Salesforce offers a cloud-based customer relationship management (CRM) platform that lets users track sales, service, and marketing. It includes a social networking plug-in and analytical tools including email alerts, Google search functionality, and access to contracts.

To login to the Salesforce application, you must create a trial account. For more information, see Setting a trial account on Salesforce

Salesforce connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters

To configure the connector, following parameters are required:

• Connector Name

• Client ID - Consumer key of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).

• Client Secret - Consumer Secret of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).

• Username

• Password - <Login password><Security token received over email>

• Token URL - Salesforce's token URL (https://<saleforce_instance_url>/services/oauth2/token)

• Grant Type : password

• Instance: This field corresponds with the datacenter the connector should access.

• Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations in Salesforce version 1.0

Users

Table 3: Supported operations for Users

Operation	VERB
Create	POST
Update (id)	PUT
Delete (id)	DELETE
Get (id)	GET
Get	GET
Pagination	GET

Groups

Table 4: Supported operations for Groups

Operation	VERB
Create	POST
Update (id)	PUT
Delete  (id)	DELETE
Get (id)	GET
Get	GET
Pagination	GET

Roles

Table 5: Supported operations for Roles

Operation	VERB
Get All Roles	GET
Get Role (Id)	GET

Profiles

Table 6: Supported operations for Profiles

Operation	VERB
Get All Profiles	GET
Get Profile (Id)	GET

PermissionSets

Table 7: Supported operations for PermissionSets

Operation	VERB
Create PermissionSets	POST
Update PermissionSets	PUT
Delete PermissionSets	DELETE
Add PermissionSet members	POST
Remove PermissionSet members	DELETE
Get All PermissionSets	GET
Get All PermissionSets by Id	GET

Mandatory fields

Users

• Last Name
• Email
• Alias (Auto populated with the combination of First and/or Last name)
• Username (Auto populated from email)
• Nickname (Auto populated from email; takes the name before “@”)
• Email Encoding
• Locale Settings (Time Zone, Locale & Language)

• Entitlements - ProfileId

Groups

• Group Name

Permissions Sets

• Name
• Label

The user and group mapping is listed in the table below.

Table 8: User mapping for Salesforce version 1.0

SCIM parameter	Salesforce parameter
Id	id
UserName	Username
ExternalId	FederationIdentifier
Name.GivenName	FirstName
Name.FamilyName	LastName
Name.Formatted	Name
DisplayName	Name
NickName	CommunityNickname
Emails.Value	Email
Photos.Value	FullPhotoUrl
Addresses.StreetAddress	Street
Addresses.Locality	City
Addresses.Region	State
Addresses.PostalCode	PostalCode
Addresses.Country	Country
PhoneNumbers.Values	Phone
UserType	UserType
Title	Title
PreferredLanguage	LanguageLocaleKey
Locale	LocaleSidKey
Timezone	TimeZoneSidKey
Active	IsActive
password	[* another API Call]
Entitlements[].Value	Profile[].Id
Entitlements[].Display	Profile[].Name
Roles[].Value	UserRole[].Id
Roles[].Display	UserRole[].Name
Extension.PasswordLastSet	LastPasswordChangeDate
Extension.EmailEncoding	EmailEncodingKey
Extension.Organization	CompanyName
Extension.Division	Division
Extension.Department	Department
Extension.Description	AboutMe
Extension.Manager.Value	Manager.Id
Extension.Manager.DisplayName	Manager.Name
Extension.LastLogon	LastLoginDate
Extension.EmployeeNumber	EmployeeNumber
Extension.Alias	Alias
Extension.UserPermissionsMobileUser	UserPermissionsMobileUser
Extension.UserPermissionsSFContentUser	UserPermissionsSFContentUser
Extension.UserPermissionsKnowledgeUser	UserPermissionsKnowledgeUser
Extension.UserPermissionsOfflineUser	UserPermissionsOfflineUser
Extension.UserPermissionsMarketingUser	UserPermissionsMarketingUser
Extension.UserPermissionsCallCenterAutoLogin	UserPermissionsCallCenterAutoLogin
Extension.UserPermissionsInteractionUser	UserPermissionsInteractionUser
Extension.UserPermissionsSupportUser	UserPermissionsSupportUser
Extension.FullPhotoUrl	FullPhotoUrl
Meta.Created	CreatedDate
Meta.LastModified	LastModifiedDate

