Salesforce connector

The Salesforce connector lets you provision, reconcile, and synchronize users between Salesforce and the IDM managed user repository.

This topic describes how to install and configure the Salesforce connector, and how to perform basic tests to ensure that it’s running correctly.

For a complete example that includes the configuration required to synchronize users with this connector, refer to Synchronize users between Salesforce and IDM.

Before you configure the Salesforce connector

The instructions in this topic assume that you have an existing Salesforce organization, a Salesforce administrative account, and a Connected App with OAuth enabled.

For instructions on setting up a Connected App, refer to the corresponding Salesforce documentation. When you have set up the Connected App, locate the Consumer Key and Consumer Secret. You will need these details to configure the connector.

The Salesforce connector is bundled with IDM and Identity Cloud and has no specific installation requirements.

Install the Salesforce connector

You can download any connector from the ForgeRock BackStage download site, but some come bundled with Identity Cloud, IDM, or RCS by default. When using a bundled connector, you can skip installing it and move directly to configuration.

Bundle availability
Connector	Identity Cloud	IDM	RCS
Salesforce connector	Yes	Yes	No

Download the connector .jar file from the ForgeRock BackStage download site.

If you are running the connector locally, place it in the /path/to/openidm/connectors directory, for example:
```
mv ~/Downloads/salesforce-connector-1.5.20.18.jar /path/to/openidm/connectors/
```
If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Configure the Salesforce connector

Create a connector configuration using the IDM admin UI:

From the navigation bar, click Configure > Connectors.
On the Connectors page, click New Connector.
On the New Connector page, type a Connector Name.
From the Connector Type drop-down list, select Salesforce Connector - 1.5.20.18.

Complete the Base Connector Details.

The Login URL is the OAuth endpoint used to make the OAuth authentication request to Salesforce.

When you create your connected app, you are instructed to wait 2-10 minutes for the settings to propagate across all the Salesforce data centers. If you are using a Salesforce test tenant, such as https://eu26.lightning.force.com, you can specify a custom URL here and enter the FQDN of the test tenant. This lets you test the connector without waiting for the new app settings to be propagated.

For a list of all configuration properties, refer to Salesforce Connector Configuration

The connector attempts to access your Salesforce organization.

Enter your Salesforce login credentials.
On the permission request screen, click Allow to enable IDM to access your Salesforce Connected App.
Click Save.

When your connector is configured correctly, the connector displays as Active in the admin UI.

Refer to this procedure to create a connector configuration over REST.

Configure the Salesforce connector with a configuration file

IDM provides a sample connector configuration file in the /path/to/openidm/samples/example-configurations/provisioners directory.

Copy this sample file (provisioner.openicf-salesforce.json) to your project’s conf directory and set at least the following properties, based on the grant type:

Refresh token
Client credentials

"configurationProperties" : {
    "grantType" : "refresh_token",
    "refreshToken" : "refreshToken",
    "loginUrl" : "loginURL",
    "clientSecret" : "clientSecret",
    "clientId" : "clientId",
    "instanceUrl" : "instanceURL"
}

"configurationProperties" : {
    "grantType" : "client_credentials",
    "loginUrl" : "loginURL",
    "clientSecret" : "clientSecret",
    "clientId" : "clientId",
    "instanceUrl" : "instanceURL"
}

loginUrl

The OAuth endpoint that will be used to make the OAuth authentication request to Salesforce.

The default endpoint for a production system is https://login.salesforce.com/services/oauth2/token. The default endpoint for a sandbox (test) system is https://test.salesforce.com/services/oauth2/token.

clientSecret

The Consumer Secret associated with your Connected App.

clientId

The Consumer Key associated with your Connected App.

grantType

The OAuth2 grant type to use (client_credentials or refresh_token).

client_credentials: This grant type requires clientId, clientSecret, loginURL, and instanceURL.
refresh_token: This grant type requires clientId, clientSecret, loginURL, and instanceURL, and refreshToken.

refreshToken

The admin UI gets the refreshToken automatically during connector configuration. Required when the grant type is refresh_token. To manually get the value, refer to Get the refreshToken and instanceURL.

instanceURL

The admin UI gets the instanceURL automatically during connector configuration when using the refresh_token grant type. For the client_credentials grant type, you must provide the value. This is typically a well-known value, but to manually get the value, refer to Get the refreshToken and instanceURL.

