Get to Know Identity Connect
- Describe the Identity Connect benefits for user provisioning and SSO.
- List ways in which Salesforce admins benefit from Identity Connect.
- Explain the advantage of Identity Connect licensing.
- Describe the general process for installing Identity Connect.
As a Salesforce admin for Jedeye Tech, you’re intrigued by the prospect of leveraging IT’s user management efforts when managing Salesforce users. Imagine having the ability to automatically create your Salesforce users when they’re added to AD. And what if you didn’t have to worry about assigning profiles and perm sets? Or Salesforce usernames and passwords? What if you can automatically deny access to Salesforce as soon as a user is terminated? How much time can you save? Instead of wondering, deploy Salesforce Identity Connect.
Identity Connect is a Salesforce Identity product that helps Salesforce admins apply all the data collected in AD to automate Salesforce user management. It syncs changes in AD within seconds.
Your IT colleague Ruth Cloudwater manages AD users. She works full-time maintaining all the company's users—from their first day to their last. She makes sure that users have appropriate access to apps and data to get their job done. She also makes sure that employees leaving the company don't leave with any company assets. When people rise up the ranks, she makes sure that their group access keeps up. If you can piggyback off Ruth's efforts, life will be good.
If Identity Connect can take away some of the burden of managing Salesforce users, the Jedeye Tech CIO, Oliver Owens, will be all for it. But before you pitch Identity Connect to Oliver, let’s learn about the product. Lucky for you, that’s what this Trailhead module is for.
You can get the most out of this module if you're familiar with managing Salesforce users and permissions. Being familiar with integrating data, JSON, and deploying software on your network is a plus.
If you don’t use Active Directory to manage your users company-wide, this module probably isn’t for you...unless you’re determined to get this awesome badge.
When Identity Connect detects differences between AD and Salesforce, it updates Salesforce with the information in AD. Data transfer is in one direction and AD is the source of truth. Identity Connect never changes information that's stored in AD.
If you change the user in Salesforce, the Salesforce changes go away with the next sync. Nothing to worry about, though. You can tell Identity Connect not to update certain fields if you want to manage them in Salesforce.
Provisioning users manually is error-prone and time-consuming. By using Identity Connect to automatically onboard (and offboard) users, you streamline the process of creating users and managing their access to apps and data. Instead of duplicating the effort to create users and set up permissions, use the information that's already stored in AD.
When users are added to AD, they can access Salesforce with the same username and password they use for AD.
Users don't need to remember an extra username and password. You don't have to manage separate user credentials in Salesforce. Jedeye's Help Desk doesn't need to field more forgotten password calls.
What if Jedeye Tech already has an SSO solution? No worries. You can keep your SSO solution and use Identity Connect just for user provisioning.
Here’s Jen’s experience when she joined a company that has Identity Connect.
Jen recalls her first day with the company. By 10 AM, she’s up and running. She has her laptop. She logs in with her corporate credentials, and she logs in to Salesforce with the same password. Her Salesforce user is already created with all the correct information, including her manager’s name, and she has access to the apps and data she needs.
Jen starts working her contacts immediately. With immediate access to Salesforce on her mobile device, Jen can stay connected when she’s on the road. Such a difference from her previous position, where it took over 2 weeks for IT to create her in Salesforce. After a few years, things change as they always do. When Jen gets married and changes her name, Salesforce is immediately updated with AD. When Jen is promoted to sales manager, her access is updated too.
Having Identity Connect prevents problems like Jedeye Tech had when Garth Moll quit Jedeye and took a job at competitor Inky Verge Systems. IT disabled Garth’s AD user account right away but forgot about disabling his Salesforce access. Garth’s Salesforce session was still running on his mobile device, and he managed to slip away with a year’s worth of competitive data.
If you had Identity Connect, Garth would have been immediately booted off Salesforce when his AD user was deactivated. No company secrets would now be in competitors’ hands.
Identity Connect only needs read-only access to the users and groups in AD that you want to sync with Salesforce.
For more information on Identity Connect licenses, contact your account team.
Identity Connect comes with everything you require to try out basic user provisioning and authentication: the application, web services, and an OrientDB database (for storing Identity Connect settings and logs). If you prefer a different database, you can replace OrientDB when you deploy Identity Connect.
- Identity Connect requires My Domain. If you’re not familiar with this Identity product, you can check out the User Authentication module to learn more.
- Decide how Identity Connect fits in with your network infrastructure.
- Install Identity Connect on one or more computers.
- Configure the connection between AD and Identity Connect.
- In Salesforce, create a connected app to connect Identity Connect to Salesforce.
- Determine the best way to map your data between AD and Salesforce.
- Configure a synchronization schedule.
- Run pre-sync reconciliation report. Analyze, link, and clean up user data.
- Run sync then post-sync reports.
- Configure SSO (optional).
Unfortunately, we can’t provide you with a hands-on challenge for this module because Identity Connect requires Active Directory.
Here’s what Winston Chir, VP of IT at Salesforce, says about Identity Connect.
With tens of thousands of employees and partners, we’ve become experts at managing Salesforce users. But that wasn’t always the case. At first, IT used a bunch of homegrown scripts to manage users. It was a time-consuming process to get it right for our own environment, and we saw customers struggling with these same problems. So Salesforce released Identity Connect.
All the work that went into Identity Connect paid for itself ten-fold when something huge happened: the ExactTarget merger. ExactTarget had its own AD environment with thousands of users who needed access to the orgs we use to run our business.
Identity Connect simplified an otherwise overwhelming effort. When we deployed it, all ExactTarget users were able to access Salesforce, with the appropriate levels of access, using their current usernames and passwords. Instead of taking months without Identity Connect, the process took no time at all. ExactTarget users joined our Ohana with little disruption of business and the Salesforce Marketing Cloud was born.
According to Winston, Salesforce IT uses Identity Connect to manage multiple AD infrastructures into a Salesforce instance. Identity Connect allows users to have a single identity across hundreds of Salesforce instances, thousands of apps developed in Heroku and AWS, and hundreds of third-party web apps. Users have one identity across all IT services.