Table 9: Group mapping for SalesForce version 1.0

SCIM parameter	Salesforce parameter
Id	Id
DisplayName	Name
Members.value	UserOrGroupId
Meta.Created	CreatedDate
Meta.LastModified	LastModifiedDate

 

Table 10: Role mapping for SalesForce version 1.0

SCIM parameter	Salesforce parameter
Id	Id
Name	Name
Members[].value	RoleMembers[].Id
Members[].display	RoleMembers[].Name
Meta.Created	CreatedDate
Meta.LastModified	LastModifiedDate

 

Table 11: Profile mapping for SalesForce version 1.0

SCIM parameter	Salesforce parameter
Id	Id
Name	Name
Members[].value	ProfileMembers[].Id
Members[].display	ProfileMembers[].Name
Meta.Created	CreatedDate
Meta.LastModified	LastModifiedDate

 

Table 12: Permission Sets mapping for Salesforce version 1.0

SCIM parameter	Salesforce parameter
Id	ID
Name	Name
Label	Label
Members[].value	PermissionSetMembers[].Id
Members[].display	PermissionSetMembers[].Name
Meta.Created	CreatedDate
Meta.LastModified	LastModifiedDate
PermissionSetGroupId	PermissionSetGroupId
PermissionSetType	Type

Connector limitations

• Even if the Count value is less than 2000, the resources are returned as 2000.

  NOTE: Salesforce connector currently supports Salesforce api version 53.0.

• Salesforce does not display an error when you create Duplicate Groups. It returns the existing group information. A duplicate group will not be created.

• Connector updates the count value of pagination property to 500 when it is more than 500. This is done to solve common validation error.

• Due to target API behaviour, only membership management is supported in Permission set groups in the connector.

• If you disable a parent attribute in the target system, for example manager, but do not disable it in the Starling Connect UI under EnterpriseUser; instead you disable only the child attribute manager.value in the Starling Connect UI, then the connector cannot determine whether the other child attributes manager.displayName and manager.$ref under the parent attribute manager are enabled or not in the target system. Hence, in this case, the request query will contain the other the child attributes manager.displayName and manager.$ref but not the manager.value. The solution is to disable the entire parent attribute manager in the Starling Connect UI.
• You cannot update the password of an inactive user due to target system limitations. When you try to create an inactive user, the error message Password cannot be updated of an inactive user is displayed. However, the user is created by the system. This is because the User Create operation for inactive user is internally carried out as Create User and Set Password operations, one after the another.

• The connector supports assignment of roles and profiles to account in accordance with the Salesforce data model.

 

Salesforce connector for Safeguard for Privileged Passwords

• The Instance parameter (which corresponds with the datacenter the connector should access) is required when configuring the supervisor.

• The user account used to register the connecter must have sufficient authorization to change another user's password.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in Salesforce version 2.0

Following are the features that are available exclusively in Salesforce v.2.0:

• The below listed additional attributes are available for the User object:
  • Extension.UserPreferencesContentEmailAsAndWhen
  • Extension.UserPreferencesContentNoEmail
  • Extension.CallCenterId

  NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

Mappings for Salesforce version 2.0

Table 13: User mapping for Salesforce version 2.0

SCIM parameter	Salesforce parameter
Extension.UserPreferencesContentEmailAsAndWhen	UserPreferencesContentEmailAsAndWhen
Extension.UserPreferencesContentNoEmail	UserPreferencesContentNoEmail
Extension.CallCenterId	CallCenterId

Features available exclusively in Salesforce v.3.0

Following are the features that are available exclusively in Salesforce v.3.0:

• You can configure custom attributes for the Salesforce v.3.0 SCIM connector in Starling Connect for the User object.