Get the `refreshToken` and `instanceURL`

Browse to the following URL:
```
SALESFORCE_URL/services/oauth2/authorize?response_type=code&client_id=CONSUMER_KEY&redirect_uri=REDIRECT_URI&scope=id+api+refresh_token
```
- SALESFORCE_URL is one of the following:
  - A production URL (https://login.salesforce.com)
  - A sandbox URL (https://test.salesforce.com)
  - A custom Salesforce MyDomain URL, such as https://ic-example-com--SUP1.cs21.my.salesforce.com
- CONSUMER_KEY is the Consumer Key associated with the Connected App that you created within your Salesforce organization.
- REDIRECT_URI is the IDM URI Salesforce should redirect to during authentication. It must match the Redirect URI specified within your Salesforce Connect App configuration, for example:
  https://localhost:8443/
You are redirected to Salesforce, and prompted to give this application access to your Salesforce account. When you have given consent, you should receive a response URL that looks similar to the following:
```
https://localhost:8443/admin/index.html#connectors/edit//&code=aPrxJZTK7Rs03PU634VK8Jn9o_U3ZY1ERxM7IiklF...
```
The &code part of this URL is an authorization code, that you need for the following step.

This authorization code expires after 10 minutes. If you do not complete the OAuth flow within that time, you will need to start this process again.

Copy the authorization code from the response URL and use it as the value of the code parameter in the following REST call. The consumer-key, redirect-uri, and SALESFORCE_URL must match what you used in the first step of this procedure:

curl \
--verbose \
--data "grant_type=authorization_code" \
--data "client_id=consumer-key" \
--data "client_secret=consumer-secret" \
--data "redirect_uri=https://localhost:8443/" \
--data "code=access-token-code" \
"SALESFORCE_URL/services/oauth2/token"
{
  "access_token": "00DS0000003K4fU!AQMAQOzEU.8tCjg8Wk79yKPKCtrtaszX5jrHtoT4NBpJ8x...",
  "signature": "2uREX1lseXdg3Vng/2+Hrlo/KHOWYoim+poj74wKFtw=",
  "refresh_token": "5Aep861KIwKdekr90I4iHdtDgWwRoG7O_6uHrgJ.yVtMS0UaGxRqE6WFM77W7...",
  "token_type": "Bearer",
  "instance_url": "https://example-com.cs1.my.salesforce.com",
  "scope": "id api refresh_token",
  "issued_at": "1417182949781",
  "id": "https://login.salesforce.com/id/00DS0000003K4fUMAS/00530000009hWLcAAM"
}

The output includes the refresh_token and instance_url you need to configure the connector.

Set "enabled" : true to enable the connector.
Save the connector configuration.

Use the Salesforce connector with a proxy server

If the IDM server is hosted behind a firewall and requests to the resource server are routed through a proxy, you must specify the proxy information in the connector configuration. The Salesforce connector supports two mutually exclusive configuration properties for specifying the proxy: proxyHost and proxyUri.

To specify the proxy server details using an HTTP scheme, set the proxyHost and proxyPort properties in the connector configuration. If the proxy requires authentication, set the proxyUsername and proxyPassword properties. For example:

"configurationProperties": {
    ...
    "proxyHost": "myproxy.example.com",
    "proxyPort": 8080,
    "proxyUsername": "hgale815",
    "proxyPassword": "password123",
    ...
}

To specify the proxy server details using a URI, set the proxyUri property in the connector configuration. The proxyUri property contains the scheme, host, and port. If the proxy requires authentication, set the proxyUsername and proxyPassword properties. For example:

"configurationProperties": {
    ...
    "proxyUri": "https://myproxy.example.com:8080",
    "proxyUsername": "hgale815",
    "proxyPassword": "password123",
    ...
}

Test the Salesforce connector

Test that the configuration is correct by running the following command:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system/salesforce?_action=test"
{
  "name": "salesforce",
  "enabled": true,
  "config": "config/provisioner.openicf/salesforce",
  "connectorRef": {
    "bundleVersion": "[1.5.0.0,1.6.0.0)",
    "bundleName": "org.forgerock.openicf.connectors.salesforce-connector",
    "connectorName": "org.forgerock.openicf.connectors.salesforce.SalesforceConnector"
  },
  "displayName": "Salesforce Connector",
  "objectTypes": [
    "__ALL__",
    "User"
  ],
  "ok": true
}

+ If the command returns "ok": true, your connector has been configured correctly, and can authenticate to Salesforce.

