Functionalities

Identity Integration

Provisioning Integration

Prerequisites

Ensure that these prerequisites are satisfied:

• Salesforce access is available.
• A developer account that can be used to establish a connection and has authority to manage objects in the Salesforce.
• A Connected Application is created in Salesforce by following the steps below.

Create X.509 certificate:

Execute the following commands using OpenSSL:

openssl genrsa -des3 -passout pass:password -out server.pass.key 2048

openssl rsa -passin pass:password -in server.pass.key -out server.key

openssl req -new -key server.key -out server.csr

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

Create Service Account Private Key:

1. The private key and password are required to create the Salesforce REST connected system in Identity. Salesforce REST Connector expects the private key in the PFX format. So, create the private key in PFX format from the certificate created above using OpenSSL:

openssl pkcs12 -export -name signedcert -in server.crt -inkey server.key -out keystore.p12 -passout pass:notasecret

2. Use this key and password as the Service Account Private Key and Private Key Password in the Connected System details page. 

Create Salesforce Connected Application:

1. Login using the developer account to Salesforce at https://login.salesforce.com/ and then navigate to "Setup”.
2. In the navigation bar on the left-hand side, under PLATFORM TOOLS -> Apps -> App Manager, select App Manager and use New Connected App button.

3. Fill in the basic information.

4. Under API (Enable OAuth Settings) section, check the Enable OAuth Settings and Use digital signatures checkboxes.

5. Upload the certificate (server.crt) from previous step.

6. Configure the Callback URL.

7. Configure OAuth scopes based on the connector requirements. ‘Perform requests on your behalf at any time’ is required.

8. Click Save.

9. Once saved, the Consumer Key will be displayed on the details page. This is required while creating the connected system.

Grant Access to Connected Application:

1. In the navigation bar on the left-hand side, under PLATFORM TOOLS -> Apps -> Connected Apps -> Manage Connected Apps.

2. Click Edit against the newly created App.

3. Choose ‘Admin approved users are pre-authorized’ for ‘Permitted Users’.

4. Save.

5. Save will return to the Manage Connected Apps page.

6. Click on the label link for the new App.

7. Go to Profiles section, click Manage Profiles button and assign the required profile.

8. In the navigation bar on the left-hand side, go to ADMINISTRATION > Users > Profiles.

9. Use Edit button for the Profile associated to the App.

10. Go to Connected App Access section.

11. Check the check box corresponding to the new App.

12. Save.

Create the Salesforce REST connected system in the Admin UI 

1. Log in to Identity Administration and click the Systems tab.
2. On the Connected System View page, click the Add button and select Salesforce REST from the Type drop-down list. The Connected System Details page displays the default values:

Only configurations which are specific to Salesforce REST is documented below. For an overview of the configuration which are common to all connectors, please refer to our link to “connected systems guide”.  

3. Enter the desired information and click Add.

Creating the Salesforce REST connected system in Studio 

1. Log in to the Workflow and Connectivity Studio and click Connectivity -> Add Systems on the menu bar. The Add Connected Systems window displays. 
2. Select Salesforce REST from the Type drop-down list. The default values display. 
   
   
   
   

3. Enter the required information. Only configurations which are specific to Salesforce REST will be documented below. For an overview of the configuration which are common to all connectors, please refer to our link to “connected systems guide”.
   
   

   Connection Information
   Salesforce Service URL	The URL of the custom domain. Eg. https://fi-connector-test.my.salesforce.com
   Authorization Server URL	The URL that is used to make authorization requests to Salesforce. The default value is https://login.salesforce.com
   Account Email	The email of the developer account.
   Consumer key	Enter the consumer key obtained from Salesforce.
   Service Account Private Key	Select the Service Account Private key created.
   Private Key Password	Enter the password of Service Account Private key.
   Connection Timeout	Number of seconds to wait for completion of an API call to Salesforce REST before timing out.

