
Consider Other Features

Learning Objectives

After completing this module, you’ll be able to:
  • Explain ways in which the Identity Connect login page can be branded.
  • Describe best practices for synchronization.
  • List the Identity Connect reports that you can generate.
  • Describe best practice for disabling Salesforce passwords.
  • Describe when to implement IWA.


Brand the Login Page

Out of the box, users log in to Identity Connect from a login page that displays the Salesforce logo.

Do you prefer to have your users see your Jedeye Technologies logo instead? It’s a simple change when you take advantage of Identity Connect’s branding features.

Login page with Salesforce logo that can be replaced

From Settings at the top-right of the Identity Connect console, select Customize Theme. The branding page lets you change:

  • Your logo
  • The background and button colors on the login page

Live Versus Scheduled Updates

You determine when Identity Connect syncs data between AD and Salesforce from this Data Synchronization page.

Schedule sync page

Should you choose Schedule Updates or Live Updates? Turns out it’s kind of a trick question. The answer is both. Use Live Updates to catch changes as they occur. Use Schedule Updates to make sure that nothing is missed.

Live Updates

Identity Connect monitors AD and updates Salesforce as changes occur. It’s not a full comparison of everything in both systems, though. So if either the Identity Connect server or the primary AD server goes offline, it’s possible to miss AD changes that occurred during that time. Some changes might not propagate to Salesforce when the system comes back online. That’s where Schedule Updates comes in.

Schedule Updates

Identity Connect makes a full comparison between AD and Salesforce. It collects all user and group information from AD and Salesforce and compares all the data. If any differences exist, Identity Connect updates Salesforce with the data from AD.

Salesforce recommends using Schedule Updates at most once per day. Most customers run Schedule Updates every night or every weekend. Even though the mechanism ensures that the data is in sync, Scheduled Updates consume more resources—including API calls. Live Updates has less impact on API limits because Identity Connect connects to Salesforce only when it detects changes to user settings in AD.

API Limits

For user provisioning, Identity Connect connects with Salesforce over REST APIs to validate and update user settings.

These read and write operations count against the org’s API limits. Schedule Updates consumes more API requests than Live Updates because each schedule sync validates the settings for each user. Live Updates doesn’t consume as many API calls because Identity Connect connects to Salesforce only when it detects changes to user settings in AD.

API usage hasn’t been a problem for most customers. But if you’re close to reaching your API limits, keep this in mind when you implement Identity Connect.

Identity Connect in a Production Org

If you’re configuring Identity Connect in an existing Salesforce org, make sure that you don’t unintentionally change user profile and permission sets.

Be sure to test thoroughly before syncing all users in your production org. Not to scare anyone, but we’ve seen cases where a Salesforce admin scheduled a sync before completing the Identity Connect setup, and changed the profile for every user in their Salesforce org.

Best practice: Start out small. Before you sync everyone, sync a specific user, such as a member of your team. Check that the permissions were mapped correctly. Then sync your Salesforce org.

Reports

From the Identity Connect console, you can generate different types of reports for different stages.

Run a reconciliation report before syncing. It reports how many users in Salesforce don’t map to AD.

Reconciliation report
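To make the difference between the two sync modes concrete, here is an added example (not Identity Connect's or Salesforce's own code) that models a full Schedule Updates comparison next to a Live Updates pass over observed change events, counts the reads and writes each one would spend, and produces the count that a reconciliation report gives you: Salesforce users with no AD counterpart. It also shows the "start out small" pilot from the production-org section by restricting the comparison to one user. The users, the jedeye.example domain and the one-read-per-validated-record, one-write-per-change cost model are all constructed assumptions; Identity Connect's real API call pattern is not documented on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """The subset of user settings this model compares; a real sync covers more fields."""
    username: str
    profile: str
    active: bool = True


@dataclass
class SyncPlan:
    updates: dict      # username -> User record to push to Salesforce (create or correct)
    unmapped: list     # Salesforce users with no AD counterpart (reconciliation report)
    read_calls: int    # Salesforce reads spent validating existing records (assumed cost model)
    write_calls: int   # Salesforce writes spent applying updates (assumed cost model)


# Constructed sample snapshots for a hypothetical jedeye.example tenant, not real data.
AD_USERS = {
    "alice@jedeye.example": User("alice@jedeye.example", "Standard User"),
    "bob@jedeye.example": User("bob@jedeye.example", "Sales Manager"),
    "carol@jedeye.example": User("carol@jedeye.example", "Standard User", active=False),
    "erin@jedeye.example": User("erin@jedeye.example", "Standard User"),  # new hire, not yet in Salesforce
}
SF_USERS = {
    "alice@jedeye.example": User("alice@jedeye.example", "Standard User"),
    "bob@jedeye.example": User("bob@jedeye.example", "Standard User"),        # profile drifted from AD
    "carol@jedeye.example": User("carol@jedeye.example", "Standard User"),    # still active in Salesforce
    "dave@jedeye.example": User("dave@jedeye.example", "System Administrator"),  # no AD account at all
}


def reconciliation_report(ad, sf):
    """Salesforce users that don't map to AD: what the reconciliation report counts."""
    return sorted(name for name in sf if name not in ad)


def drift(ad, sf):
    """AD users whose Salesforce record is missing or differs from AD."""
    return sorted(name for name, user in ad.items() if sf.get(name) != user)


def scheduled_sync(ad, sf, pilot=None):
    """Schedule Updates: compare every user in both systems; AD wins on any difference.

    pilot restricts the comparison to a few usernames, the 'start out small' check
    to run before letting the sync loose on a production org.
    """
    names = set(ad) | set(sf)
    if pilot is not None:
        names &= set(pilot)
    updates, reads = {}, 0
    for name in sorted(names):
        if name in sf:
            reads += 1                 # validate the existing Salesforce record
        if name not in ad:
            continue                   # unmapped user: reported, never modified
        if sf.get(name) != ad[name]:
            updates[name] = ad[name]   # create a missing user or correct a drifted one
    return SyncPlan(updates, reconciliation_report(ad, sf), reads, len(updates))


def live_sync(events, sf):
    """Live Updates: act only on the AD change events that were actually observed."""
    updates, reads = {}, 0
    for user in events:
        reads += 1
        if sf.get(user.username) != user:
            updates[user.username] = user
    return SyncPlan(updates, [], reads, len(updates))


def apply_plan(plan, sf):
    """Return the Salesforce snapshot after the plan's writes (pure, for inspection)."""
    merged = dict(sf)
    merged.update(plan.updates)
    return merged


if __name__ == "__main__":
    # Only bob's change was captured; carol's deactivation and erin's creation
    # happened while Identity Connect was offline and were never observed.
    observed = [AD_USERS["bob@jedeye.example"]]
    live = live_sync(observed, SF_USERS)
    after_live = apply_plan(live, SF_USERS)
    print("live:      reads", live.read_calls, "writes", live.write_calls,
          "still drifted", drift(AD_USERS, after_live))

    full = scheduled_sync(AD_USERS, after_live)
    print("scheduled: reads", full.read_calls, "writes", full.write_calls,
          "unmapped", full.unmapped,
          "drift after", drift(AD_USERS, apply_plan(full, after_live)))

    pilot = scheduled_sync(AD_USERS, SF_USERS, pilot={"alice@jedeye.example"})
    print("pilot:     reads", pilot.read_calls, "writes", pilot.write_calls)
```

Running it shows the trade-off the text describes: the live pass costs one read and one write but leaves carol and erin drifted because their changes were never seen, while the scheduled pass reads every Salesforce record (including the unmapped dave) and clears the drift. The pilot call touches a single user and writes nothing, which is the kind of dry run to do before syncing a whole production org.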

After a sync, run a synchronization report to troubleshoot failed sync operations. It lists all the synchronization operations that occurred, along with the date, number of records synced, and number of records that failed to sync.

Synchronization report

Run a User Activity report to see which users succeeded and which users failed to log in to Identity Connect.

User activity report

Use My Domain to Redirect Users to Identity Connect

You’ve created a My Domain for your org. Now make it work for you. You can redirect users to Identity Connect directly from your My Domain configuration page.
  1. From Setup, enter My Domain and select My Domain.
  2. Under Authentication Configuration, select Identity Connect.

My Domain configuration with Identity Connect

Disable Salesforce Passwords

Disable Salesforce passwords to ensure that your users log in to Salesforce with their AD credentials. Without a Salesforce password, users can never bypass Identity Connect when logging in.

Identity Connect login page

Why do you want to prevent users from bypassing Identity Connect? It’s advantageous to both admins and users. Help Desk has fewer passwords to reset. Users have fewer passwords to remember—and one less click to make.

Disabling Salesforce passwords is also a big win for reducing compliance overhead. Set your password strength requirements in AD and force all users to use that password. Then you can simply test AD password strength to demonstrate compliance.

Note

For safety, make sure that a few admins have both an AD and Salesforce username and password. This way, if Identity Connect is down, they can still log in to Salesforce. For the admins who have both AD and Salesforce credentials, set up two-factor authentication for good measure.

To disable passwords, Salesforce Support must enable Delegated Administration. Then you can set Is Single Sign-On Enabled on the profile of users who won’t have a Salesforce password.

Password Sync Plug-In

Password Sync is an optional plug-in that clones your AD password into Salesforce. With it, users can log in to login.salesforce.com (or https://mydomain.my.salesforce.com) using their Salesforce username and AD password.

The password sync plug-in is an advanced feature that isn’t implemented often but is an SSO alternative that’s useful under certain circumstances. Use the password sync plug-in to avoid exposing your Identity Connect login page outside your corporate network.

You can also use it if your company doesn’t support mobile VPN, but you want users to be able to log in to Salesforce with their AD password.

Password sync works by installing an agent on an Active Directory server instance (domain controller). The agent captures a password every time it changes and sends it to Salesforce through Identity Connect.

Implementing password sync requires experience in installing the AD agent and managing certificates. It also requires programming experience because you must provide custom Apex code for Salesforce to handle the password change.

Warning

Before you implement Password Sync, ask your Security Team to review and approve it. Any features that involve passwords or authentication protocols can conflict with a company’s security policies.

Integrated Windows Authentication (IWA)

Integrated Windows Authentication (IWA) offers another way to provide SSO. It’s based on Kerberos authentication.

Most companies use the SSO feature that comes with Identity Connect if they don’t already have another solution. For larger installations, consider integrating Identity Connect with IWA.

Integrating Identity Connect with IWA saves users an extra login. Once users log in to their computers with their AD username and password, Identity Connect recognizes them and doesn’t prompt them to log in to Salesforce. If your company has experience with IWA, or works with an identity partner that does, consider this feature.

What’s Next?

Other than collecting your Identity Connect badge, what do you do now?

We’ve shown you:

  • Why Identity Connect is a good idea
  • What sort of information you can get automatically from AD
  • How you can set up access control once and let Identity Connect take over
  • How Identity Connect can fit into your network infrastructure
  • Some Identity Connect features to consider
  • Some gotchas to be aware of

Now that you’re armed with this knowledge, you can work with your stakeholders to decide whether Identity Connect is right for your company.