  NOTE:

  • For more information about how to configure custom attributes, see Configuring custom attributes in connectors.
  • As the Salesforce target system does not support the disabling attributes feature, the Salesforce connector is enhanced only to support the configuration of custom attributes in the SCIM connector in version 3.0.

Features available exclusively in Salesforce v.4.0

Following are the features that are available exclusively in Salesforce v.4.0:

You can disable attributes in the Salesforce v.4.0 SCIM connector in Starling Connect for the User object.

NOTE:

• For more information, see Disabling attributes.

• Although the Salesforce target system does not support disabling attributes, the Salesforce connector is enhanced to support the disable attributes feature to remove the attributes for all USER operations in v.4.0.

Support for filter condition

Salesforce connector supports filter condition for User objects. Filters can be applied and the Users filtered absed on the provided condition can be retrieved.

To configure changes to One Identity Manager to support filter conditions

1. Open the Synchronization Editor tool.

2. Select SCIM connector.

3. Select the Target system and navigate to Schema Classes.
4. Add a new schema class for the user.
5. Add the System filter and Select Object condition. Click Commit to Database.
6. In User mappings, edit the Target system schema class with the recently created schema and click Commit to Database.
7. Run the synchronization.

   Filter conditions are created.

IMPORTANT:

• The connector supports filter condition on all versions but only for User objects.

• Supports only AND and OR logical operators.

• Supports only parenthesis () for grouping the condition.

• Filter condition can be applied for any of the User attributes supported by Salesforce workbench.

• Complex attributes are not supported in filter condition. For example, name or email. Only sub-attributes are supported (email.value, name.familyName).

• Filter condition should follow the below syntax

  For example:

  Example 1.<attribute_name><space><operator><space>'<string_value or date_value>' Example 2.<attribute_name><space><operators><space><int_value or bool_value>

• The attribute name should not contain or be preceded with a Schema URN.

• Filter condition values should not have single quotes or percentage with the filter condition value. For example, (userName co 'O'Malley') or (userName co 'O%Malley%').

• Filter condition is not supported by connector for Custom attributes.

• The filter condition related to Id fields attribute VALUES are case sensitive in the target system. For example, manager.value, roles.value.

  • Target system has the Id of Manager as 'aB12eqQ'

    • manager.value ='aB12eqQ' - condition matches and returns the results.

    • manager.value ='ab12eqq' - condition does not match and doesn't return the results.

• Supports the following operators to filter the values with example should apply in OneIM.

  Table 14: Supported operators to filter values

  Operators	OneIM System filters	OneIM Select Objects
  eq → equal to	userType eq 'Standard'	userType = 'Standard'
  ne → not equal to	userType ne 'Standard'	userType <> 'Standard'
  co → contains	userType co 'Standard'	userType like '%Standard%'
  sw → starts with	userType sw 'Standard'	userType like 'Standard%'
  ew → ends with	userType ew 'Standard'	userType like '%Standard'
  gt → greater than	userType gt 100	userType > 100
  lt → less than	userType lt 100	userType < 100
  ge → greater than or equal to	userType ge 500	userType >= 500
  le → less than or equal to	userType le 500	userType <= 500

Examples of filter conditions that must be applied at OneIM:

• userType co 'stand'

• userType eq 'standard'

• emails.value co 'baskar.may' or emails.value co 'test.user'

• userType co 'stand' and (emails.value co 'baskar.may' or emails.value co 'test.user')

Synchronization and integration of PermssionSets object type with One Identity Manager

For more information, see Synchronization and assignment of PermissionSets to Users with One Identity Manager.