   
   

4. Click Apply to add the system.

Using the Connected System for Identity 

Perform these procedures to configure the connector: 

• Connector Details for Identity 
• Identity Password Management 

Connector Details for Identity 

This table lists values to enter when associating the Identity user with an existing user in the Salesforce REST connected system: 

Identity Password Management

See User Management for details on password management.

Using the Connected System for Provisioning 

Perform these procedures to configure the connector: 

• Configuring for Export 
• Configuring for Import 
• Connector Details for Provisioning 

Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode. 

Configuring for Export 

Perform these procedures to configure the connector for data export: 

• Configuring the Export Connector 
• Configuring the Export Link 

From the Workflow and Connectivity Studio, select the Salesforce REST UserExport workflow listed under the projects folder. If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows. 

Configure the Export Connector 

1. In the Design pane, double-click the export object (the first object after the Start object). The Configure Data Source window displays: 

2. From the Configure Plug-In tab, set the properties as required: 
   
   

   Associated Connected System	Select the connected System from the list. The export will be done from this connected system
   Data Formats	Select the type of data format to use: User (Default), Contact, ExternalUser, Profile or UserRole
   ContactById	Option to fetch a contact by providing Id. This property is available only for Contact data format.
   DeltaExportMode	Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):  OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run.   ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not.   AllAttributes - Performs a full export of all attributes that contain a value.
   DynamicConnectedSystem	Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
   DynamicConnectedSystemOption	Select how to control Dynamic System Support (DSS):   None - There will not be any Dynamic System Support.  Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.  GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
   ExecuteGIGAssociatedTaskAsynchronously	If this property is True, GIG associated tasks will execute asynchronously.
   ExportMode	Select the type of data to export:  FullExport - Exports all attributes  DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
   Filter	Specify search criteria to determine the objects to be exported from the Salesforce REST Connected System. Use the Set Filter button that becomes active to create a filter. See the Set Filter section for additional information.
   MaxResults	Select the maximum number of results to be returned.
   ProfileById	Option to fetch a profile by providing Id. This property is available only for Profile data format.
   ResultsPerPage	Number of entries fetched in a single call. Valid range is 500 to 2000. Default is 2000.
   UserById	Option to fetch a user by providing Id. This property is available only for User data format.
   UserRoleById	Option to fetch a UserRole by providing Id. This property is available only for UserRole data format.

   Set Filter
   
   
   

   Setting the filter is a means to narrow the search scope and return specific results:

   Element	Description
   Attribute	Select the attribute of the filter. This represents the attribute name for searching the Salesforce REST system.
   Comparison	Select the operator value for this filter. Some attributes do not support certain operator values.
   AND Condition List	Creates an AND statement comparing selected conditions. If there is more than one condition in this list box, all conditions must be true.
   Filter Syntax	Displays the filter syntax used to retrieve entries from the Salesforce REST and to build the export list.

   1. Using logical AND, generate the complex filter to narrow the search result.
   2. Click OK when complete to return to the Configure Data Source window.
      
      
3. (Optional) Select the Attributes Only the standard attributes display: 
   
   

   Modify schema attributes using these buttons: 

   Add	Add additional attributes to the list. The Add New attribute dialog displays.   Note: Only attributes that are present in the business Object schema can be added. If they are not in the business Object schema they will be disregarded.
   Export	Export the schema list to an XML file.
   Import	Imports the schema list from an XML file.
   Reset Schema	Resets the schema definition to the default schema prepackaged with the IDM Suite.

4. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane. 

5. Click OK and save any changes and return to the Workflow and Connectivity Studio window.

Configure the Export Link 

1. In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays. 
   
   

   Source Attributes	Select the attribute to export
   Selected Attributes	Displays default attributes and those attributes that have been selected from the Source Attributes.   Note: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not. Usually, the attributes that are selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.
   Advanced Settings	Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted.

2. From the Attribute Selection tab, select attributes to export. 
3. Click Ok to save any changes and return to Workflow and Connectivity Studio window.
4. Deploy the workflow by selecting Deploy New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options. 
5. Manage and run the deployed workflow from the AdminUI Server tab. See the “Identity Suite Administration” documentation for details. 

