Versions Compared

Old Version 2

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 3

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Insert excerpt
IL:External Directory Prerequisites V21
IL:External Directory Prerequisites V21
nopaneltrue

Prerequisites

In order to connect EmpowerID to Salesforce :

You

you must have a Salesforce

domain

tenant with an account that EmpowerID can use to connect to Salesforce

.

  • At a minimum, this account must have a profile with permission to read the user data in Salesforce.

    • If you plan to use EmpowerID to provision, deprovision and modify the user data in Salesforce, the profile needs to have create, update and delete permissions as well

    and do the following in the tenant:

    • Register a connected app for EmpowerID with a certificate in Salesforce using the OAuth 2.0 JWT bearer authorization flow. Give the app the following OAuth Scopes:

      • Access and manage your data (api)

      • Perform requests on your behalf at any time (refresh_token, offline_access)

      • Provide access to your data via the Web (web)

    • Upload the private key for the certificate to the EmpowerID certificate store.

    Info

    For directions on setting up a connected up in Salesforce, please see the Salesforce documentation on the subject at https://help.salesforce.com/articleView?id=sf.connected_app_overview.htm&type=5.

    Step 1 – Create a Salesforce account store in EmpowerID

    1. On the navbar, expand Admin > Applications and Directories and then select Account Stores and Systems.

    2. On the Account Stores page, select the Actions tab and then click Create Account Store.

    3. Under System Types, search for Salesforce.

    4. Click the Salesforce.com record to select the type and then click Submit.

    5. On the Salesforce settings page that appears, enter the following information:

      • Name – Enter a name for the account store

      • Service URL – Enter the URL for your Salesforce tenant

      • API Endpoint – Enter /services/data/v36.0/

      • Certificate Thumbprint – Enter the thumbprint of the certificate you uploaded to Azure for the service principal application created earlier.

      • User Name – Enter the username of the Salesforce service account you created in Salesforce for EmpowerID.

      • Client Secret – Enter the value of the token generated by Salesforce for the selected user account.

      • Service Account Token – Enter the value of the token generated by Salesforce for the selected user account.

      • SCIM URL – Enter the URL for the Salesforce SCIM app service created earlier.

    6. When you have added your settings, click Submit to create the account store.

    EmpowerID creates the account store and the associated resource system. The next step is to configure attribute flow between the account store and EmpowerID.

    Step 2 – Configure Attribute flow

    Insert excerpt
    IL:Configure Attribute Flow Rules-V21
    IL:Configure Attribute Flow Rules-V21
    nopaneltrue

    Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

    Step 3 – Configure account store settings

    1. On the Account Store and Resource System page for Salesforce, click the Account Store tab and then click the pencil icon to put the account store in edit mode.


      This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Salesforce account as well as how you want EmpowerID to handle the user information it discovers in UltiPro during inventory. Settings that can be edited are described in the table below the image.

      Insert excerpt
      IL:Account Store Settings (Non-AD) V21
      IL:Account Store Settings (Non-AD) V21
      nopaneltrue

    2. Edit the account store as needed and then click Save to save your changes.

    Step 4 – Verify Salesforce resource system parameters

    1. On the Account Store Details page for the Salesforce account store, select the Resource System tab and then expand the Configuration Parameters accordion at the bottom of the page.

    2. You should a number of parameters for the resource system. The values for these are generated based on the information you provide when creating the account store. If any of the values are incorrect, please update them to ensure successful inventory of your Salesforce tenant. The following parameters are of particular importance:

      • ApiEndPoint – Value should be /services/data/v36.0/

      • certificateThumbPrint – Value should be the thumbprint of the certificate you uploaded to Salesforce for the connected application you created in Salesforce for EmpowerID.

      • ClientSecret – Value should be the secret generated by Salesforce for the connected application you created in Salesforce for EmpowerID.

      • LoginUrl – Value should be the login URL for Salesforce.

      • ServiceUrl – Value should be your Salesforce domain.

      • Username – Value should be the username of the Salesforce service account used by EmpowerID.

    Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in Box to EmpowerID Persons as demonstrated below.

    Tip

    EmpowerID recommends using the Account Inbox for provisioning and joining.

    Step 4 – Enable the Account Inbox Permanent Workflow

    Insert excerpt
    IL:Enable Account Inbox PW - V21
    IL:Enable Account Inbox PW - V21
    nopaneltrue

    Step 5 – Monitor Inventory

    Insert excerpt
    IL:Monitor Inventory - V21
    IL:Monitor Inventory - V21
    nopaneltrue
    Insert excerpt
    IL:External Stylesheet - v1
    IL:External Stylesheet - v1
    nopaneltrue

    See Also

    Salesforce Connector

    Provisioning Policy for Salesforce Accounts

    Div
    stylefloat: left; position: fixed;

    IN THIS ARTICLE

    Table of Contents
    maxLevel4
    minLevel2
    stylenone