Salesforce

This procedure describes how to integrate Salesforce for user provisioning.

warning

The procedures documented use Salesforce Lightning. The procedures may vary if you are using Salesforce Classic.

Step 1: Complete the prerequisites

  1. The Salesforce provisioner template contains the IDaaS user attributes that must be mapped to the Salesforce attributes required for provisioning. If you use custom attributes in Salesforce, you need to create custom IDaaS user attributes that are mapped to the custom attributes in Salesforce. Create any required custom user attributes. See Create and manage user attributes.

    info

    Entrust recommends that you create a custom user attribute that contains the Salesforce username to enable SCIM mapping.

  2. Identify the IDaaS users that need to be provisioned. In IDaaS, you select the users for provisioning using the Group option. If necessary, create the required groups and add the users to those groups. By default, provisioning selects all IDaaS users if no groups are selected. See Create and manage groups and Import groups.

  3. Copy the Redirect URI from IDaaS. You need this for Step 2: Create an app in Salesforce for user provisioning. To do this:

    1. Open a Web browser.
    2. Log in to IDaaS.
    3. Click > Resources > Provisioners. The Provisioners List page appears.
    4. Click and select Salesforce from the drop-down list. The Add Provisioner page appears.
    5. Scroll to Redirect URI.
    6. You can leave the Add Provisioner page open because you need to access it in Step 5: Add the provisioner to IDaaS.
  4. Create an app in Salesforce for user provisioning.

  5. Open a text editor such as Notepad and copy and save the following information from your Salesforce app:

    • Tenant URL
    • Token value
    • SCIM endpoints

Step 2: Create an app in Salesforce for user provisioning

  1. Log in to your Salesforce account.
  2. Click > Setup. The Setup panel appears.
  3. Under Platform Tools, click Apps > App Manager. The Lightning Experience App Manager page appears.
  4. Click New Connected App. The App Manager Setup page appears.
  5. Enter the following Basic Information:
    1. Connected App Name
    2. API Name
    3. Contact Email
    4. Optional information:
      • Logo image URL
      • Icon URL
      • Info URL
      • Description
  6. Under API (Enable OAuth Settings), complete the following:
    1. Select Enable OAuth Settings.
    2. In the Callback URL field, enter the Redirect URI.

      Example: https://<tenantname>.<locale>.trustedauth.com/api/web/v1/oauth/scim/redirect

      where <tenantname> and <locale> are your IDaaS tenant name and locale, for example, mycompany.us.

    3. Ensure that the following appear in the Selected OAuth Scopes:
      1. Manage user data via APIs (api)
      2. Perform requests at any time (refresh_token, offline_access)
    4. Disable Require Proof Key for Code Exchange (PKCE) Extension for Authorization Flows.
    5. Select Require Secret for Web Server Flow.
    6. Select Require Secret for Refresh Token Flow.
    7. Optional. Select Configure ID Token.
  7. Click Save. It can take a few minutes for your app to be created.

Step 3: Enable the Salesforce app for user provisioning

  1. In Salesforce, go to Platform Tools > Apps > Connected Apps > Manage Connected Apps. The Manage Connected Apps page appears.

  2. Click Edit next to your app name. The Setup page appears.

  3. Under OAuth Policies, ensure that the Refresh Token Policy is set to Refresh token is valid until revoked.

    warning

    Once a refresh token expires, IDaaS requires a new OAuth authorization for the provisioner.

  4. Under User Provisioning, select Enable User Provisioning.

  5. Click Save.

Step 4: Obtain the Salesforce app Client ID, Client Secret, and Entitlement Profile attribute

  1. In Salesforce, go to Platform Tools > Apps > App Manager. The App Manager page appears.
  2. Scroll the list to find the app being used for user provisioning.
  3. Click the menu button for the app and then select View from the drop-down list.
  4. Click Manage Consumer Details. You are prompted to authenticate with a verification code.
  5. Enter the Verification Code and then click Verify. The Consumer Details appear.
  6. Open a text editor and copy and paste the Consumer Key and the Consumer Secret into it. Leave the text file open.
  7. Click Cancel to exit Consumer Details page.
  8. In Salesforce, go to Administration > Users > App Profiles. The Profiles page appears.
  9. Click your Profile. In the Web browser address bar, an alphanumeric value appears at the end of your Salesforce domain.

    Example: <mytenantID>.mydomain.com/ABC123D45678f9GH

  10. Copy the alphanumeric value to your text file. This is your Entitlement Profile. You need this attribute value in Step 5: Add the provisioner to IDaaS.

Step 5: Add the provisioner to IDaaS

  1. Enter a Name for the provisioner.

  2. Select Enable to automatically enable the provisioner when it is created. By default, this setting is deselected.

    note

    Entrust recommends leaving this setting disabled until full setup, including OAuth authorization, is complete.

  3. Select the Groups to provision all users from the selected groups. You can select more than one group.

  4. Enter the SCIM Server Endpoints.

    Example:
    https://<salesforce_tenant_hostname>/services/scim/v2/

    where <salesforce_tenant_hostname> is your Salesforce domain.

    warning

    SCIM Server Endpoints cannot be edited after the provisioner has been added to IDaaS.

  5. Under User Attribute Mapping, do the following:

    1. Click next to [entitlement.profile]. The SCIM Attribute dialog box appears.
    2. In the User attribute to map to field, paste the Entitlement Profile value you copied in Step 4: Obtain the Salesforce app Client ID, Client Secret, and Entitlement Profile attribute.
  6. The template maps the user attributes, but if required, add the custom user attributes, as follows:

    1. Under User Attribute Mapping, click . The SCIM Attribute dialog box appears.
    2. Select the Schema Name from the drop-down list or enter a custom name required by your service provider.
    3. From the Data Type drop-down list, select the conversion for the attribute mapping. The options include:
      • string
      • boolean
      • number
    4. From the SCIM Attribute Name drop-down list, select the SCIM attribute to map to IDaaS.
    5. From the IDaaS Attribute to map to field, do the following as required to map the SCIM attribute to IDaaS:
      1. Enter an attribute name.
      2. Select an attribute from the drop-down list.
      3. Combine multiple IDaaS attributes for mapping.
    Example: If you combine <First Name>_<Last Name>, IDaaS replaces <First Name> and <Last Name> with their corresponding values and keeps the underscore (_) separator between the attributes. If IDaaS does not find the attribute, it leaves the attribute unchanged. For example, if <First Name> is defined as Jane and <Last Name> is not defined, the attribute result is Jane.
    6. Click Add.
    7. Repeat these steps for each additional custom user attribute you need to map.
  7. Click Save. The provisioner appears on the Provisioner List page with an authorize icon.
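The following is an added illustration, not IDaaS or Entrust code, of how the combine expressions and Data Type conversions described in step 6 turn IDaaS user attributes into a SCIM user payload. It assumes, from the Jane example above, that an undefined placeholder and the separator next to it are omitted, and the SCIM attribute paths and sample user are constructed for the illustration rather than taken from Salesforce's schema.

```python
import re
PLACEHOLDER = re.compile(r"<([^<>]+)>")  # IDaaS placeholder such as <First Name>
def combine(template, attrs):
    # Expand "<First Name>_<Last Name>"; an undefined placeholder is dropped together with
    # the separator joining it to its neighbour (assumed from the page's "Jane" example).
    parts = PLACEHOLDER.split(template)  # [literal, name, literal, name, ..., literal]
    out, emitted = [parts[0]], 0
    for i in range(1, len(parts), 2):
        value = attrs.get(parts[i])
        if value is None or value == "":
            continue  # attribute not defined for this user
        if emitted:
            out.append(parts[i - 1])  # separator immediately before this placeholder
        out.append(value)
        emitted += 1
    return "".join(out) + (parts[-1] if len(parts) > 1 else "")

def convert(value, data_type):
    # Apply the Data Type chosen in the SCIM Attribute dialog (string, boolean, number).
    if data_type == "string":
        return value
    if data_type == "boolean":
        return value.strip().lower() in ("true", "1", "yes")
    if data_type == "number":
        return float(value) if "." in value else int(value)
    raise ValueError(f"unsupported Data Type: {data_type}")

def build_scim_user(mappings, attrs):
    # mappings: (SCIM attribute path, Data Type, IDaaS template); dotted paths nest.
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for path, data_type, template in mappings:
        raw = combine(template, attrs)
        if raw == "":
            continue  # nothing resolved, so the attribute is left out of the request
        *parents, leaf = path.split(".")
        node = user
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = convert(raw, data_type)
    return user
# Constructed sample user; the profile ID is the page's example value, not a real one.
SAMPLE_ATTRS = {"First Name": "Jane", "Salesforce Username": "jane@example.com.idaas",
                "Active": "true", "Entitlement Profile": "ABC123D45678f9GH"}
SAMPLE_MAPPINGS = [  # attribute paths are illustrative, not Salesforce's exact schema
    ("userName", "string", "<Salesforce Username>"),
    ("displayName", "string", "<First Name>_<Last Name>"),
    ("name.familyName", "string", "<Last Name>"),
    ("active", "boolean", "<Active>"),
    ("entitlement.profile", "string", "<Entitlement Profile>"),
]
```

Because <Last Name> is undefined for the sample user, displayName resolves to Jane and name.familyName is omitted from the payload rather than sent empty.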

Step 6: Authorize and enable the provisioner

  1. Click next to the Provisioner. The General Settings page appears.

  2. In the Client ID field, enter the Consumer Key that you copied in Step 4: Obtain the Salesforce app Client ID, Client Secret, and Entitlement Profile attribute.

  3. In the Client Secret field, enter the Consumer Secret that you copied in Step 4: Obtain the Salesforce app Client ID, Client Secret, and Entitlement Profile attribute.

  4. Click Authorize to acquire OAuth access and refresh tokens.

  5. Follow the prompts that appear from Salesforce to allow access. An Authorized message appears on the General Settings page to confirm authorization.

  6. Click Send Test SCIM to do a SCIM call to Salesforce. A message appears to confirm a successful SCIM call to Salesforce.

  7. Click Save to return to the Provisioners List page.

    info

    If the Save fails, you may need to reauthorize and send a test SCIM again to save new refresh and access tokens.

  8. On the Provisioners List page, enable the provisioner as follows:

    1. Under Actions for the new provisioner, click . The Enable Provisioner prompt appears.
    2. Click Enable.

Step 7: Synchronize your users

  1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.

  2. Click next to the provisioner and then select . The Synchronize Provisioner dialog box appears.

  3. Click Synchronize.

    info

    Check the Audit Logs for errors after synchronizing your users for provisioning.

    warning

    Once a refresh token expires, you must re-authorize and repeat this step.

Step 8: Edit a provisioner

  1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.
  2. Click the name of the provisioner. The Edit Provisioner page appears.
  3. Make your required changes and then click Save.

warning

If you need to edit the provisioner, be aware that changing a group or an attribute mapping triggers many SCIM calls. Entrust recommends disabling the provisioner until you have completed all the required changes. When the provisioner is disabled, the only SCIM calls made are to delete users or provisioners, as applicable. In addition, you may need to reauthorize the provisioner if an authentication configuration has changed.