• Identity Connect integrates Microsoft Active Directory (AD) with Salesforce. User information maintained in AD is pushed to Salesforce in near real time, so companies that already manage users in AD can use Identity Connect to manage their Salesforce accounts as well.
  • Identity Connect enables you to upload user data from your enterprise data store (Active Directory) to one or more Salesforce organizations, and automatically to synchronize this data when user entries are added, changed, or removed. In addition, Identity Connect enables single sign-on (SSO) to Salesforce, using the Security Assertion Markup Language (SAML).
  • Changes in AD are reflected in Salesforce in near real time. For example, when a user is created in AD, the Salesforce user account is created as part of the provisioning process. When de-provisioned, the user’s Salesforce session is revoked immediately.
  • Identity Connect runs as a service on either Windows or Linux platforms.
  • At least one Identity Connect license is required. Your IT department installs the Identity Connect package that matches the operating system of the server it will run on.
  • Identity Connect includes a browser-based user interface, and is installed “on premises”, inside your Network. A customizable UI wizard enables you to configure data synchronization from your Active Directory server to your Salesforce organization.
  • A single Active Directory server can be connected to multiple Identity Connect instances, each targeting a separate Salesforce organization.
  • Once Identity Connect has been installed and configured, access to your organization's Salesforce subdomain (such as example.salesforce.com) can be configured to go through Identity Connect. Attempts to access example.salesforce.com directly are redirected to Identity Connect, which manages access.
  • Users and passwords are generally not stored in Identity Connect; credentials are checked against Active Directory when a user logs in.
  • Administrative access to Identity Connect relies on the credentials of administration users in Active Directory.
  • When an administrative user logs in to Identity Connect, they can configure, manage and monitor data synchronization between Active Directory and Salesforce.
  • If single sign-on has been configured, and the AD user has been linked to their Salesforce account, a regular user can log in to Identity Connect (at https://hostname.domain:8443/connect/) and is routed directly to their Salesforce dashboard via SAML.
  • By default, access to Identity Connect is controlled with forms-based authentication: users provide the login credentials of their Active Directory account when they log in. You can also configure Identity Connect for Integrated Windows Authentication (IWA), and for single sign-on (SSO) to Salesforce using the Security Assertion Markup Language (SAML).
  • Setup Process
  • Download Identity Connect from the URL provided to you by Salesforce, then install it according to your operating system. On Windows, Identity Connect can be installed as a Windows service, so that the server starts and stops automatically with Windows. On UNIX-like systems, Identity Connect provides an RC script that generates an init script to run Identity Connect as a service.
  • Changes required at Salesforce End
    • Identity Connect requires a Connected App in order to connect to Salesforce using the OAuth 2.0 protocol.
      • Enter Connected App Name, API Name, contact Email.
      • Enable OAuth Settings
        • Callback URL: enter the Identity Connect URL to which the requested token will be sent. The default callback URL is https://hostname.domain:8443/admin/index.html#salesforceCallback. The URL you register must match exactly what Identity Connect sends as its redirect URI.
        • OAuth Scopes: Access and manage your data (api), Access your basic information (id, profile, email, address, phone), Perform requests on your behalf at any time (refresh_token, offline_access).
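The Connected App exchange above is a standard OAuth 2.0 authorization-code flow. The following is an added example (not Identity Connect's own code, and not from the Salesforce documentation) showing the two client-side checks that make that flow safe: the redirect URI sent to Salesforce must be byte-for-byte the Callback URL registered on the Connected App, and the state value returned on the callback must match the one issued, so a forged or replayed callback cannot inject an authorization code. The hostname, client id and sample callback query string are constructed for the example; the Salesforce authorize and token endpoints are the standard ones.

```python
"""Authorization-code flow between a client such as Identity Connect and a
Salesforce Connected App. Added example; hostnames and client ids are made up."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

# Must equal the Callback URL registered on the Connected App exactly
# (scheme, host, port and path). Constructed hostname for the example.
CALLBACK_URL = "https://idc.corp.example:8443/admin/index.html#salesforceCallback"

# "Access and manage your data", "Access your basic information",
# "Perform requests on your behalf at any time".
SCOPES = "api id refresh_token"


def start_authorization(client_id):
    """Return (state, url): the state to remember and the URL to send the browser to."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this login attempt
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": CALLBACK_URL,
        "scope": SCOPES,
        "state": state,
    }
    return state, f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Validate the redirect back from Salesforce and return the authorization code.

    Raises ValueError on any deviation: wrong landing URL, an error response,
    a state that does not match the one we issued, or a missing code.
    """
    arrived = urlparse(callback_url)
    registered = urlparse(CALLBACK_URL)
    # Salesforce appends ?code=...&state=... before the registered fragment, so
    # compare scheme/host/port/path, not the whole string.
    if (arrived.scheme, arrived.netloc, arrived.path) != (
        registered.scheme, registered.netloc, registered.path
    ):
        raise ValueError("callback arrived at an unregistered URL")

    query = parse_qs(arrived.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")

    state = query.get("state", [""])[0]
    # Constant-time compare: the state is a secret for the duration of the flow.
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible forged or replayed callback")

    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(client_id, client_secret, code):
    """Form body for the POST to TOKEN_URL. redirect_uri must be repeated unchanged;
    Salesforce rejects the exchange if it differs from the one used to get the code."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": CALLBACK_URL,
        "code": code,
    }


if __name__ == "__main__":
    state, url = start_authorization("3MVG9example_client_id")
    print("send browser to:", url)
    # Constructed callback, as Salesforce would redirect the browser after login.
    cb = f"https://idc.corp.example:8443/admin/index.html?code=aPrxExampleCode&state={state}#salesforceCallback"
    code = handle_callback(cb, state)
    print("token request body:", token_request("3MVG9example_client_id", "secret", code))
```

The refresh_token scope is what lets Identity Connect keep synchronizing without a user present; treat the resulting refresh token like a long-lived credential and scope the Connected App to only the permitted users and IP ranges.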
    • To configure single sign-on with Identity Connect, you must have a domain (My Domain) registered for your Salesforce organization.
    • From Identity Connect version 1.0.3 onwards, any permission sets that are not included on the permission set to Active Directory group mapping page are excluded from the scope of what Identity Connect manages; those permission set assignments are neither added nor removed by Identity Connect. Note that if a permission set is included on the mapping page but is mapped to None, Identity Connect effectively overwrites (removes) any explicit assignments of that permission set made within the Salesforce organization.
    • Use of Identity Connect with the Salesforce1 mobile app requires:
      • Deploying an SSL certificate on your Identity Connect host that is trusted by users' mobile devices. Mobile applications will not work with the default self-signed certificate that ships with Identity Connect.
      • Salesforce1 mobile app users must specify the correct Identity Connect domain within the app.
      • If you have configured IWA, but a user’s mobile device does not support Kerberos, the Identity Connect login page on the Salesforce1 App will fall back to their form-based Active Directory login.
  • Configure connection between Identity Connect and AD
    • The first step in setting up Identity Connect is configuring the data source, or Active Directory connector. Identity Connect supports connections to a full Active Directory server, and to an ADLDS (Active Directory Lightweight Directory Services) instance.
    • If your directory service has only one domain controller, or if all your Salesforce users are in the same domain, Identity Connect can connect to a single domain controller. If your directory service spans multiple domains, Identity Connect must connect to the Global Catalog (GC) to have a comprehensive view of all the domains. Multiple connections to multiple Domain Controllers from a single Identity Connect instance are not supported. Using a GC as the authoritative data source has the following limitations:
      • Only a subset of attributes is replicated from other domains to the GC.
      • Delete operations are not detected immediately.
      • Not all group types are supported.
  • Configure connection between Identity Connect and Salesforce
    • Identity Connect supports the configuration of multiple Salesforce organizations for a single Active Directory server. This enables you to synchronize two separate Salesforce organizations with the same Active Directory user data.
  • Mapping Data between AD and Salesforce
    • Identity Connect enables you to specify how attributes and other data are mapped from the Active Directory data source to the Salesforce data store. After you have configured the Salesforce connector, click Salesforce Org and then select Mapping on the page for that organization.
    • The Mapping page covers two main aspects of the mapping of data between Active Directory and Salesforce.
      • Attribute Mapping maps the attributes of an Active Directory user entry to the corresponding user fields in Salesforce.
      • Group Mapping maps Active Directory groups to one or more of the grouping mechanisms within Salesforce (Profiles, User Roles, Permission Sets and Salesforce Groups).
  • Data Synchronization and User Association Management
    • The main purpose of Identity Connect is to maintain data consistency between your Active Directory and your Salesforce data store. This consistency is achieved by a process called synchronization, which modifies user da
    • Before synchronization can occur, a reconciliation report is run. Reconciliation is the process by which two data sources are assessed and the consistency of the data across the two systems is analyzed.
    • Data synchronization enables you to specify when and how often Active Directory data changes are pushed to the Salesforce data store. Data can be synchronized according to a defined schedule, or automatically, as soon as changes are made in Active Directory.
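The group mapping and synchronization behaviour above, including the permission set scoping rules introduced in version 1.0.3, can be pictured as a reconciliation that computes a per-user change set. The following is an added example, not Identity Connect's own code or a description of its internals: it models one Profile per user (first matching AD group wins), permission sets assigned from AD groups, permission sets absent from the mapping page left untouched, and a permission set mapped to None removed from everyone. All AD group DNs, profile and permission set names and the sample users are constructed for the example.

```python
"""Model of an Identity Connect-style reconciliation from AD groups to Salesforce
Profile and Permission Set assignments. Added example; all names are constructed."""
from dataclasses import dataclass, field

# Profile mapping as it might be configured on the Mapping page (constructed).
# Evaluated in order; the first AD group the user belongs to wins.
PROFILE_MAPPING = [
    ("CN=SF-SysAdmins,OU=Groups,DC=corp,DC=example", "System Administrator"),
    ("CN=SF-Sales,OU=Groups,DC=corp,DC=example", "Standard User"),
]
DEFAULT_PROFILE = "Chatter Free User"  # applied when no mapped group matches

# Permission set -> AD group, or None. Sets absent from this dict are outside
# the managed scope and are never touched; a set mapped to None is managed
# and has every existing assignment removed (the "mapped to None" caveat).
PERMSET_MAPPING = {
    "Sales_Reports": "CN=SF-Sales,OU=Groups,DC=corp,DC=example",
    "API_Access": "CN=SF-Integrations,OU=Groups,DC=corp,DC=example",
    "Legacy_Export": None,
}


@dataclass
class SyncPlan:
    """Changes to apply to one Salesforce user."""
    profile: str
    add_permsets: set = field(default_factory=set)
    remove_permsets: set = field(default_factory=set)

    def is_noop(self):
        return not self.add_permsets and not self.remove_permsets


def desired_profile(member_of):
    for group, profile in PROFILE_MAPPING:
        if group in member_of:
            return profile
    return DEFAULT_PROFILE


def reconcile_user(member_of, current_permsets):
    """Compare AD membership against current Salesforce permission sets.

    member_of: AD group DNs the user belongs to.
    current_permsets: permission sets currently assigned in Salesforce.
    """
    groups = set(member_of)
    plan = SyncPlan(profile=desired_profile(groups))
    for permset, group in PERMSET_MAPPING.items():
        should_have = group is not None and group in groups
        has = permset in current_permsets
        if should_have and not has:
            plan.add_permsets.add(permset)
        elif has and not should_have:
            plan.remove_permsets.add(permset)
    # Anything not in PERMSET_MAPPING is deliberately ignored: out of scope.
    return plan


def reconcile_org(users):
    """Reconciliation report for several users.

    users: {username: (member_of, current_permsets)}
    Returns {username: SyncPlan} for every user, including no-op plans, so the
    report shows what was assessed as well as what will change.
    """
    return {name: reconcile_user(groups, current) for name, (groups, current) in users.items()}


if __name__ == "__main__":
    # Constructed sample data.
    sample = {
        "alice": (
            ["CN=SF-Sales,OU=Groups,DC=corp,DC=example"],
            {"Legacy_Export", "Custom_Sandbox", "API_Access"},
        ),
        "bob": ([], set()),
    }
    for user, plan in reconcile_org(sample).items():
        print(user, plan)
```

For alice the plan keeps Custom_Sandbox (not on the mapping page), adds Sales_Reports from her SF-Sales membership, and removes both API_Access (she is not in SF-Integrations) and Legacy_Export (mapped to None). That last removal is the behaviour the notes warn about: an admin who hand-assigns a managed set in Salesforce will see it reverted on the next run.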
  • Configuring Single Sign On
    • Identity Connect enables you to set up single sign-on (SSO) using the Security Assertion Markup Language (SAML). With SSO configured, when a user accesses their Salesforce organization URL, they are redirected to the Identity Connect user interface (at https://hostname.domain.com:8443/connect/). Logging in to this interface routes the user directly to their Salesforce dashboard.
  • Configuring IWA
    • You can configure Identity Connect so that clients use Integrated Windows Authentication (IWA), rather than authenticating by providing a username and password.

Mock Questions

  1. Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a custom database. The UC IT Manager has heard good things about Salesforce Identity Connect as an IdP, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation should an Architect inform the IT Manager about?
    1. Identity Connect will not support user provisioning in UC’s current environment.
    2. Identity Connect will only support IdP-initiated SAML flows in UC’s current environment.
    3. Identity Connect will only support SP-initiated SAML flows in UC’s current environment.
    4. Identity connect is not compatible with UC’s current identity environment.
  2. Which two statements describe capabilities of Identity Connect? Choose 2 answers
    1. Synchronization of Salesforce Permission Set License Assignments.
    2. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.
    3. Support multiple orgs connecting to multiple Active Directory servers.
    4. Automated user synchronization and de-activation.
  3. Universal Containers (UC) would like to enable SSO between their existing Active Directory infrastructure and Salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in Salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in Salesforce? Choose 2 answers
    1. Use the Salesforce REST API to sync users from Active Directory to Salesforce.
    2. Use an AppExchange product to sync users from Active Directory to Salesforce.
    3. Use Active Directory Federation Services to sync users from Active Directory to Salesforce.
    4. Use Identity Connect to sync users from Active Directory to Salesforce.
  4. Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers
    1. Public Group Assignment
    2. Granting report folder access
    3. Role Assignment
    4. Custom permission assignment
    5. Permission sets assignment
  5. Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and Assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?
    1. Use Active Directory with Reverse Proxy as the Identity Provider.
    2. Use Microsoft Access control Service as the Authentication provider.
    3. Use Active Directory Federation Service (ADFS) as the Identity Provider.
    4. Use Salesforce Identity Connect as the Identity Provider.
