Salesforce Identity Connect

Quick Summary of Salesforce Identity Connect Capabilities

Below is a summary of the important points about Identity Connect.

  • It comes as an add-on feature for Salesforce at additional cost.
  • It only works with Active Directory.
  • It is a one-way sync only, from Active Directory to Salesforce.
  • We can assign a profile, a role and permission sets to a user using Identity Connect.
  • Any change made manually to a mapped field on the user record will be overwritten by the next sync.
  • Sync from Active Directory to Salesforce can be real-time or scheduled.
  • If a user is deactivated in Active Directory, the Salesforce user record also gets deactivated; Identity Connect internally uses the API to deactivate the user. With some other SSO solutions, a user deactivated in Active Directory can no longer log in to Salesforce, but if they are already logged in on a mobile phone or a connected app they can still access Salesforce. Identity Connect resolves this problem.
  • Identity Connect is installed on the client's network behind the firewall, and it pushes changes to Salesforce from the client's network.
  • If we want to use Identity Connect for SSO and users want to use Salesforce from outside the company network or on a mobile phone, then its login page must be reachable from the internet. This can be done by installing Identity Connect in a demilitarized zone (DMZ).
  • Identity Connect is used for user provisioning but not for Just-in-Time (JIT) provisioning.
  • We can use Identity Connect as an SSO. If the customer already has SSO implemented, then Identity Connect can be used for user provisioning only.
  • One Identity Connect instance can be used for multiple Salesforce instances, but they must be all production or all sandboxes. If you want to use Identity Connect for production and sandbox at the same time, you need two Identity Connect instances, one for sandbox and the other for production.
  • Identity Connect works with only one Active Directory, but that AD can have multiple domains.
  • Integrated Windows Authentication (IWA) is supported by Identity Connect using the Kerberos authentication protocol. This means that if the user is already logged in to a company-provided Windows system, the login screen is bypassed and the Salesforce login experience is seamless.
  • Scheduled sync uses more API calls than real-time sync, because a scheduled sync compares all Salesforce users against all AD users to find changes.
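As an added illustration (not Identity Connect's own code, whose internals are not documented here), the following Python model of the one-way AD-to-Salesforce reconciliation shows why a disabled AD account ends up as a deactivated Salesforce user, why a manual edit to a mapped field is overwritten, and why a scheduled full sync costs more API calls than a real-time one. The attribute mapping, the sample users and the call counting are assumptions made for the example.

```python
from dataclasses import dataclass
# Assumed attribute mapping (constructed for this example): AD attribute -> Salesforce User field
FIELD_MAP = {"mail": "Email", "givenName": "FirstName", "sn": "LastName"}

@dataclass
class AdUser:
    sam: str          # sAMAccountName, used here as the join key to the Salesforce user
    enabled: bool     # False once the account is disabled in AD
    attrs: dict

@dataclass
class SfUser:
    is_active: bool
    fields: dict

def reconcile(ad: AdUser, sf_users: dict) -> list:
    """Operations that bring one Salesforce user in line with its AD entry (one-way: AD wins)."""
    desired = {FIELD_MAP[k]: v for k, v in ad.attrs.items() if k in FIELD_MAP}
    target = sf_users.get(ad.sam)
    if target is None:
        return [("create", ad.sam, desired)] if ad.enabled else []
    ops = []
    if not ad.enabled:
        # Deactivating the Salesforce user itself also ends existing mobile / connected-app sessions
        return [("deactivate", ad.sam)] if target.is_active else []
    if not target.is_active:
        ops.append(("activate", ad.sam))
    changed = {f: v for f, v in desired.items() if target.fields.get(f) != v}
    if changed:
        ops.append(("update", ad.sam, changed))  # manual edits to mapped fields are overwritten
    return ops

def scheduled_sync(ad_users: list, sf_users: dict):
    """Full comparison of all AD users against all Salesforce users."""
    reads = len(sf_users)          # every Salesforce user is read to find differences
    ops = [op for ad in ad_users for op in reconcile(ad, sf_users)]
    return ops, reads + len(ops)   # simplified call count: one read per user plus one per change

def realtime_sync(changed: AdUser, sf_users: dict):
    """Only the changed AD entry is reconciled, so only its Salesforce record is read."""
    ops = reconcile(changed, sf_users)
    return ops, 1 + len(ops)

# Constructed sample data: bob was disabled in AD, carol's email was edited by hand in Salesforce
AD = [AdUser("alice", True, {"mail": "alice@example.com", "givenName": "Alice", "sn": "Smith"}),
      AdUser("bob", False, {"mail": "bob@example.com", "givenName": "Bob", "sn": "Jones"}),
      AdUser("carol", True, {"mail": "carol@example.com", "givenName": "Carol", "sn": "Lee"})]
SF = {"alice": SfUser(True, {"Email": "alice@example.com", "FirstName": "Alice", "LastName": "Smith"}),
      "bob": SfUser(True, {"Email": "bob@example.com", "FirstName": "Bob", "LastName": "Jones"}),
      "carol": SfUser(True, {"Email": "carol.old@example.com", "FirstName": "Carol", "LastName": "Lee"})}
```

Running `scheduled_sync(AD, SF)` yields a deactivation for bob and an update restoring carol's mapped email at a cost of five calls, while `realtime_sync(AD[1], SF)` handles bob's change alone with two.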


3 responses to “Quick Summary of Salesforce Identity Connect Capabilities”

  1. Abhiram

    Thanks Jitendra. The post was very helpful. I would like to know if it's possible to map AD user object attributes to SF profiles and permission sets. I believe the OOB feature in Identity Connect only allows 'Active Directory (AD) Groups' to be mapped to SF profiles and permission sets. This means that there will be a need to create several AD groups, which could become cumbersome eventually.
    Thanks in advance for your response.

  2. Prabhakar Mohan

    I am facing an issue with Identity Connect when I try to sync the data. The permission sets are getting unassigned for many users. I am using the Identity Connect 3.0 package in SF.

    Permission set Lightning Report Builder: unassigned from user
    Any insight?

  3. Brayan

    Can Identity Connect be used for Community user provisioning please? The Community user is linked to person accounts.
