Consider Other Features
- Explain ways in which the Identity Connect login page can be branded.
- Describe best practices for synchronization.
- List the Identity Connect reports that you can generate.
- Describe best practice for disabling Salesforce passwords.
- Describe when to implement IWA.
Do you prefer to have your users see your Jedeye Technologies logo instead? It’s a simple change when you take advantage of Identity Connect’s branding features.
From Settings at the top-right of the Identity Connect console, select Customize Theme. The branding page lets you change:
- Your logo
- The background and button colors on the login page
Should you choose Schedule Updates or Live Updates? Turns out it’s kind of a trick question. The answer is both. Use Live Updates to catch changes as they occur. Use Schedule Updates to make sure that nothing is missed.
- Live Updates: Identity Connect monitors AD and updates Salesforce as changes occur. It’s not a full comparison of everything in both systems, though. So if either the Identity Connect server or the primary AD server goes offline, it’s possible to miss AD changes that occurred during that time, and some changes might never propagate to Salesforce when the system comes back online. That's where Schedule Updates comes in.
- Schedule Updates: Identity Connect makes a full comparison between AD and Salesforce. It collects all user and group information from both systems and compares all the data. If any differences exist, Identity Connect updates Salesforce with the data from AD.
Salesforce recommends running Schedule Updates at most once per day. Most customers run it every night or every weekend. Although a scheduled sync guarantees that the data is in sync, it consumes more resources, including API calls: Identity Connect’s reads from and writes to Salesforce count against the org’s API limits, and each scheduled sync validates the settings for every user. Live Updates has less impact on API limits because Identity Connect connects to Salesforce only when it detects a change to user settings in AD.
API usage hasn’t been a problem for most customers. But if you’re close to reaching your API limits, keep this in mind when you implement Identity Connect.
Be sure to test thoroughly before syncing all users in your production org. Not to scare anyone, but we’ve seen cases where a Salesforce admin scheduled a sync before completing the Identity Connect setup, and changed the profile for every user in their Salesforce org.
Best practice: Start out small. Before you sync everyone, sync a specific user, such as a member of your team. Check that the permissions were mapped correctly. Then sync your Salesforce org.
Run a reconciliation report before syncing. It reports how many users in Salesforce don’t map to AD.
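To make the difference between the two sync modes and the reconciliation count concrete, here is a constructed Python simulation added for this page (not Identity Connect’s own code; the AD logon-name match key and the group-to-profile mapping are assumptions). It applies one observed change via the Live Updates path, then runs a full Schedule Updates comparison that catches a change missed while the connector was offline and reports the Salesforce users with no AD counterpart.

```python
# Constructed simulation of the two sync modes, not Identity Connect's own code.
# Assumptions: users are matched on their AD logon name, and each AD group
# maps to one Salesforce profile (Identity Connect's real mapping is configurable).

AD_USERS = {  # constructed sample directory data
    "lskywalker": {"mail": "luke@jedeye.example", "group": "Sales"},
    "hsolo":      {"mail": "han@jedeye.example",  "group": "Sales"},
    "lorgana":    {"mail": "leia@jedeye.example", "group": "Finance"},
}
SF_USERS = {  # constructed org state: hsolo's email is stale, obiwan has no AD account
    "lskywalker": {"Email": "luke@jedeye.example",     "Profile": "Sales Rep"},
    "hsolo":      {"Email": "han.solo@jedeye.example", "Profile": "Sales Rep"},
    "obiwan":     {"Email": "obiwan@jedeye.example",   "Profile": "System Administrator"},
}
GROUP_TO_PROFILE = {"Sales": "Sales Rep", "Finance": "Finance User"}  # assumed mapping


def desired_sf_record(ad_rec):
    """Project an AD record onto the Salesforce fields the sync manages."""
    return {"Email": ad_rec["mail"], "Profile": GROUP_TO_PROFILE[ad_rec["group"]]}


def live_update(change_events, sf_users):
    """Change-driven sync: one write per AD change event actually observed.
    Changes that happened while the connector was offline never arrive here."""
    sf_users = {k: dict(v) for k, v in sf_users.items()}  # work on a copy
    for key, ad_rec in change_events:
        sf_users[key] = desired_sf_record(ad_rec)
    return sf_users, len(change_events)


def schedule_update(ad_users, sf_users):
    """Full comparison: read every Salesforce user, write every difference.
    Returns the change plan and the API calls it would cost, counted as one
    read per Salesforce user plus one write per create or update."""
    plan = {"create": [], "update": [], "unmapped": []}
    for key, ad_rec in ad_users.items():
        if key not in sf_users:
            plan["create"].append(key)
        elif sf_users[key] != desired_sf_record(ad_rec):
            plan["update"].append(key)
    # Salesforce users with no AD counterpart: the count a reconciliation report gives
    plan["unmapped"] = sorted(k for k in sf_users if k not in ad_users)
    api_calls = len(sf_users) + len(plan["create"]) + len(plan["update"])
    return plan, api_calls


def run_example():
    """Only lorgana's creation was seen live; hsolo's email change was missed."""
    after_live, live_calls = live_update([("lorgana", AD_USERS["lorgana"])], SF_USERS)
    plan, sched_calls = schedule_update(AD_USERS, after_live)
    return plan, live_calls, sched_calls
```

The live pass costs one call but leaves hsolo stale; the scheduled pass costs a read per user plus the corrective write, and its "unmapped" list is what the reconciliation report would have flagged before syncing.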
After a sync, run a synchronization report to troubleshoot failed sync operations. It lists all the synchronization operations that occurred, along with the date, number of records synced, and number of records that failed to sync.
Run a User Activity report to see which users succeeded and which users failed to log in to Identity Connect.
To prevent users from bypassing Identity Connect:
- From Setup, enter My Domain and select My Domain.
- Under Authentication Configuration, select Identity Connect.
Why do you want to prevent users from bypassing Identity Connect? It’s advantageous to both admins and users. Help Desk has fewer passwords to reset. Users have fewer passwords to remember, and one less click to make.
Disabling Salesforce passwords is also a big win for reducing compliance overhead. Set your password strength requirements in AD and force all users to use that password. Then you can simply test AD password strength to demonstrate compliance.
To disable passwords, Salesforce Support must enable Delegated Administration. Then you can set Is Single Sign-On Enabled on the profile of users who won’t have a Salesforce password.
The password sync plug-in is an advanced feature that isn’t implemented often but is an SSO alternative that’s useful under certain circumstances. Use the password sync plug-in to avoid exposing your Identity Connect login page outside your corporate network.
You can also use it if your company doesn’t support mobile VPN, but you want users to be able to log in to Salesforce with their AD password.
Password sync works by installing an agent on an Active Directory server instance (domain controller). The agent captures a password every time it changes and sends it to Salesforce through Identity Connect.
Implementing password sync requires experience in installing the AD agent and managing certificates. It also requires programming experience because you must provide custom Apex code for Salesforce to handle the password change.
Most companies use the SSO feature that comes with Identity Connect if they don’t already have another solution. For larger installations, consider integrating Identity Connect with IWA.
Integrating Identity Connect with IWA saves users an extra login. Once users log in to their computers with their AD username and password, Identity Connect recognizes them and doesn’t prompt them to log in to Salesforce. If your company has experience with IWA, or an identity partner with IWA experience, consider this feature.
We’ve shown you:
- Why Identity Connect is a good idea
- What sort of information you can get automatically from AD
- How you can set up access control once and let Identity Connect take over
- How Identity Connect can fit into your network infrastructure
- Some Identity Connect features to consider
- Some gotchas to be aware of
Now that you’re armed with this knowledge, you can work with your stakeholders to decide whether Identity Connect is right for your company.