connector cannot clear user attributes after they have been set.


Adding a new certificate to PingFederate’s trusted certificate authority (CA) store for use in a secure LDAP (or LDAPS) connection requires a server restart when a secure LDAP connection has already been attempted or established.


After deleting an LDAP user account, the provisioner doesn't remove the user in the next provisioning cycle when Group DN is specified until a new user is added to the targeted group. This limitation is compounded when the User Create provisioning option is disabled. For more details, see SaaS provisioner does not remove the user when Group DN is specified in the Ping Identity Knowledge Base.


The Salesforce Connector dynamically retrieves data from the customer’s Salesforce instance. Depending on your Salesforce environment, this could cause some delays when you create a provisioning connection to Salesforce.

Refresh tokens

The refresh token policy must be set to Refresh token is valid until revoked for OAuth because expiring refresh tokens are not supported.