Security Implementation Guide

Salesforce Security Implementation Guide
Security Overview
User Authentication
Passwords
Single Sign-on Overview
My Domain
Identity Providers
Network-Based Security
Session Security
Custom Login Flows
Configure User Authentication
Setting Login Restrictions
Set Password Policies
Expire Passwords for Your Users
Set Trusted IP Ranges for Your Organization
Modify Session Security Settings
Create a Login Flow
Connect a Login Flow to a Profile
Salesforce Two-Factor Authentication
Enabling Single Sign-On
Connected Apps
User Provisioning for Connected Apps
Desktop Client Access
User Authorization
Data Sharing Tools
Monitoring Your Organization's Security
Platform Encryption
Security Tips for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

User Provisioning for Connected Apps

As an administrator, use connected apps with user provisioning to create, update, and delete user accounts in third-party applications based on users in your Salesforce organization. For your Salesforce users, you can set up automatic account creation, updates, and deactivation for services such as Google Apps and Box. You can also discover existing user accounts in the third-party system and whether they are already linked to a Salesforce user account.
Available in: both Salesforce Classic and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions

User Permissions Needed
To read: “Customize Application”
To create, update, or delete: “Customize Application” AND either

“Modify All Data” OR “Manage Connected Apps
To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: “Customize Application”
To update Profiles, Permission Sets, and Service Provider SAML Attributes: “Customize Application” AND “Modify All Data”
To uninstall: “Download AppExchange Packages”

Connected apps link your users with third-party services and applications. User provisioning for connected apps lets you create, update, and manage user accounts for those services and applications. This feature simplifies account creation for services such as Google Apps, and links your Salesforce users’ accounts to their third-party accounts. After these accounts are linked, you can configure the App Launcher, so your users click the connected app icon in the App Launcher and get instant access to the target service.

User provisioning applies only to users assigned to a profile or permission set granting them access to the configured connected app. For example, you can configure user provisioning for a Google Apps connected app in your organization. Then assign the profile “Employees” to that connected app. When a new user is created in your organization and assigned the “Employees” profile, the user is automatically provisioned in Google Apps. Also, when the user is deactivated, or the profile assignment changes, the user is automatically de-provisioned from Google Apps.

Salesforce provides a wizard to guide you through the user provisioning settings for each connected app.

And, you can run reports to see who has access to specific third-party applications with a centralized view of all user accounts across all connected apps.

User Provisioning Requests

After you configure user provisioning, Salesforce manages requests for updates on the third-party system. Salesforce sends user provisioning requests to the third-party system based on specific events in your organization, either through the UI or through API calls. The following table shows the events that trigger user provisioning requests.

Event Operation Object
Create user Create User
Update user (for selected attributes) Update User
Disable user Deactivate User
Enable user Activate User
Freeze user Freeze UserLogin
Unfreeze user Unfreeze UserLogin
Reactivate user Reactivate User
Change user profile Create/Deactivate User
Assign/Unassign a permission set to a user Create/Deactivate PermissionSetAssignment
Assign/Unassign a profile to the connected app Create/Deactivate SetupEntityAccess
Assign/Unassign a permission set to the connected app Create/Deactivate SetupEntityAccess

The operation value is stored in the UserProvisioningRequest object. Salesforce can either process the request, immediately, or wait for a complete approval process (if you add an approval process during the User Provisioning Wizard steps). To process the request, Salesforce uses a flow of the type User Provisioning, which includes a reference to the Apex UserProvisioningPlugin class. The flow calls the third-party service’s API to manage user account provisioning on that system.

If you want to send user provisioning requests based on events in Active Directory, use Salesforce Identity Connect to capture those events and synchronize them into your Salesforce organization. Then, Salesforce sends the user provisioning requests to the third-party system to provision or de-provision users.

Limitations

Entitlements
The roles and permissions for the service provider can’t be managed or stored in the Salesforce organization. So, specific entitlements to resources at the service provider are not included when a user requests access to a third-party app that has user provisioning enabled. While a user account can be created for a service provider, any additional roles or permissions for that user account should be managed via the service provider.
Scheduled account reconciliation
Run the User Provisioning Wizard each time you want to collect and analyze users in the third-party system. You can’t configure an interval for an automatic collection and analysis.
Access re-certification
After an account is created for the user, validation of the user’s access to resources at the service provider must be performed at the service provider.