You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Salesforce SCIM Connector
EmpowerID Salesforce connector is a bi-directional connector that communicates with the Salesforce SCIM microservice for inventory and write-back functionality of users, groups, group membership, and user licenses between EmpowerID and Salesforce via REST API calls to Salesforce. The Salesforce SCIM microservice is an EmpowerID microservice that you deploy to an Azure app service. The app service uses a system-assigned managed identity linked to an application you create in Azure AD for EmpowerID. The managed identity allows the microservice to access Azure AD-protected services without needing to supply credentials for authentication. The entire process uses secure client certificate authentication. The connector authenticates to the microservice using Azure Authentication. The request and response of the microservice are SCIM compliant.
Inventory Objects and their corresponding components in EmpowerID
The Salesforce connector supports both full and incremental inventory. The connector uses Salesforce Object Query Language (SOQL) to retrieve data from Salesforce. When inventory is first enabled, the connector performs a full inventory to sync all the accounts, groups, group membership and user licenses. On subsequent runs, the inventory job looks for modified objects only.
Object in Salesforce | Component in EmpowerID |
|---|---|
User | Account |
Profile | Group (Group Type ID = 15) |
User Role | Group (Group Type ID = 16) |
Permission Set | Group (Group Type ID = 25) |
Public Groups | Group (Group Type ID = 9) |
Permission Set License | Group (Group Type ID = 41) |
User License | Group License |
Permission Set Assignment | Group Account |
Users in Salesforce are inventoried as accounts in EmpowerID and added as records to the Account table of the EmpowerID Identity and Resource Warehouse. The connector supports both full and incremental inventory for accounts. Each time full inventory runs, the connector syncs all the accounts from the external system to EmpowerID. Full Inventory uses a query to get all the accounts from Salesforce. The query contains a comma separated list of user attributes to be inventoried and is configurable by editing the UserQueryMessage parameter on the Salesforce SCIM resource system. The below code depicts what the default query looks like.
Select ID,LastModifiedDate,Username,LastName,FirstName,Name,CompanyName,Department,Title,Street,City,State,PostalCode,Country,
Address,Email,Phone,Alias,CommunityNickname,IsActive,TimeZoneSidKey,LocaleSidKey,EmailEncodingKey,ProfileId,UserRoleId,LanguageLocaleKey,
ManagerId,LastLoginDate,LastPasswordChangeDate,CreatedDate,UserPermissionsMarketingUser,UserPermissionsOfflineUser,UserPermissionsCallCenterAutoLogin,
DefaultGroupNotificationFrequency,UserPermissionsKnowledgeUser,UserPermissionsLiveAgentUser,UserPermissionsSupportUser from UserIncremental inventory uses the LastModifiedDate attribute to bring only the accounts modified after the last inventory run. Any updates made to the user on the external system will be synced to EmpowerID account.
The id attribute of the external system is used as the primary key and is synced to the systemIdentifier column in the Account table.
Inventoried Account Attributes
The below table contains a list of account attributes inventoried by the out-of-the-box connector.
Attributes in Salesforce | SCIM Attributes | Attributes in EmpowerID |
|---|---|---|
Country | country | Country |
PostalCode | addresses[?(@.type=='work')].postalCode | ZipCode |
Street | addresses[?(@.type=='work')].streetAddress | StreetAddress |
emails[?(@.type=='work')].value | ||
FirstName LastName | displayName | FriendlyName |
Alias | Alias | Alias |
City | city | City |
State | state | State |
LastName | name.familyName | LastName |
FirstName | name.givenName | FirstName |
Phone | phoneNumbers[?(@.type=='Phone')].value | Telephone |
Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | Department |
Username | userName | LogonName |
ManagerId | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value'] | ManagerDistinguishedName |
CompanyName | companyName | Company |
CommunityNickname | CommunityNickname | DisplayNamePrintable |
LanguageLocaleKey | LanguageLocaleKey | PreferredLanguage |
LocaleSidKey | LocaleSidKey | Location |
ProfileId | ProfileId | ProfilePath |
EmailEncodingKey | EmailEncodingKey | ExtensionAttribute4 |
TimeZoneSidKey | TimeZoneSidKey | ExtensionAttribute3 |
DefaultGroupNotificationFrequency | DefaultGroupNotificationFrequency | ExtensionAttribute5 |
UserPermissionsCallCenterAutoLogin | UserPermissionsCallCenterAutoLogin | ExtensionAttribute21 |
UserPermissionsMarketingUser | UserPermissionsMarketingUser | ExtensionAttribute19 |
UserPermissionsOfflineUser | UserPermissionsOfflineUser | ExtensionAttribute20 |
UserRoleId | UserRoleId | ExtensionAttribute14 |
Title | Title | JobTitle |
AccountId | AccountId | ExtensionAttribute2 |
UserPermissionsSupportUser | UserPermissionsSupportUser | CustomAttribute17 |
UserPermissionsLiveAgentUser | UserPermissionsLiveAgentUser | CustomAttribute18 |
UserPermissionsKnowledgeUser | UserPermissionsKnowledgeUser | CustomAttribute19 |
IsActive | IsActive | Active |