Consider Other Features
- Explain ways in which the Identity Connect login page can be branded.
- Describe best practices for synchronization.
- List the Identity Connect reports that you can generate.
- Describe best practice for disabling Salesforce passwords.
- Describe when to implement IWA.
Brand the Login Page
Out of the box, users log in to Identity Connect from a login page that displays the Salesforce logo.
Do you prefer to have your users see your Jedeye Technologies logo instead? It’s a simple change when you take advantage of Identity Connect’s branding features.
From Settings at the top-right of the Identity Connect console, select Customize Theme. The branding page lets you change:
- Your logo
- The background and button colors on the login page
Live Versus Scheduled Updates
You determine when Identity Connect syncs data between AD and Salesforce from this Data Synchronization page.
Should you choose Schedule Updates or Live Updates? Turns out it’s kind of a trick question. The answer is both. Use Live Updates to catch changes as they occur. Use Schedule Updates to make sure that nothing is missed.
Live Updates: Identity Connect monitors AD and updates Salesforce as changes occur. It’s not a full comparison of everything in both systems, though. So if either the Identity Connect or the primary AD server goes offline, it’s possible to miss AD changes that occurred during that time. Some changes might not propagate to Salesforce when the system comes back online. That's where Scheduled Updates comes in.
Schedule Updates: Identity Connect makes a full comparison between AD and Salesforce. It collects all user and group information from AD and Salesforce and compares all the data. If any differences exist, Identity Connect updates Salesforce with the data from AD.
Salesforce recommends using Schedule Updates at most once per day. Most customers run Schedule Updates every night or every weekend. Even though the mechanism ensures that the data is in sync, Scheduled Updates consume more resources—including API calls. Live Updates has less impact on API limits because Identity Connect connects to Salesforce only when it detects changes to user settings in AD.
For user provisioning, Identity Connect connects with Salesforce over REST APIs to validate and update user settings.
These read and write operations count against the org’s API limits. Schedule Updates consumes more API requests than Live Updates because each schedule sync validates the settings for each user. Live Updates doesn’t consume as many API calls because Identity Connect connects to Salesforce only when it detects changes to user settings in AD.
API usage hasn’t been a problem for most customers. But if you’re close to reaching your API limits, keep this in mind when you implement Identity Connect.
Identity Connect in a Production Org
If you’re configuring Identity Connect in an existing Salesforce org, make sure that you don’t unintentionally change user profile and permission sets.
Be sure to test thoroughly before syncing all users in your production org. Not to scare anyone, but we’ve seen cases where a Salesforce admin scheduled a sync before completing the Identity Connect setup, and changed the profile for every user in their Salesforce org.
Best practice: Start out small. Before you sync everyone, sync a specific user, such as a member of your team. Check that the permissions were mapped correctly. Then sync your Salesforce org.
From the Identity Connect console, you can generate different types of reports for different stages.
Run a reconciliation report before syncing. It reports how many users in Salesforce don’t map to AD.
After a sync, run a synchronization report to troubleshoot failed sync operations. It lists all the synchronization operations that occurred, along with the date, number of records synced, and number of records that failed to sync.
Run a User Activity report to see which users succeeded and which users failed to log in to Identity Connect.
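The full comparison that Schedule Updates performs, and the "users in Salesforce that don’t map to AD" count that the reconciliation report gives you, can be modelled in a few lines. This is an added illustration, not Identity Connect code: the user records are constructed sample data, the mapping key (email address) and the per-user API-call costs are assumptions, and in the model AD always wins on a difference, as the text describes.

```python
# Toy model of an Identity Connect scheduled (full-comparison) sync and of the
# reconciliation report. Added illustration; not Identity Connect's own code.

# Constructed sample data. Keying on the email address is an assumption; the
# real mapping attribute is whatever you configured in the Identity Connect console.
AD_USERS = {
    "ana@jedeye.example": {"first": "Ana", "last": "Ortiz", "active": True, "groups": {"Sales"}},
    "ben@jedeye.example": {"first": "Ben", "last": "Lee", "active": True, "groups": {"Support"}},
    "cho@jedeye.example": {"first": "Cho", "last": "Park", "active": False, "groups": set()},
}
SF_USERS = {
    "ana@jedeye.example": {"first": "Ana", "last": "Ortiz", "active": True, "groups": {"Sales"}},
    "ben@jedeye.example": {"first": "Ben", "last": "Li", "active": True, "groups": {"Support"}},
    "dee@jedeye.example": {"first": "Dee", "last": "Shaw", "active": True, "groups": {"Admin"}},
}


def reconcile(ad, sf):
    """Reconciliation report: Salesforce users that have no matching AD account."""
    return sorted(set(sf) - set(ad))


def full_compare(ad, sf):
    """Schedule Updates: compare every record; on any difference, AD data wins.

    Unmapped Salesforce users are only reported, not modified."""
    plan = {"create": [], "update": [], "unchanged": [], "unmapped": reconcile(ad, sf)}
    for key, ad_rec in ad.items():
        sf_rec = sf.get(key)
        if sf_rec is None:
            plan["create"].append(key)
        elif sf_rec != ad_rec:
            plan["update"].append(key)
        else:
            plan["unchanged"].append(key)
    return plan


def scheduled_api_calls(plan):
    """Assumed cost model: every AD user is validated (one read) and each
    create or update costs one write. Shows why a full sync is API-hungry."""
    reads = len(plan["create"]) + len(plan["update"]) + len(plan["unchanged"])
    writes = len(plan["create"]) + len(plan["update"])
    return reads + writes


def live_api_calls(changed_keys):
    """Assumed cost model for Live Updates: one read and one write, but only
    for the users whose AD settings actually changed."""
    return 2 * len(changed_keys)
```

Run `full_compare(AD_USERS, SF_USERS)` to see that a full sync touches every AD user, while a single AD change under Live Updates costs calls for that user only.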
Use My Domain to Redirect Users to Identity Connect
You’ve created a My Domain for your org, now make it work for you. You can redirect users to Identity Connect directly from your My Domain configuration page.
- From Setup, enter My Domain and select My Domain.
- In Authentication Configuration, click Edit.
- For Authentication Service, select Identity Connect.
- Save your changes.
Disable Salesforce Passwords
Disable Salesforce passwords to ensure that your users log in to Salesforce with their AD credentials. Without a Salesforce password, users can never bypass Identity Connect when logging in.
Why do you want to prevent users from bypassing Identity Connect? It’s advantageous to both admins and users. Help Desk has fewer passwords to reset. Users have fewer passwords to remember—and one less click to make.
Disabling Salesforce passwords is also a big win for reducing compliance overhead. Set your password strength requirements in AD and force all users to use that password. Then you can simply test AD password strength to demonstrate compliance.
To disable passwords, Salesforce Support must enable Delegated Authentication. Then you can set Is Single Sign-On Enabled on the profile of users who won’t have a Salesforce password.
Password Sync Plug-In
Password Sync is an optional plug-in that clones your AD password into Salesforce. With it, users can log in to login.salesforce.com (or https://myDomainName.my.salesforce.com) using their Salesforce username and AD password.
The password sync plug-in is an advanced feature that isn’t implemented often but is an SSO alternative that’s useful under certain circumstances. Use the password sync plug-in to avoid exposing your Identity Connect login page outside your corporate network.
You can also use it if your company doesn’t support mobile VPN, but you want users to be able to log in to Salesforce with their AD password.
Password sync works by installing an agent on an Active Directory server instance (domain controller). The agent captures a password every time it changes and sends it to Salesforce through Identity Connect.
Implementing password sync requires experience in installing the AD agent and managing certificates. It also requires programming experience because you must provide custom Apex code for Salesforce to handle the password change.
Integrated Windows Authentication (IWA)
Integrated Windows Authentication (IWA) offers another way to provide SSO. It’s based on Kerberos authentication.
Most companies use the SSO feature that comes with Identity Connect if they don’t already have another solution. For larger installations, consider integrating Identity Connect with IWA.
Having Identity Connect integrated with IWA saves users an extra login. Once users log in to their computers with their AD username and password, Identity Connect recognizes the user and doesn’t prompt them to log in to Salesforce. If your company has experience with IWA or an Identity partner with IWA experience, consider this feature.
Other than collecting your Identity Connect badge, what do you do now?
We’ve shown you:
- Why Identity Connect is a good idea
- What sort of information you can get automatically from AD
- How you can set up access control once and let Identity Connect take over
- How Identity Connect can fit into your network infrastructure
- Some Identity Connect features to consider
- Some gotchas to be aware of
Now that you’re armed with this knowledge, you can work with your stakeholders to decide whether Identity Connect is right for your company.