Salesforce remote connector

If you want to run this connector outside of Identity Cloud or IDM, you can configure the Salesforce connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within Identity Cloud or installed locally on IDM.

You can download the Salesforce connector from here.

Refer to Remote connectors for configuring the Salesforce remote connector.

Implementation Specifics

For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The Salesforce connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value. Salesforce does not support multi-valued attributes.
Attributes themselves cannot be removed from Salesforce. The connector therefore performs an update with "" as the value of the attribute being removed. This sets the value of the removed attribute to null.

Salesforce does not support application user DELETE requests.
The Salesforce connector supports any Salesforce object that is available to the API. To check which objects are available, log in to Salesforce Workbench to access the API explorer. This URL points to Version 49 of the API. Adjust the URL for the latest API version.

Because the number of Salesforce objects is potentially very large, the Salesforce connector configuration includes a supportedObjectTypes property that lets you specify the objects you want to support. The connector checks the metadata in Salesforce for each of the objects you list in this property, and dynamically builds the required schema. The sample connector configuration file (provisioner.openicf-salesforce.json) generates the schema only for the User object:
```
{
    ...
    "configurationProperties": {
        ...
        "supportedObjectTypes": [
            "User"
        ]
    },
}
```
You can add any object to the list of supportedObjectTypes, and the connector will build the schema for that object.
The Salesforce API restricts how query results can be paged. The default, and maximum page size is 2000. The minimum page size is 200. The Salesforce API does not guarantee that the requested page size is the actual page size. Returned results might vary, to maximize performance.

For example, the following query (with "pageSize=1") might return more than one user if more than one user exists in Salesforce:
```
http://localhost:8080/openidm/system/salesforce/user?_queryId=query-all-ids&_pageSize=1
```
For more information, refer to the Salesforce documentation.

Permission sets and groups

The Salesforce connector can display and allow you to interact with a user’s groups and permissions on the user’s data model. This is done through the __PermissionSetIds__ and __GroupIds__ attributes.

Configure permission sets and groups

To configure these attributes, add the following to the user object in your provisioner file:

[...]
    "__PermissionSetIds__" : {
        "type" : "array",
        "items" : {
            "type" : "string",
            "nativeType" : "string"
        },
        "nativeName" : "__PermissionSetIds__",
        "nativeType" : "string",
        "absentIfEmpty" : true,
        "flags" : [
            "NOT_RETURNED_BY_DEFAULT"
        ]
    },
    "__GroupIds__" : {
        "type" : "array",
        "items" : {
            "type" : "string",
            "nativeType" : "string"
        },
        "nativeName" : "__GroupIds__",
        "nativeType" : "string",
        "absentIfEmpty" : true,
        "flags" : [
            "NOT_RETURNED_BY_DEFAULT"
        ]
    }

Both __PermissionSetIds__ and __GroupIds__ should have the NOT_RETURNED_BY_DEFAULT flag enabled.

Get a user’s permission sets and groups

When getting a user object, you must specifically request that the system return the __PermissionSetIds__ and __GroupIds__ fields. For example:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"https://localhost:8443/openidm/system/salesforce/User?_queryFilter=Alias+eq+"bjensen"&_fields=_id,__PermissionSetIds__,__GroupIds__"

Salesforce assigns a default permission set to each created user.

Create a user with permissions sets and groups

To create a user object with associated permissions and groups, include the __PermissionSetIds__ and __GroupIds__ fields in the POST request. These fields are an array of strings.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
--data '{
  "Username": "bjensen@example.com",
  "LastName": "Jensen",
  "Email": "bjensen@example.com",
  "Alias": "bjensen",
  "LocaleSidKey": "en_US",
  "LanguageLocaleKey": "en_US",
  "FirstName": "Barbara"
  "TimeZoneSidKey": "America/Los_Angeles",
  "CommunityNickname": "bjensen"
  "ProfileId": "00e200000001ehhP"
  "__PermissionSetIds__": ["0P50300000QIbGAM"],
  "__GroupIds__": ["0J40700000DIg3Hm"]
}' \
"https://localhost:8443/openidm/system/salesforce/User?_action=create"

