
Monday, December 27, 2021

Identity Connect

  • Identity Connect provides Active Directory (AD) integration, so users can log in with AD credentials and connect to Salesforce using Single Sign-On. Changes made to AD are automatically synchronized with Salesforce, simplifying lifecycle management when AD is the source of identity information.

  • Identity Connect is a Salesforce Identity product that helps Salesforce admins apply all the data collected in AD to automate Salesforce user management. It syncs changes in AD within seconds.

Synchronize Salesforce with Active Directory

With Identity Connect, you can manage Salesforce users by relying on the data already entered in AD. Identity Connect constantly monitors AD and updates Salesforce when changes in AD occur. Syncing can occur in near real time, on a regular schedule, or both.


When Identity Connect detects differences between AD and Salesforce, it updates Salesforce with the information in AD. Data flows in one direction only: AD is the source of truth, and Identity Connect never changes information stored in AD. Note: if you edit a mapped field directly in Salesforce, that edit is overwritten at the next sync. This is by design and harmless as long as you plan for it. You can tell Identity Connect not to update specific fields if you want to manage them in Salesforce, so exclude those fields from the mapping before the first sync rather than after a change has already been lost.



Identity Connect feature

  • Identity Connect is designed to work with multiple Salesforce orgs. You can set up Identity Connect to manage all these orgs simultaneously. Each org has its own Identity Connect mapping so you can control the user’s attributes and entitlements separately for each org.

  • Identity Connect is on-premises software that sits behind your firewall and pushes data to Salesforce. Most companies use firewalls to block inbound connections from outside the corporate network while allowing outbound traffic: you can reach the Internet from the office, but you must be on a VPN to reach internal resources from home or a coffee shop. A demilitarized zone (DMZ) is a subnetwork that separates the internal network from untrusted networks such as the Internet; it is still on-premises, within the corporate perimeter. Instead of installing Identity Connect behind the internal firewall, you can install it in the DMZ. Wherever it runs, it needs a connection to AD for directory queries and outbound HTTPS to Salesforce, so if you place it in the DMZ, restrict those paths to the Identity Connect hosts rather than opening the DMZ to AD in general.

  • You can set up Identity Connect to manage multiple production orgs. And you can set up Identity Connect to manage multiple non-production orgs. But you can’t mix production and sandbox orgs in one Identity Connect environment.

  • For user provisioning, Identity Connect connects with Salesforce over REST APIs to validate and update user settings. These read and write operations count against the org’s API limits. 

  • Live Updates: Identity Connect monitors AD and updates Salesforce as changes occur. This is not a full comparison of everything in both systems, so if either Identity Connect or the primary AD server goes offline, AD changes made during the outage can be missed and may never propagate to Salesforce after the system comes back online. That is where Scheduled Updates come in.

  • Scheduled Updates: Identity Connect makes a full comparison between AD and Salesforce. It collects all user and group information from both systems and compares all the data. If any differences exist, Identity Connect updates Salesforce with the data from AD.

Salesforce recommends running Scheduled Updates at most once per day; most customers run them every night or every weekend. Although a full comparison guarantees the data is in sync, it consumes more resources, including API calls. Live Updates have less impact on API limits because Identity Connect connects to Salesforce only when it detects a change to user settings in AD. In practice, use Live Updates for responsiveness and a nightly Scheduled Update as the safety net that catches anything the live path missed.
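The following toy model, added here and not Identity Connect's own code, shows why the two paths complement each other: the event-driven path only examines the account named in a change notification, while the full comparison catches a change that happened while no notification was delivered, and both respect the excluded fields discussed earlier. The AD entries, Salesforce records, attribute map, the mail-to-Username key and the policy for Salesforce-only users are all assumptions made for this illustration.

```python
"""Toy model of the two sync paths: Live Updates and Scheduled Updates.

Added example, not Identity Connect's own code. The AD entries, Salesforce
records, attribute map, mail-to-Username key and the policy for Salesforce-only
users are all assumptions made for this illustration.
"""
from copy import deepcopy

# Constructed AD export (what a directory search would return), keyed by sAMAccountName.
AD_USERS = {
    "jdoe":   {"mail": "jdoe@example.com",   "givenName": "Jane", "sn": "Doe",   "department": "Sales",   "enabled": True},
    "asmith": {"mail": "asmith@example.com", "givenName": "Alex", "sn": "Smith", "department": "Support", "enabled": False},
    "bnew":   {"mail": "bnew@example.com",   "givenName": "Bob",  "sn": "New",   "department": "Support", "enabled": True},
}

# Constructed Salesforce User records keyed by Username. Deliberately stale:
# jdoe's department changed in AD, asmith was disabled in AD during an outage
# (no live event arrived), bnew was never created, and orphan has no AD entry.
SF_USERS = {
    "jdoe@example.com":   {"FirstName": "Jane", "LastName": "Doe",     "Department": "Marketing", "Title": "Manager",  "IsActive": True},
    "asmith@example.com": {"FirstName": "Alex", "LastName": "Smith",   "Department": "Support",   "Title": "Engineer", "IsActive": True},
    "orphan@example.com": {"FirstName": "Old",  "LastName": "Account", "Department": "Unknown",   "Title": "",         "IsActive": True},
}

# One-way attribute mapping, AD attribute -> Salesforce field (assumed subset).
ATTRIBUTE_MAP = {"givenName": "FirstName", "sn": "LastName", "department": "Department"}

# Fields the admin manages in Salesforce; the sync must never overwrite them.
EXCLUDED_FIELDS = {"Title"}


def desired_state(ad_user):
    """Project one AD entry onto the Salesforce fields the sync owns."""
    want = {sf_field: ad_user.get(ad_attr) for ad_attr, sf_field in ATTRIBUTE_MAP.items()}
    want["IsActive"] = ad_user["enabled"]
    return want


def diff_fields(want, have, excluded=EXCLUDED_FIELDS):
    """Fields whose Salesforce value differs from AD, skipping locally managed ones."""
    return {f: v for f, v in want.items() if f not in excluded and have.get(f) != v}


def sync_user(ad_user, sf_users):
    """One (kind, username, fields) operation for a single AD user, or None if in sync."""
    username = ad_user["mail"]
    want = desired_state(ad_user)
    have = sf_users.get(username)
    if have is None:
        return ("create", username, want)
    changes = diff_fields(want, have)
    return ("update", username, changes) if changes else None


def live_update(event, sf_users, ad_users=AD_USERS):
    """Live Updates path: only the account named in the change notification is examined.

    `event` is a constructed change notification, e.g. {"account": "jdoe"}.
    Anything that changed while no notification was delivered is never seen here.
    """
    op = sync_user(ad_users[event["account"]], sf_users)
    return [op] if op else []


def scheduled_update(ad_users, sf_users):
    """Scheduled Updates path: full comparison of all AD users against all Salesforce users."""
    ops = []
    ad_usernames = {u["mail"] for u in ad_users.values()}
    for ad_user in ad_users.values():
        op = sync_user(ad_user, sf_users)
        if op:
            ops.append(op)
    # Salesforce users with no AD counterpart. Deactivating them is this example's
    # policy; what the real product does with them is a configuration decision.
    for username, have in sf_users.items():
        if username not in ad_usernames and have["IsActive"]:
            ops.append(("deactivate", username, {"IsActive": False}))
    return ops


def reconciliation_report(ad_users, sf_users):
    """Pre-sync report: Salesforce users that do not map to any AD account."""
    ad_usernames = {u["mail"] for u in ad_users.values()}
    return sorted(u for u in sf_users if u not in ad_usernames)


def apply_ops(ops, sf_users):
    """Apply operations to a copy of the Salesforce table (stands in for the REST calls)."""
    state = deepcopy(sf_users)
    for kind, username, fields in ops:
        if kind == "create":
            state[username] = {"Title": "", **fields}
        else:
            state[username].update(fields)
    return state


if __name__ == "__main__":
    live = live_update({"account": "jdoe"}, SF_USERS)
    print("live:", live)  # jdoe's Department only; the excluded Title is left alone
    after_live = apply_ops(live, SF_USERS)
    print("unmapped before sync:", reconciliation_report(AD_USERS, after_live))
    print("scheduled:", scheduled_update(AD_USERS, after_live))  # catches asmith, bnew, orphan
```

Note that the live path leaves asmith active in Salesforce even though AD disabled the account, because no event for that change was ever delivered; only the full comparison revokes the access. That gap is the security reason to keep a scheduled run even when Live Updates appears to be working.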

  • Disable Salesforce passwords to ensure that your users log in to Salesforce with their AD credentials. Without a Salesforce password, users can never bypass Identity Connect when logging in. Disabling Salesforce passwords also reduces compliance overhead: set your password strength requirements in AD, force all users to use that password, and then you only need to test AD password strength to demonstrate compliance. Note: to disable passwords, Salesforce Support must enable Delegated Authentication. Then you can set Is Single Sign-On Enabled on the profile of users who won't have a Salesforce password. Keep at least one administrator account that is not SSO-only, so you retain a way into the org if Identity Connect or AD is unavailable.

  • Reports: from the Identity Connect console, you can generate different types of reports for different stages. Run a reconciliation report before syncing; it reports how many users in Salesforce don't map to AD. After a sync, run a synchronization report to troubleshoot failed sync operations; it lists all the synchronization operations that occurred, along with the date, the number of records synced, and the number of records that failed to sync. Run a User Activity report to see which users succeeded and which failed to log in through Identity Connect.

  • Deploy an Identity Connect cluster of multiple servers so that Identity Connect keeps working when one server goes down. If the primary server fails, the backup servers still handle requests, so Identity Connect stays available on your network. This is called a high-availability cluster.

Identity Connect Benefits

Provision Users

  • With Identity Connect, you can quickly set up users with Salesforce.

  • Provisioning users manually is error-prone and time-consuming. By using Identity Connect to automatically onboard (and offboard) users, you streamline the process of creating users and managing their access to apps and data. Instead of duplicating the effort to create users and set up permissions, use the information that's already stored in AD.

Single Sign-On (SSO)

  • You can set up single sign-on (SSO) with Identity Connect so that users can access Salesforce with their AD credentials.

  • When users are added to AD, they can access Salesforce with the same username and password they use for AD.

  • Users don't need to remember an extra username and password. You don't have to manage separate user credentials in Salesforce. 

Assign Salesforce Permissions

In AD, users are granted permissions using AD Groups. In Salesforce, we use profiles, permission sets, roles, and public groups. With Identity Connect, you can map permissions in AD to permissions in Salesforce.


When users are added to or removed from a group in AD, they’re automatically added or removed from the mapped profiles, permission sets, roles, and public groups in Salesforce.

To assign Salesforce permissions from AD, choose which AD groups correspond to which Salesforce permissions. Keep in mind that a Salesforce user holds exactly one profile and at most one role, so a user who belongs to several mapped groups needs a precedence rule for those, whereas permission sets and public groups are additive. Through Identity Connect, an AD group can control the following:

  1. Profile Mapping

  2. Role Mapping

  3. Permission set Mapping

  4. Public group Mapping
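The following toy evaluation, added here and not Identity Connect's own code, shows how the four mapping types above turn an AD group membership change into grants and revocations in Salesforce, including the single-valued profile case. The group names, the mapping tables, the profile precedence list and the default profile are all assumptions made for this illustration.

```python
"""Toy evaluation of AD group -> Salesforce permission mappings.

Added example, not Identity Connect's own code. The group names, the four
mapping tables, the profile precedence list and the default profile are all
assumptions made for this illustration of how group membership changes turn
into grants and revocations in Salesforce.
"""


def dn(cn):
    """Build a constructed group distinguished name."""
    return f"CN={cn},OU=Groups,DC=example,DC=com"


# Constructed AD group membership: group DN -> member sAMAccountNames.
AD_GROUPS = {
    dn("SF-Sales"):   {"jdoe", "bnew"},
    dn("SF-Admins"):  {"asmith"},
    dn("SF-APAC"):    {"jdoe"},
    dn("SF-Reports"): {"jdoe", "asmith"},
}

# One mapping table per Salesforce mechanism. A user holds exactly one profile
# and at most one role, so those mappings need a precedence rule; permission
# sets and public groups are additive, so every matching group applies.
PROFILE_MAP = {dn("SF-Admins"): "System Administrator", dn("SF-Sales"): "Standard User"}
ROLE_MAP = {dn("SF-APAC"): "APAC Sales"}
PERMISSION_SET_MAP = {dn("SF-Reports"): "Run Reports"}
PUBLIC_GROUP_MAP = {dn("SF-Sales"): "Sales Team"}

# Precedence when several profile-mapped groups match, and the fallback when
# none do (both assumed for this example).
PROFILE_PRECEDENCE = ["System Administrator", "Standard User"]
DEFAULT_PROFILE = "Standard User"


def groups_of(account, ad_groups):
    """All group DNs the account is a direct member of."""
    return {g for g, members in ad_groups.items() if account in members}


def desired_entitlements(account, ad_groups):
    """What Salesforce should grant this account, derived purely from AD group membership."""
    groups = groups_of(account, ad_groups)
    profiles = {PROFILE_MAP[g] for g in groups if g in PROFILE_MAP}
    roles = sorted(ROLE_MAP[g] for g in groups if g in ROLE_MAP)
    return {
        "profile": next((p for p in PROFILE_PRECEDENCE if p in profiles), DEFAULT_PROFILE),
        "role": roles[0] if roles else None,
        "permission_sets": {PERMISSION_SET_MAP[g] for g in groups if g in PERMISSION_SET_MAP},
        "public_groups": {PUBLIC_GROUP_MAP[g] for g in groups if g in PUBLIC_GROUP_MAP},
    }


def entitlement_diff(current, desired):
    """Operations to move a Salesforce user from `current` to `desired` entitlements.

    Revocations are emitted as well as grants: leaving an AD group must remove
    the mapped access, otherwise offboarding through AD silently fails.
    """
    ops = []
    if current["profile"] != desired["profile"]:
        ops.append(("set_profile", desired["profile"]))
    if current["role"] != desired["role"]:
        ops.append(("set_role", desired["role"]))
    for ps in sorted(desired["permission_sets"] - current["permission_sets"]):
        ops.append(("assign_permission_set", ps))
    for ps in sorted(current["permission_sets"] - desired["permission_sets"]):
        ops.append(("remove_permission_set", ps))
    for pg in sorted(desired["public_groups"] - current["public_groups"]):
        ops.append(("add_to_public_group", pg))
    for pg in sorted(current["public_groups"] - desired["public_groups"]):
        ops.append(("remove_from_public_group", pg))
    return ops


def membership_change(ad_groups, account, add=(), remove=()):
    """Return a new membership table after an AD group change (the old one is untouched)."""
    new = {g: set(members) for g, members in ad_groups.items()}
    for g in add:
        new.setdefault(g, set()).add(account)
    for g in remove:
        new.get(g, set()).discard(account)
    return new


if __name__ == "__main__":
    before = desired_entitlements("jdoe", AD_GROUPS)
    changed = membership_change(AD_GROUPS, "jdoe", add=[dn("SF-Admins")], remove=[dn("SF-Reports")])
    after = desired_entitlements("jdoe", changed)
    print(entitlement_diff(before, after))
```

The diff is computed from the desired state, not from the event, so a user removed from every mapped group ends up with the default profile, no role, no permission sets and no public groups; that is the behaviour you want from AD-driven offboarding, and it is worth checking with a test user before trusting the mapping in production.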


