EmpowerID includes a Salesforce connector that allows organizations to bring the user data (user accounts, profiles and roles) in their Salesforce domain to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories Salesforce, it creates an account in the EmpowerID Identity Warehouse for each Salesforce user, a group for each Salesforce profile, and a group for each Salesforce role. EmpowerID distinguishes these groups from one another by group type. Groups created for Salesforce profiles have a group type of ProfileGroup (GroupTypeID of 15), while groups created for roles have a group type of PrimaryRoleGroup (GroupTypeID of 16). This information becomes important if you use EmpowerID to create users in Salesforce, as each Salesforce user must have a profile.
Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Salesforce accounts for any person within your organization based on their role. For example, if your organization has a sales department, each time a new hire occurs within that department, EmpowerID can provision a Salesforce account for that individual with the profile specified in the Provisioning policy. For more information on Resource Entitlements and Salesforce, see Creating Provisioning Policies for Salesforce.
Prerequisites: In order to connect EmpowerID to Salesforce, you must have a Salesforce domain with an account that EmpowerID can use to connect to Salesforce. At a minimum, this account must have a profile with permission to read the user data in Salesforce. If you plan to use EmpowerID to provision, deprovision and modify the user data in Salesforce, the profile needs to have create, update and delete permissions as well. Additionally, you must provide EmpowerID with the token generated by Salesforce for the account.
This topic demonstrates how to connect EmpowerID to Salesforce.
To connect EmpowerID to Salesforce
Log in to the EmpowerID Management Console as an administrator.
From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager from the menu.
In Configuration Manager, expand the User Directories node and then click Account Stores.
Click the Add New button located above the Account Stores grid.
In the Add New Security Boundary window that opens, select the Salesforce.com Security Boundary type from the drop-down list and then click OK.
In the Add Salesforce Connection window that appears, do the following:
In the Username field, type the username of the Salesforce account you created in Salesforce for EmpowerID.
Type the password for the account in the Password and Confirm Password fields.
In the Service Account Token field, type the value of the token generated by Salesforce for the selected user account.
In the Certificate Thumbprint field, type the thumbprint of the certificate that EmpowerID is to use to encrypt the Salesforce connection data. It is recommended that the certificate be the same as that which you are using in your EmpowerID deployment.
If the values entered in the Add Salesforce Connection window are incorrect, EmpowerID will not be able to authenticate to Salesforce and the connection will fail.
Click OK to close the Add Salesforce Connection window.
If the connection is successful, EmpowerID creates the Salesforce connection and opens the Account Store Details screen for the Salesforce account store. This screen contains settings for configuring how EmpowerID manages the Salesforce account store.
Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.
When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
How many user accounts can one Person have in the account store?
If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
From the General pane of the Salesforce Account Store Details screen, enable each desired feature by toggling the icon to the right of each feature from a red sphere to a green check box. For example, if you wish to allow password synchronization to occur between EmpowerID and Salesforce, toggle the red sphere to the right of Allow Password Sync to a green check box.
In the Inventory pane of the Account Store Details screen for the Salesforce account store, toggle the icon to the right of the Allow Automatic Person Provision On Inventory setting from a red sphere to a green check box. This instructs EmpowerID to create a linked EmpowerID Person object for each new, unique Salesforce user account discovered during the inventory process.
In the Inventory pane of the Account Store Details screen for the Salesforce account store, click the Edit button to the right of Business Role for New Inventory Provision and select an appropriate Business Role for each new Person provisioned during the inventory of your Salesforce.
Click OK to close the Business Role Selector.
Back in the Inventory pane of the Account Store Details screen for the Salesforce account store, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each Person EmpowerID provisions during the inventory of your Salesforce from the Location Selector.
Click OK to close the Location Selector.
Navigate to the main screen of Configuration Manager and click the Attribute Flow Rules node underneath User Directories.
Select the Salesforce domain from the Account Stores drop-down located above the Attribute Flow Rules editor. You should see all Attribute Flow Rules set to allow no attribute flow (indicated by the red sphere).
From the Attribute Flow Rules editor, toggle each Attribute Flow Rule to achieve the desired rules. When selecting the rules you have the following options for each attribute:
No Sync - When this option is selected, no information flows between EmpowerID and Salesforce.
Bidirectional Flow - When this option is selected, changes made within EmpowerID update Salesforce and vice-versa.
Account Store Changes Only - When this option is selected, changes can only be made to the selected attribute(s) in Salesforce and passed to EmpowerID.
EmpowerID Changes Only - When this option is selected, changes can only be made to the selected attribute(s) in EmpowerID and are then passed to Salesforce.
In our example, we have set the Attribute Flow Rules to EmpowerID Changes Only for all attributes except the Manager attribute, which is set to No Sync. In this way, all attributes except for the Salesforce ManagerId can only be changed in EmpowerID.
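The four rule values above decide, per attribute, which side of the connection is allowed to originate a change. The following added example (not EmpowerID code; attribute names and sample values are constructed) models that decision for the configuration just described, all attributes EmpowerID Changes Only except ManagerId at No Sync, and additionally flags an edit made directly in Salesforce on an attribute that only EmpowerID may change, so that such drift is reverted rather than silently accepted:

```python
# Attribute flow rule names as they appear in the EmpowerID Attribute Flow Rules editor.
NO_SYNC = "No Sync"
BIDIRECTIONAL = "Bidirectional Flow"
STORE_ONLY = "Account Store Changes Only"
EMPOWERID_ONLY = "EmpowerID Changes Only"

# The page's example configuration: all EmpowerID Changes Only except Manager (ManagerId) = No Sync. Attribute names assumed.
EXAMPLE_RULES = {"FirstName": EMPOWERID_ONLY, "LastName": EMPOWERID_ONLY,
                 "Email": EMPOWERID_ONLY, "ManagerId": NO_SYNC}

def plan_attribute_flow(rules, last_synced, empowerid_now, store_now):
    """Decide per attribute which way a change may flow. Each side is compared with
    the last-synced snapshot, so an edit on the wrong side of a one-way rule lands in
    'revert' (authoritative value restored) instead of silently flowing."""
    plan = {"push": {}, "pull": {}, "revert": {}, "conflict": {}, "ignored": {}}
    for attr, rule in rules.items():
        base, eid, sf = last_synced.get(attr), empowerid_now.get(attr), store_now.get(attr)
        eid_changed, sf_changed = eid != base, sf != base
        if not (eid_changed or sf_changed):
            continue  # nothing changed on either side for this attribute
        if rule == NO_SYNC:
            plan["ignored"][attr] = {"empowerid": eid, "salesforce": sf}
        elif rule == BIDIRECTIONAL:
            if eid_changed and sf_changed and eid != sf:  # both sides edited: needs a human decision
                plan["conflict"][attr] = {"empowerid": eid, "salesforce": sf}
            elif eid_changed:
                plan["push"][attr] = eid   # EmpowerID value written to Salesforce
            else:
                plan["pull"][attr] = sf    # Salesforce value written to EmpowerID
        elif rule == EMPOWERID_ONLY:
            if sf_changed and sf != eid:   # Salesforce-side edit is not allowed under this rule
                plan["revert"][attr] = {"found": sf, "restore": eid}
            elif eid_changed:
                plan["push"][attr] = eid
        elif rule == STORE_ONLY:
            if eid_changed and eid != sf:  # EmpowerID-side edit is not allowed under this rule
                plan["revert"][attr] = {"found": eid, "restore": sf}
            elif sf_changed:
                plan["pull"][attr] = sf
        else:
            raise ValueError(f"unknown attribute flow rule for {attr}: {rule}")
    return plan

def demo():
    """Constructed sample: LastName changed in EmpowerID; Email and ManagerId edited directly in Salesforce."""
    last = {"FirstName": "Ada", "LastName": "Lovelace", "Email": "ada@example.com", "ManagerId": "mgr-A"}
    eid = dict(last, LastName="Lovelace-King")
    sf = dict(last, Email="ada.l@example.com", ManagerId="mgr-B")
    return plan_attribute_flow(EXAMPLE_RULES, last, eid, sf)
```

Running demo() pushes the new LastName to Salesforce, reverts the Salesforce-side Email edit to the EmpowerID value, and leaves the ManagerId difference untouched because Manager is No Sync.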
Return to the Account Store Details screen for the Salesforce domain.
From the Inventory pane of the Account Store Details screen for the Salesforce account store, click the red sphere to the left of Enable Inventory so that the red sphere becomes a green check box. This allows EmpowerID to inventory your Salesforce domain and create the appropriate user accounts and Person objects in EmpowerID.
After several minutes, refresh the Account Store data by pressing the Refresh Data button located at the top of the Account Store Details screen. You should see that EmpowerID has inventoried the accounts in your Salesforce domain and provisioned the requisite number of EmpowerID Persons for those accounts.
Once you have connected EmpowerID to Salesforce, you can view and manage the users and groups associated with it from the Salesforce Manager page in EmpowerID, located at "https://<YourEmpowerIDServer>/empowerid/#Common/Find/SalesforceManager".