
About the Salesforce SCIM Connector

The EmpowerID Salesforce connector is a bi-directional connector that communicates with the Salesforce SCIM microservice to inventory and write back users, groups, group memberships, and user licenses between EmpowerID and Salesforce via REST API calls to Salesforce. The Salesforce SCIM microservice is an EmpowerID microservice that you deploy to an Azure app service. The app service uses a system-assigned managed identity linked to an application you create in Azure AD for EmpowerID. The managed identity allows the microservice to access Azure AD-protected services without supplying credentials for authentication. The entire process uses client certificate authentication, and the connector authenticates to the microservice using Azure authentication. The requests and responses of the microservice are SCIM compliant.

Inventory Objects and their corresponding components in EmpowerID

The Salesforce connector supports both full and incremental inventory. The connector uses Salesforce Object Query Language (SOQL) to retrieve data from Salesforce. When inventory is first enabled, the connector performs a full inventory to sync all accounts, groups, group memberships, and user licenses. On subsequent runs, the inventory job looks for modified objects only.

| Object in Salesforce | Component in EmpowerID |
|---|---|
| User | Account |
| Profile | Group (Group Type ID = 15) |
| User Role | Group (Group Type ID = 16) |
| Permission Set | Group (Group Type ID = 25) |
| Public Groups | Group (Group Type ID = 9) |
| Permission Set License | Group (Group Type ID = 41) |
| User License | Group License |
| Permission Set Assignment | Group Account |

Users in Salesforce are inventoried as accounts in EmpowerID and added as records to the Account table of the EmpowerID Identity and Resource Warehouse. The connector supports both full and incremental inventory for accounts. Each time full inventory runs, the connector syncs all the accounts from the external system to EmpowerID. Full inventory uses a query to get all the accounts from Salesforce. The query contains a comma-separated list of user attributes to be inventoried and is configurable by editing the UserQueryMessage parameter on the Salesforce SCIM resource system. The default query looks like this:

Select ID,LastModifiedDate,Username,LastName,FirstName,Name,CompanyName,Department,Title,Street,City,State,PostalCode,Country,
Address,Email,Phone,Alias,CommunityNickname,IsActive,TimeZoneSidKey,LocaleSidKey,EmailEncodingKey,ProfileId,UserRoleId,LanguageLocaleKey,
ManagerId,LastLoginDate,LastPasswordChangeDate,CreatedDate,UserPermissionsMarketingUser,UserPermissionsOfflineUser,UserPermissionsCallCenterAutoLogin,
DefaultGroupNotificationFrequency,UserPermissionsKnowledgeUser,UserPermissionsLiveAgentUser,UserPermissionsSupportUser from User

Incremental inventory uses the LastModifiedDate attribute to bring over only the accounts modified after the last inventory run. Any updates made to the user on the external system are synced to the EmpowerID account.
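The following is an added example (not EmpowerID or Salesforce code) of how a configured query parameter such as UserQueryMessage can be checked and turned into its incremental form. It assumes the parameter holds a plain "Select <fields> from <object> [where ...]" statement, as the page's defaults do, and that incremental runs filter on LastModifiedDate as described above; the function names, the strictness checks, and the rule that a WHERE clause already present in the parameter is kept and combined with AND are this example's own. The same construction applies to the group and user-license query parameters on the resource system.

```python
"""Parse a configured EmpowerID inventory query and derive its incremental form.

Added example, not EmpowerID or Salesforce code. It assumes the *QueryMessage
parameters hold a plain "Select <fields> from <object> [where ...]" statement,
as the page's defaults do, and that incremental runs filter on LastModifiedDate;
the function names and the strictness checks are this example's own.
"""
import re
from datetime import datetime, timezone

# Shape of the default query parameters: a comma-separated field list, an object
# name and an optional WHERE clause (PublicGroupQueryMessage has one).
_QUERY_RE = re.compile(
    r"^\s*select\s+(?P<fields>.+?)\s+from\s+(?P<obj>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)
# A field token: an API name, optionally dotted for relationship fields (Profile.Name).
_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$")


def parse_query(query: str) -> dict:
    """Split a configured query into field list, object and optional WHERE clause.

    Anything that is not a plain SELECT ... FROM ... [WHERE ...] with bare field
    names is rejected, so an edited parameter is checked before it is sent on.
    """
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError("query must be 'Select <fields> from <object> [where ...]'")
    fields = [f.strip() for f in m.group("fields").split(",")]
    bad = [f for f in fields if not _FIELD_RE.match(f)]
    if bad:
        raise ValueError(f"unexpected field tokens: {bad}")
    return {"fields": fields, "object": m.group("obj"), "where": m.group("where")}


def is_valid_query(query: str) -> bool:
    """True when parse_query accepts the configured query."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False


def incremental_query(query: str, last_run_iso: str) -> str:
    """Append a LastModifiedDate filter so only objects changed after the last run are returned.

    last_run_iso is an ISO 8601 timestamp with a UTC offset (e.g. 2024-05-01T10:30:00+02:00).
    SOQL datetime literals are written unquoted in UTC (2024-05-01T08:30:00Z), so the
    value is converted to UTC and formatted that way. An existing WHERE clause is
    kept and combined with AND.
    """
    parsed = parse_query(query)
    last_run = datetime.fromisoformat(last_run_iso)
    if last_run.tzinfo is None:
        raise ValueError("last_run_iso must carry a UTC offset")
    stamp = last_run.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    condition = f"LastModifiedDate > {stamp}"
    if parsed["where"]:
        condition = f"({parsed['where']}) AND {condition}"
    return f"Select {','.join(parsed['fields'])} from {parsed['object']} where {condition}"


if __name__ == "__main__":
    # Default UserQueryMessage from the page, shortened to a few fields.
    user_query = "Select ID,LastModifiedDate,Username,LastName,FirstName,IsActive from User"
    print(incremental_query(user_query, "2024-05-01T10:30:00+02:00"))
```

Because the query parameters are editable on the resource system, validating their shape before each run is a cheap way to notice an accidental or unauthorised change to what the connector pulls from Salesforce.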

info

The id attribute of the external system is used as the primary key and is synced to the systemIdentifier column in the Account table.

Inventoried Account Attributes

The below table contains a list of account attributes inventoried by the out-of-the-box connector.

| Attributes in Salesforce | SCIM Attributes | Attributes in EmpowerID |
|---|---|---|
| Country | country | Country |
| PostalCode | addresses[?(@.type=='work')].postalCode | ZipCode |
| Street | addresses[?(@.type=='work')].streetAddress | StreetAddress |
| Email | emails[?(@.type=='work')].value | Email |
| FirstName LastName | displayName | FriendlyName |
| Alias | Alias | Alias |
| City | city | City |
| State | state | State |
| LastName | name.familyName | LastName |
| FirstName | name.givenName | FirstName |
| Phone | phoneNumbers[?(@.type=='Phone')].value | Telephone |
| Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | Department |
| Username | userName | LogonName |
| ManagerId | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value'] | ManagerDistinguishedName |
| CompanyName | companyName | Company |
| CommunityNickname | CommunityNickname | DisplayNamePrintable |
| LanguageLocaleKey | LanguageLocaleKey | PreferredLanguage |
| LocaleSidKey | LocaleSidKey | Location |
| ProfileId | ProfileId | ProfilePath |
| EmailEncodingKey | EmailEncodingKey | ExtensionAttribute4 |
| TimeZoneSidKey | TimeZoneSidKey | ExtensionAttribute3 |
| DefaultGroupNotificationFrequency | DefaultGroupNotificationFrequency | ExtensionAttribute5 |
| UserPermissionsCallCenterAutoLogin | UserPermissionsCallCenterAutoLogin | ExtensionAttribute21 |
| UserPermissionsMarketingUser | UserPermissionsMarketingUser | ExtensionAttribute19 |
| UserPermissionsOfflineUser | UserPermissionsOfflineUser | ExtensionAttribute20 |
| UserRoleId | UserRoleId | ExtensionAttribute14 |
| Title | Title | JobTitle |
| AccountId | AccountId | ExtensionAttribute2 |
| UserPermissionsSupportUser | UserPermissionsSupportUser | CustomAttribute17 |
| UserPermissionsLiveAgentUser | UserPermissionsLiveAgentUser | CustomAttribute18 |
| UserPermissionsKnowledgeUser | UserPermissionsKnowledgeUser | CustomAttribute19 |
| IsActive | IsActive | Active |
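The SCIM Attributes column uses three path shapes: dotted sub-attributes (name.familyName), a filter on a multi-valued attribute (emails[?(@.type=='work')].value) and the enterprise extension URN, written either with a trailing .department or as ['urn:...'].['manager'].['value']. The following added example (not EmpowerID code) resolves those paths against a SCIM user representation and applies a subset of the mapping table; the resolver, the sample user with its made-up ids, and the function names are this example's own, and the rule that a URN ends at the first dot or bracket after its last colon is an assumption made so that the "2.0" inside the URN is not treated as a separator.

```python
"""Resolve the SCIM attribute paths from the mapping table against a SCIM user.

Added example, not EmpowerID code. The path syntax is taken from the page's table;
the resolver, the sample user and the function names are this example's own.
"""
import re

_BRACKET_KEY = re.compile(r"\['([^']*)'\]")               # ['manager']
_FILTER = re.compile(r"\[\?\(@\.(\w+)=='([^']*)'\)\]")     # [?(@.type=='work')]
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_$-]*")            # plain attribute name


def _tokens(path: str) -> list:
    """Break a path into ('key', name) and ('filter', attr, value) steps."""
    out, i = [], 0
    while i < len(path):
        if path[i] == ".":  # separator between steps
            i += 1
            continue
        m = _BRACKET_KEY.match(path, i)
        if m:
            out.append(("key", m.group(1)))
            i = m.end()
            continue
        m = _FILTER.match(path, i)
        if m:
            out.append(("filter", m.group(1), m.group(2)))
            i = m.end()
            continue
        if path.startswith("urn:", i):
            # Assumption: a schema URN (which itself contains "2.0") ends at the
            # first '.' or '[' after its last ':'  (...:User.department -> ...:User).
            rest = path[i:]
            end = len(rest)
            for j in range(rest.rfind(":"), len(rest)):
                if rest[j] in ".[":
                    end = j
                    break
            out.append(("key", rest[:end]))
            i += end
            continue
        m = _NAME.match(path, i)
        if not m:
            raise ValueError(f"unparseable path at offset {i}: {path!r}")
        out.append(("key", m.group(0)))
        i = m.end()
    return out


def resolve(resource: dict, path: str):
    """Walk the resource along the path; return None when any step is missing."""
    cur = resource
    for tok in _tokens(path):
        if tok[0] == "key":
            cur = cur.get(tok[1]) if isinstance(cur, dict) else None
        else:  # filter: first element of a multi-valued attribute whose attr equals value
            hits = []
            if isinstance(cur, list):
                hits = [e for e in cur if isinstance(e, dict) and e.get(tok[1]) == tok[2]]
            cur = hits[0] if hits else None
        if cur is None:
            return None
    return cur


# (SCIM attribute path, EmpowerID account attribute): a subset of the page's table.
USER_MAPPING = [
    ("userName", "LogonName"),
    ("displayName", "FriendlyName"),
    ("name.givenName", "FirstName"),
    ("name.familyName", "LastName"),
    ("emails[?(@.type=='work')].value", "Email"),
    ("phoneNumbers[?(@.type=='Phone')].value", "Telephone"),
    ("addresses[?(@.type=='work')].postalCode", "ZipCode"),
    ("country", "Country"),
    ("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department", "Department"),
    ("['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value']",
     "ManagerDistinguishedName"),
    ("IsActive", "Active"),
]


def map_user(resource: dict) -> dict:
    """Apply the mapping; attributes absent from the resource are left out."""
    return {attr: resolve(resource, path) for path, attr in USER_MAPPING
            if resolve(resource, path) is not None}


# Constructed SCIM user for the example; the ids are made-up placeholders.
SAMPLE_USER = {
    "id": "005xx0000012345AAA",
    "userName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "jane.doe@example.com"}],
    "phoneNumbers": [{"type": "Phone", "value": "+1 555 0100"},
                     {"type": "Mobile", "value": "+1 555 0101"}],
    "addresses": [{"type": "work", "streetAddress": "1 Main St", "postalCode": "12345"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Security", "manager": {"value": "005xx000001234XAAA"}},
    "IsActive": True,
}

if __name__ == "__main__":
    for attr, value in map_user(SAMPLE_USER).items():
        print(f"{attr}: {value}")
```

Note that a filter step returns the first matching element only, and a missing attribute (here the sample has no country) is left out of the mapped record rather than written as an empty string, which keeps "not inventoried" distinguishable from "inventoried as blank".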

Groups in Salesforce are inventoried as groups and added as records to the Group table of the EmpowerID Identity and Resource Warehouse. Group members are added as records to the GroupAccount table. The connector supports both full and incremental inventory for groups, whereas inventory for group memberships is always a complete inventory. Each time full inventory runs, the connector syncs all groups and group memberships from the external system to EmpowerID.

Full inventory uses separate queries to retrieve groups and group memberships from Salesforce. Each query contains a comma-separated list of attributes to be inventoried that can be customized by editing the associated query parameter on the Salesforce SCIM resource system.

info

Profile and UserRole assignments are stored as user attributes in Salesforce and as such are inventoried in EmpowerID during user inventory. The assignments are stored in the Group table.

Query parameters include the following:

| Group Type | Query Parameter | Default Query Value |
|---|---|---|
| Profile | ProfileQueryMessage | Select ID, UserLicenseId, Name from Profile |
| UserRole | UserRoleQueryMessage | Select ID,LastModifiedDate,Name from UserRole |
| PermissionSet | PermissionSetQueryMessage | Select ID,Name from PermissionSet |
| PublicGroup | PublicGroupQueryMessage | Select ID,Name from Group where type = 'regular' |

Incremental inventory uses the LastModifiedDate attribute to bring over only the groups modified after the last inventory run. Any updates made on the external system are synced to the EmpowerID group. If a group is disabled on the external system and the CheckForDeletedObjectsEnabled setting for the Salesforce SCIM account store is turned on, EmpowerID marks the group as deleted and sets the deleted date on the group.

info

The id attribute of the external system is used as the primary key and is synced to the systemIdentifier column in the Group table.

Inventoried Group Attributes

The below table contains a list of group attributes inventoried by the out-of-the-box connector.

| Attributes in Salesforce | SCIM Attributes | Attributes in EmpowerID |
|---|---|---|
| id | id | SystemIdentifier |
| Name | Name | Name |
| Name | displayName | FriendlyName |

User licenses in Salesforce are inventoried and added as records to the GroupLicense table of the EmpowerID Identity and Resource Warehouse. The connector supports both full and incremental inventory for user licenses. Each time full inventory runs, the connector syncs all user licenses from the external system to EmpowerID. Full inventory uses a query to get all the user licenses from Salesforce. The query contains a comma-separated list of user license attributes to be inventoried that can be configured by editing the UserLicenseQueryMessage parameter on the Salesforce SCIM resource system. The default query looks like this:

Select ID,LastModifiedDate,Name,TotalLicenses,UsedLicenses from UserLicense

Incremental inventory uses the LastModifiedDate attribute to bring over only the user licenses modified after the last inventory run. Any updates made on the external system are synced to the EmpowerID Group License.