Update a user’s permission sets and groups

You can update a user’s permission sets and groups through the API using a PUT call. The following request adds a permission set and group to scarter, a user with id 00503000002XmQqAAK.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request PUT \
--data '{
    "OutOfOfficeMessage": "",
    "LastName": "Carter",
    "UserPreferencesSortFeedByComment": true,
    "UserPreferencesPathAssistantCollapsed": false,
    "BannerPhotoUrl": "/profilephoto/005/B",
    "EmailPreferencesAutoBcc": true,
    "TimeZoneSidKey": "America/Los_Angeles",
    "UserPreferencesHideLightningMigrationModal": false,
    "UserPreferencesFavoritesWTShown": false,
    "MediumPhotoUrl": "https://example.force.com/profilephoto/005/M",
    "UserPreferencesHideS1BrowserUI": false,
    "UserType": "Standard",
    "UserPreferencesDisableSharePostEmail": false,
    "UserPreferencesCreateLEXAppsWTShown": false,
    "UserPreferencesApexPagesDeveloperMode": false,
    "EmailPreferencesStayInTouchReminder": true,
    "UserPreferencesDisMentionsCommentEmail": false,
    "UserPreferencesShowMobilePhoneToExternalUsers": false,
    "Username": "scarter@example.com",
    "EmailEncodingKey": "UTF-8",
    "UserPreferencesShowFaxToExternalUsers": false,
    "UserPreferencesSuppressTaskSFXReminders": false,
    "UserPreferencesShowStateToGuestUsers": false,
    "UserPreferencesHideSfxWelcomeMat": true,
    "LanguageLocaleKey": "en_US",
    "UserPreferencesShowManagerToExternalUsers": false,
    "LastViewedDate": "2022-11-09T17:15:08.000+0000",
    "UserPermissionsAvantgoUser": false,
    "UserPreferencesHideCSNGetChatterMobileTask": false,
    "UserPreferencesPipelineViewHideHelpPopover": false,
    "UserPreferencesDisableLikeEmail": true,
    "UserPermissionsSupportUser": false,
    "UserPermissionsChatterAnswersUser": false,
    "FirstName": "Sam",
    "ForecastEnabled": false,
    "ReceivesAdminInfoEmails": false,
    "UserPreferencesDisableAllFeedsEmail": false,
    "LocaleSidKey": "en_US",
    "UserPreferencesHideCSNDesktopTask": false,
    "SystemModstamp": "2022-11-09T17:14:58.000+0000",
    "Id": "00503000002XmQqAAK",
    "UserPreferencesLightningExperiencePreferred": true,
    "UserPreferencesDisableBookmarkEmail": false,
    "UserPreferencesEventRemindersCheckboxDefault": true,
    "UserPreferencesDisableMentionsPostEmail": false,
    "CommunityNickname": "scarter",
    "UserPreferencesShowCityToExternalUsers": false,
    "UserPreferencesShowStreetAddressToExternalUsers": false,
    "IsProfilePhotoActive": false,
    "UserPreferencesDisProfPostCommentEmail": false,
    "CreatedById": "00530000009hWLcAAM",
    "UserPermissionsMobileUser": false,
    "UserPreferencesDisableLaterCommentEmail": false,
    "UserPreferencesShowMobilePhoneToGuestUsers": false,
    "UserPreferencesPreviewCustomTheme": false,
    "UserPermissionsCallCenterAutoLogin": false,
    "UserPreferencesPreviewLightning": false,
    "IsActive": true,
    "UserPreferencesDisableFileShareNotificationsForApi": false,
    "BadgeText": "",
    "UserPreferencesShowFaxToGuestUsers": false,
    "UserPreferencesHasCelebrationBadge": false,
    "UserPreferencesTaskRemindersCheckboxDefault": true,
