Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
The Elements of User Authentication
Passwords
Cookies
Single Sign-On
My Domain
Two-Factor Authentication
Network-Based Security
CAPTCHA Security for Data Exports
Session Security
Custom Login Flows
Single Sign-On
Connected Apps
User Provisioning for Connected Apps
Desktop Client Access
Configure User Authentication
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

User Provisioning for Connected Apps

Use the User Provisioning Wizard for connected apps to create, update, and delete user accounts in third-party apps based on users in Salesforce. For your Salesforce users, you can set up automatic account creation, updates, and deactivation for services such as G Suite and Box. You can also discover whether existing user accounts in the third-party system are already linked to a Salesforce user account.
Available in: both Salesforce Classic and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions

Connected apps link your users with third-party services and apps. User provisioning for connected apps lets you create, update, and manage user accounts for those services and apps automatically. This feature simplifies account creation and links your Salesforce users’ accounts to their third-party accounts. After these accounts are linked, you can configure the App Launcher to display the connected app as a tile. With a single click, users get instant access to the third-party service.

Here’s a user provisioning scenario. You configure user provisioning for a G Suite connected app in your org. Then you assign the Employees profile to that connected app. When you create a user in your org and assign the user to the Employees profile, the user is provisioned in G Suite. When the user is deactivated, or the profile assignment changes, the user is deprovisioned from G Suite.

User provisioning applies only to users with a profile or permission set that grants them access to the connected app.

Salesforce provides a wizard to guide you through the user provisioning settings for each connected app. You can also run reports to see who has access to specific third-party apps. These reports give you a centralized view of all user accounts across all connected apps.

User Provisioning Requests

After you configure user provisioning, Salesforce manages requests for updates on the third-party system. Salesforce sends user provisioning requests to the third-party system based on specific events in your org, either through the UI or API calls. The following table shows the events that trigger provisioning requests and their associated operations.

Event Operation Object
Create user Create User
Update user (for selected attributes) Update User
Disable user Deactivate User
Enable user Activate User
Freeze user Freeze UserLogin
Unfreeze user Unfreeze UserLogin
Reactivate user Reactivate User
Change user profile Create or Deactivate User
Assign or unassign a permission set to a user Create or Deactivate PermissionSetAssignment
Assign or unassign a profile to the connected app Create or Deactivate SetupEntityAccess
Assign or unassign a permission set to the connected app Create or Deactivate SetupEntityAccess

The operation value is stored in the UserProvisioningRequest object. Salesforce can either process the request immediately, or wait until an approval process completes (if you requested approvals when running the wizard). To process the request, Salesforce uses a flow of the type User Provisioning, which includes a reference to the Apex UserProvisioningPlugin class. The flow calls the third-party service’s API to manage user account provisioning on that system.

To send user provisioning requests based on events in Active Directory (AD), use Salesforce Identity Connect to capture those events and synchronize them into Salesforce. Then, Salesforce sends the user provisioning requests to the third-party system to provision or deprovision users.

Considerations

Entitlements
The roles and permissions for the service provider can’t be managed or stored in the Salesforce org. So specific entitlements to resources at the service provider aren’t included when a user requests access to a third-party app that has user provisioning enabled. With user provisioning, you can create a user account for a service provider. However, the service provider must manage any additional roles or permissions for the user.
Scheduled account reconciliation
Run the User Provisioning Wizard each time you want to collect and analyze users in the third-party system. You can’t configure an interval for an automatic collection and analysis.
Access recertification
After an account is created for the user, validation of the user’s access to resources at the service provider must be performed at the service provider.