Configuring for Import 

Perform these procedures to configure the connector for data import: 

• Configure the import Connector 
• Configure the Import Link 

From the Workflow and Connectivity Studio, select the Salesforce REST UserAdd, UserModify, or UserDelete workflow listed under the projects folder. If a workflow does not already exist, create an import workflow. See the “Workflow and Connectivity Studio” documentation for details on creating import workflows. 

Configuring the Import Connector 

1. In the design pane, double-click the import object (the last workflow object). The Configure Data Source window displays: 

2. From the Configure Plug-In tab, set these properties as required: 
   
   

   Associated Connected System	Select the connected system from the list. The import operation will be done to this connected system.
   Data Formats	Select the type of data format to use: User (Default), Contact, ExternalUser, Profile or UserRole
   DynamicConnectedSystem	Select the global variable to use as the dynamic connected system name. This works in conjunction with the DynamicConnectedSystemOption when GlobalVariable is selected.
   DynamicConnectedSystemOption	Select how to control Dynamic System Support (DSS): None - There will not be any Dynamic System Support. Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail. GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
   Id	Specify the attribute that contains the value used to uniquely identity the user account ID on the connected system. (ACCOUNT_ID column of the FISC_USER_ACCOUNT table). Salesforce REST supports Id as account Id.   Note: This option is only available for the User data format.
   loginId	Enter the attribute that contains the value used to uniquely identity the user account login ID on the connected system. (ACCOUNT_USERNAME column of the FISC_USER_ACCOUNT table). Salesforce REST supports Username as Login Id.  Note: This option is only available for the User data format.

3. (Optional) Select the Attributes tab if attributes schema is to be modified. 
4. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane. 
5. Click OK to save any changes and return to the Workflow and Connectivity Studio window. 

Configuring the Import Link 

1. In the design pane, double-click the import link between the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays: 

   Source Attributes	Select the attributes to import.
   Check for attribute-level auditing	If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes.
   Select Attributes	Displays default attributes and those attributes that have been selected from the source Attributes.  Note: The default attributes are those that are commonly used to create a new user.
   Advanced Settings	Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted.
   Key Attribute	Select the attribute to be used as the key attribute for status processing and audit.

2. From the Attribute Selection tab, select attributes to import.  
3. (Optional) Select the Appearance tab to change how the link displays in the Design pane.
4. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
5. Deploy the workflow by selecting Deploy New Deployment. See the “Workflow and Connectivity Studio” documentation for details of deployment options. 
6. Manage and run the deployed workflow from the Admin UI Server tab. See the “Identity Suite Administration” documentation for details. 

Configuration Details for Provisioning 

 Connector Supported Data Formats 

The items in the Export and Import columns have these meanings:

• Y = Yes (attribute is supported for this operation)
• Y (R) = Attribute is supported and is required to create the object
• N = No (attribute is not supported for this operation)

User and ExternalUser Data Formats

Contact Data Format

Profile Data Format

UserRole Data Format

Lookup Data

To lookup data from Salesforce REST, use the Data Mapper rule Lookup Data.

1. Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
2. Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
3. Select the Salesforce REST system from the Select System drop-down list:
   
   
   
4. In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
5. Select the Lookup Type (User (Default), Contact, ExternalUser, Profile or UserRole) from the drop-down list.
6. Select the lookup method By Id or By Filter.
7. Selecting By Filter, the next field will change to Filter. Click the Build button to bring up the filter dialog. The Filter usage was explained earlier in section Set Filter.
8. Selecting By Id changes the next field to Id. Click Pick button along it to select the Id value as attribute/variable/literal.
9. The next Pick button is used to define the attributes to be exported from the lookup. 
10. Select the Exit as Mapper Task Failed on Lookup Failure checkbox to exit the task with failed status on lookup failure. It will not process the succeeding entries and will ignore the already processed entries and will not return any data. This is selected by default. 
11. Click OK.