    "LastReferencedDate": "2022-11-09T17:15:08.000+0000",
    "UserPreferencesDisableChangeCommentEmail": false,
    "FullPhotoUrl": "https://example.force.com/profilephoto/005/F",
    "UserPreferencesDisableEndorsementEmail": false,
    "UserPreferencesActivityRemindersPopup": true,
    "UserPreferencesEnableAutoSubForFeeds": false,
    "UserPreferencesShowStateToExternalUsers": false,
    "UserPermissionsOfflineUser": false,
    "UserPreferencesDisCommentAfterLikeEmail": false,
    "UserPreferencesShowTitleToGuestUsers": false,
    "SmallBannerPhotoUrl": "/profilephoto/005/D",
    "UserPreferencesShowWorkPhoneToExternalUsers": false,
    "MediumBannerPhotoUrl": "/profilephoto/005/E",
    "UserPreferencesShowProfilePicToGuestUsers": false,
    "UserPreferencesShowCountryToGuestUsers": false,
    "EmailPreferencesAutoBccStayInTouch": false,
    "UserPreferencesShowEmailToExternalUsers": false,
    "UserPreferencesShowWorkPhoneToGuestUsers": false,
    "UserPreferencesReminderSoundOff": false,
    "UserPreferencesUserDebugModePref": false,
    "LastModifiedById": "00530000009hWLcAAM",
    "UserPreferencesDisableFollowersEmail": false,
    "UserPreferencesHideEndUserOnboardingAssistantModal": false,
    "UserPreferencesShowStreetAddressToGuestUsers": false,
    "ReceivesInfoEmails": false,
    "UserPreferencesShowManagerToGuestUsers": false,
    "UserPreferencesExcludeMailAppAttachments": false,
    "UserPreferencesShowEmailToGuestUsers": false,
    "DigestFrequency": "D",
    "UserPreferencesRecordHomeReservedWTShown": false,
    "UserPermissionsMarketingUser": false,
    "UserPreferencesHideBiggerPhotoCallout": false,
    "UserPreferencesDisableProfilePostEmail": false,
    "UserPreferencesShowPostalCodeToExternalUsers": false,
    "LastModifiedDate": "2022-11-09T17:14:57.000+0000",
    "ProfileId": "00e30000001ehhPAAQ",
    "Name": "Sam Carter",
    "UserPreferencesNewLightningReportRunPageEnabled": false,
    "UserPermissionsSFContentUser": false,
    "UserPreferencesShowTitleToExternalUsers": true,
    "UserPreferencesGlobalNavBarWTShown": false,
    "UserPreferencesShowCityToGuestUsers": false,
    "UserPreferencesRecordHomeSectionCollapseWTShown": false,
    "Alias": "scarter",
    "DefaultGroupNotificationFrequency": "N",
    "__NAME__": "00503000002XmQqAAK",
    "UserPreferencesShowPostalCodeToGuestUsers": false,
    "UserPreferencesGlobalNavGridMenuWTShown": false,
    "UserPreferencesHideChatterOnboardingSplash": false,
    "UserPreferencesSuppressEventSFXReminders": false,
    "UserPreferencesFavoritesShowTopFavorites": false,
    "UserPreferencesDisableMessageEmail": false,
    "UserPreferencesCacheDiagnostics": false,
    "SmallPhotoUrl": "https://example.force.com/profilephoto/005/T",
    "IsExtIndicatorVisible": false,
    "Email": "scarter@example.com",
    "UserPreferencesShowCountryToExternalUsers": false,
    "CreatedDate": "2022-11-09T17:14:57.000+0000",
    "UserPreferencesHideSecondChatterOnboardingSplash": false,
    "__PermissionSetIds__": [
        "0PS30000000LFR9GAO"
    ],
    "__GroupIds__": [
        "00G03000001V8p5EAC"
    ]
}' \
"https://localhost:8443/openidm/system/salesforce/User/00503000002XmQqAAK"

