PingOne

Creating a Salesforce connection

Use a Salesforce connection to enable provisioning from PingOne to Salesforce.

Before you begin

Make sure you have:

  • An existing Salesforce account.

  • The full domain for the Salesforce account.

    You can find the domain in the URL when signed on to the account. For example, <myCompanyName>.my.salesforce.com.

  • The client ID and client secret for the connected application. Learn more in Create a Connected App in the Salesforce documentation.

  • The OAuth access token and refresh token for the connected application. Learn more in Getting an API access token from Salesforce in the Integrations documentation.

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click and then click New Connection.

  3. On the Identity Store line, click Select.

  4. On the Salesforce tile, click Select. Click Next.

  5. Enter a name and description for the provisioning connection.

    Result:

    The connection name appears in the provisioning list after you save the connection.

  6. Click Next.

  7. In the Configure Authentication section, enter the values for the following fields:

    Field Value

    Salesforce Domain

    The full domain for the Salesforce account.

    You can find the domain in the URL when signed on to the account. For example, <myCompanyName>.my.salesforce.com.

    Client ID

    The Consumer Key value from Salesforce for the connected application.

    Learn more in Create a Connected App in the Salesforce documentation.

    Client Secret

    The Consumer Secret value from Salesforce for the connected application.

    OAuth Access Token

    The access token from Salesforce for the connected application.

    You can use the Ping Identity OAuth Configuration Service (OCS) to get the token. For more information, see Getting an API access token from Salesforce in the Integrations documentation.

    OAuth Refresh Token

    The refresh token from Salesforce for the connected application.

  8. Click Test connection to verify that PingOne can establish a connection to Salesforce.

    Result:

    If there are any issues with the connection, a Test Connection Failed modal opens. Click Continue to resume the setup with an invalid connection.

    You can’t use the connection for provisioning until you’ve established a valid connection to Salesforce. To retry, click Cancel in the Test Connection Failed modal and repeat step 7.

    Troubleshooting:

    Learn more about troubleshooting your connection in T.

  9. In the Configure Preferences and Users Actions sections, configure the following:

    Field Description

    Permission Set Management

    Determines how to handle permission sets in the Salesforce identity store.

    Select Merge with permission sets in Salesforce or Overwrite permission sets in Salesforce.

    If you select Merge with permission sets in Salesforce and a permission set is added in the datastore, PingOne adds it to the user’s existing permission sets in Salesforce. PingOne doesn’t remove any permission sets added in Salesforce by other sources.

    If you select Overwrite permission sets in Salesforce, and a permission set is added or removed in the datastore, PingOne overwrites the user’s permission sets in Salesforce with those from the datastore.

    Enable users creation

    Determines whether to create a user in the target identity store when the user is created in the source identity store.

    Enable users updation

    Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.

    • Enable users disable: Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.

    • Action When Disabling Users: Determines the action to take when deprovisioning users from the Salesforce identity store.

      • Disable. When deprovisioning, PingOne disables the user. The user cannot sign on, and their data is not visible to other users in Salesforce.

      • Freeze. When deprovisioning, PingOne freezes a user. The frozen user cannot sign on, but the user’s data, such as profile and activity, is still visible to other users in Salesforce.

        Learn more in Freeze or Unfreeze User Accounts in the Salesforce documentation.

    Enable users deprovision

    Determines whether to deprovision users if the associated provisioning rule is deleted.

    • Remove Action: Determines whether to remove or disable a user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable.

      Remove Action isn’t available for Salesforce.

    • Deprovision on rule deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.

  10. Click Save.

  11. To enable the connection, click the toggle at the top of the details panel to the right (blue).

    You can disable the connection by clicking the toggle to the left (gray).

Result

The Salesforce provisioning connection is complete and added to the list of provisioning connections on the Provisioning page.
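
The two Permission Set Management options from step 9, modeled as an added example (not PingOne or Salesforce code). The user names, permission set names, and the mode labels "merge" and "overwrite" are constructed for illustration.

```python
# Added illustration of the Merge and Overwrite outcomes described in step 9.
# Not PingOne or Salesforce code; every name and value below is constructed.

def sync_permission_sets(mode, datastore_sets, salesforce_sets):
    """Return the permission sets a user holds in Salesforce after a sync.

    mode is "merge" or "overwrite" (hypothetical labels for the two options).
    """
    datastore_sets, salesforce_sets = set(datastore_sets), set(salesforce_sets)
    if mode == "merge":
        # Datastore sets are added; sets granted by other sources stay in place.
        return salesforce_sets | datastore_sets
    if mode == "overwrite":
        # The user's sets are replaced with those from the datastore.
        return datastore_sets
    raise ValueError(f"unknown mode: {mode!r}")


def compare_modes(datastore, salesforce):
    """For each provisioned user, show the outcome of both options."""
    report = {}
    for user, wanted in sorted(datastore.items()):
        current = salesforce.get(user, ())
        merged = sync_permission_sets("merge", wanted, current)
        overwritten = sync_permission_sets("overwrite", wanted, current)
        report[user] = {
            "merge": sorted(merged),
            "overwrite": sorted(overwritten),
            # Granted in Salesforce by another source: kept by Merge,
            # dropped by Overwrite. Worth reviewing before choosing a mode.
            "outside_datastore": sorted(merged - overwritten),
        }
    return report


# Constructed sample state: datastore assignments vs. current Salesforce state.
DATASTORE = {
    "alice@example.com": ["Sales_User"],
    "bob@example.com": ["Report_Builder", "Sales_User"],
}
SALESFORCE = {
    "alice@example.com": ["Legacy_Export", "Sales_User"],
    "bob@example.com": [],
}

if __name__ == "__main__":
    for user, outcome in compare_modes(DATASTORE, SALESFORCE).items():
        print(user, outcome)
```

A non-empty outside_datastore list marks access that Merge leaves in place and that the datastore does not account for.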

Next steps

Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in Configuring outbound group provisioning.

Salesforce attribute mapping

The following table lists common Salesforce attributes that can be mapped for user provisioning.

You can find a complete list of Salesforce attributes in User in the Salesforce documentation.

Attribute Description

Active

The status of the user account in Salesforce.

Alias

The user’s short name used on list pages, reports, and other pages where the entire name doesn’t fit.

This value must be 8 characters or fewer.

Email

The user’s email address.

Language Locale Key

The user’s language.

Username

The user’s PingOne username and Salesforce sign-on.

This value must be in the format of an email address.

Email Encoding Key

The email encoding.

A default set of email encoding options is provided based on your Salesforce environment.

Last name

The user’s last name.

Locale Sid Key

The locale of the user.

A default set of options is provided based on your Salesforce environment.

Time Zone Sid Key

The user’s time zone.

A default set of options is provided based on your Salesforce environment.

Profile Id

The identifier associated with a user profile type in Salesforce.

The profile determines the type of user and some permissions.

Learn more in Profiles in the Salesforce documentation.

First name

The user’s first name.

Attribute mapping for Salesforce, Salesforce Communities, and Salesforce Leads and Contacts lets you make required attributes optional, which helps when updating existing users.

When adding attribute mapping in the PingOne admin console, click the Update checkbox to include the attribute mapping in updates. The email attribute mapping is checked by default and included in updates.