Identity Connect integrates Microsoft Active Directory (AD) with Salesforce. User information entered in AD is shared with Salesforce seamlessly and instantaneously. Companies that use AD for user management can use Identity Connect to manage Salesforce accounts.
Identity Connect enables you to upload user data from your enterprise data store (Active Directory) to one or more Salesforce organizations, and automatically to synchronize this data when user entries are added, changed, or removed. In addition, Identity Connect enables single sign-on (SSO) to Salesforce, using the Security Assertion Markup Language (SAML).
Changes in AD are reflected in Salesforce in near real time. For example, when a user is created in AD, the Salesforce user account is created as part of the provisioning process. When de-provisioned, the user’s Salesforce session is revoked immediately.
Identity Connect runs as a service on either Windows or Linux platforms.
It is required to have at least one Identity Connect license to install Identity Connect (install version specific to the underlying OS) on a server by your IT department.
Identity Connect includes a browser-based user interface, and is installed “on premises”, inside your Network. A customizable UI wizard enables you to configure data synchronization from your Active Directory server to your Salesforce organization.
A single Active Directory server can be connected to multiple Identity Connect instances, each targeting a separate Salesforce organization
When Identity Connect has been installed and configured, any access to the subdomain of your organization on Salesforce (such as example.salesforce.com) can be configured to go through Identity Connect. Attempts to access example. salesforce.com directly are rerouted to Identity Connect, which manages access.
Users and passwords are generally not stored in Identity Connect.
Administrative access to Identity Connect relies on the credentials of administration users in Active Directory.
When an administrative user logs into Identity Connect, he is able to configure, manage and monitor data synchronization between Active Directory and Salesforce.
If single sign-on has been configured, and the AD user has been linked to his Salesforce account, a regular user can log into Identity Connect (with the URL https://hostname. domain:8443/connect/), and is routed directly to his Salesforce dashboard, via SAML.
By default, access to Identity Connect is controlled with forms-based authentication. Users of Identity Connect provide the login credentials of their Active Directory account when they log in. We can configure Identity Connect for Integrated Windows Authentication (IWA) and single sign-on (SSO) to Salesforce using the Security Assertion Markup Language (SAML).
Download Identity Connect from the URL provided to you by your Salesforce, then install Identity Connect, depending on your operating system. Identity Connect can be installed to run as a Windows service, so that the server starts and stops automatically when Windows starts and stops. Identity Connect provides an RC script that generates an initialization script to run Identity Connect as a service on UNIX-like systems.
Changes required at Salesforce End
Identity Connect requires a Connected App to connect to salesforce.com using the OAuth 2.0 protocol
Enter Connected App Name, API Name, contact Email.
Enable OAuth Settings
Callback URL. Enter the Identity Connect URL, to which the requested token will be sent. The default callback URL is, https://hostname. domain:8443/admin/index.html#salesforceCallback.
OAuth Scopes: Access and manage your data, Access your basic information, Perform requests on your behalf at any time
In order to configure single sign-on with Identity Connect, we must have a domain registered in Salesforce.
From Identity Connect version 1.0.3 onwards, any permission sets that are not included in the permission set to Active Directory Group mapping page are excluded from the scope of what is managed by Identity Connect. These permission set assignments are therefore not added, or removed by Identity Connect. Note that if a permission set is included on the permission set to Active Directory Group mapping page, but is mapped to None, Identity Connect will effectively overwrite any explicit assignments from within the Salesforce organization for that permission set.
Use of Identity connect with Salesforce1 mobile app requires
Deploy an SSL certificate on your Identity Connect host that is trusted by the mobile devices of users. Mobile applications will not work with the default self-signed certificate that is provided with Identity Connect
Salesforce1 Mobile App users must specify the correct domain for Identity Connect within their App.
If you have configured IWA, but a user’s mobile device does not support Kerberos, the Identity Connect login page on the Salesforce1 App will fall back to their form-based Active Directory login.
Configure connection between Identity Connect and AD
The first step in setting up Identity Connect is configuring the data source, or Active Directory connector. Identity Connect supports connections to a full Active Directory server, and to an ADLDS (Active Directory Lightweight Directory Services) instance.
If your directory service has only one domain controller, or if all your Salesforce users are in the same domain, Identity Connect can connect to a single domain controller. If your directory service spans multiple domains, Identity Connect must connect to the Global Catalog (GC) to have a comprehensive view of all the domains. Multiple connections to multiple Domain Controllers from a single Identity Connect instance are not supported. Using a GC as the authoritative data source has the following limitations:
Only a subset of attributes is replicated from other domains to the GC.
Delete operations are not detected immediately.
Not all group types are supported.
Configure connection between Identity Connect and Salesforce
Identity Connect supports the configuration of multiple Salesforce organizations for a single Active Directory server. This enables you to synchronize two separate Salesforce organizations with the same Active Directory user data
Mapping Data between AD and Salesforce
Identity Connect enables you to specify how attributes and other data are mapped from the Active Directory data source to the Salesforce data store. After you have configured the Salesforce connector, click Salesforce Org and then select Mapping on the page for that organization.
The Mapping page covers two main aspects of the mapping of data between Active Directory and Salesforce.
Attribute Mapping maps all the attributes of a user entry to a comparable attribute in Salesforce.
Group Mapping maps Active Directory groups to one or more of the grouping mechanisms within Salesforce (Profiles, User Roles, Permission Sets and Salesforce Groups).
Data Synchronization and User Association Management
The main purpose of Identity Connect is to maintain data consistency between your Active Directory and your Salesforce data store. This consistency is achieved by a process called synchronization, which modifies user da
Before synchronization can occur, a reconciliation report is run. Reconciliation is the process by which two data sources are assessed and the consistency of the data across the two systems is analyzed.
Data synchronization enables you to specify when and how often Active Directory data changes are pushed to the Salesforce data store. Data can be synchronized according to a defined schedule, or automatically, as soon as changes are made in Active Directory.
Configuring Single Sign On
Identity Connect enables you to set up single sign-on (SSO) using the Security Assertion Markup Language (SAML). With SSO configured, when a user accesses his Salesforce organization URL, he is redirected to the Identity Connect user interface (at https://hostname.domain.com:8443/connect/). Logging in to this interface routes the user directly to his Salesforce dashboard.
You can configure Identity Connect so that clients use Integrated Windows Authentication (IWA), rather than authenticating by providing a username and password.