Feature licenses

The Salesforce connector can query all supported feature licenses and return details of individual feature licenses. The feature licenses available to your organization depend on your Salesforce instance. For more information, refer to View Your Organization’s Feature Licenses in the Salesforce help site.

Configure supported feature licenses

To configure supported feature licenses, make the following changes to your connector configuration (provisioner.openicf-salesforce.json):

Add the supported feature licenses. For a complete list of licenses, refer to supportedFeatureLicenses in the Salesforce Connector Configuration.

For example, to add UserPermissionsOfflineUser, UserPermissionsMarketingUser, and UserPermissionsWorkDotComUserFeature as supported feature licenses:
```
"supportedFeatureLicenses": [
    "UserPermissionsOfflineUser",
    "UserPermissionsMarketingUser",
    "UserPermissionsWorkDotComUserFeature"
]
```

Add the __FeatureLicenses__ property to the User object:

"User" : {
    ...
    "properties" : {
        "__NAME__" : {
            "type" : "string",
            "nativeName" : "__NAME__",
            "nativeType" : "string"
        },
        "Id" : {
            "type" : "string",
            "nativeName" : "Id",
            "nativeType" : "string"
        },
        "__FeatureLicenses__" : {
            "type" : "array",
            "items" : {
                "type" : "string",
                "nativeType" : "string"
            },
            "nativeName" : "__FeatureLicenses__",
            "nativeType" : "string",
            "absentIfEmpty" : true,
            "flags" : [
                "NOT_RETURNED_BY_DEFAULT"
            ]
        },
        ...

Get a user’s feature licenses

When getting a user object, you must specifically request the system return the __FeatureLicenses__ field. For example:

Request

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"https://localhost:8443/openidm/system/salesforce/User?_queryFilter=Alias+eq+"birdch"&_fields=_id,__FeatureLicenses__"

Return

{
  "result": [
    {
      "_id": "00503000004PDoeAAG",
      "__FeatureLicenses__": [
        "UserPermissionsOfflineUser"
      ]
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

Create a user with feature licenses

To create a user object with associated feature licenses, include the __FeatureLicenses__ field in the POST request. This field is an array of strings.

Request

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
--data '{
  "Username": "birdyjbirch@example.com",
  "LastName": "birdyjbirch",
  "Email": "birdyjbirch@example.com",
  "Alias": "birdch",
  "LocaleSidKey": "en_US",
  "LanguageLocaleKey": "en_US",
  "EmailEncodingKey": "UTF-8",
  "FirstName": "birdyjbirch",
  "TimeZoneSidKey": "America/Los_Angeles",
  "CommunityNickname": "birdyjbirch",
  "ProfileId": "00e30000001ehhPAAQ",
  "__FeatureLicenses__": ["UserPermissionsOfflineUser"]
}' \
"https://localhost:8443/openidm/system/salesforce/User?_action=create"

Return

{
  "_id": "00503000004PDoeAAG",
  "UserPreferencesShowStreetAddressToExternalUsers": false,
  "ForecastEnabled": false,
  "DigestFrequency": "D",
  "UserPreferencesPipelineViewHideHelpPopover": false,
  "UserPermissionsMarketingUser": false,
  "UserPreferencesPreviewCustomTheme": false,
  "UserPreferencesDisMentionsCommentEmail": false,
  "UserPreferencesShowMobilePhoneToGuestUsers": false,
  "UserPermissionsCallCenterAutoLogin": false,
  "UserPreferencesApexPagesDeveloperMode": false,
  "UserPreferencesShowCountryToGuestUsers": false,
  "Id": "00503000004PDoeAAG",
  "UserPreferencesHasCelebrationBadge": false,
  "UserPreferencesShowPostalCodeToExternalUsers": false,
  "IsExtIndicatorVisible": false,
  "BadgeText": "",
  "UserPreferencesDisableProfilePostEmail": false,
  "Username": "birdyjbirch@example.com",
  "UserPreferencesLightningExperiencePreferred": true,
  "UserPreferencesShowWorkPhoneToExternalUsers": false,
  "EmailPreferencesStayInTouchReminder": true,
  "UserPreferencesHideLightningMigrationModal": false,
  "UserPreferencesGlobalNavGridMenuWTShown": false,
  "EmailEncodingKey": "UTF-8",
  "UserPreferencesDisProfPostCommentEmail": false,
  "UserPreferencesHideCSNDesktopTask": false,
  "LastModifiedById": "00530000009hWLcAAM",
  "UserPreferencesShowStreetAddressToGuestUsers": false,
  "UserPreferencesHideBiggerPhotoCallout": false,
  "UserPreferencesShowWorkPhoneToGuestUsers": false,
  "UserPreferencesSuppressEventSFXReminders": false,
  "UserPreferencesShowManagerToExternalUsers": false,
  "UserPreferencesShowPostalCodeToGuestUsers": false,
  "UserPermissionsMobileUser": false,
  "CreatedDate": "2023-07-21T23:39:02.000+0000",
  "UserPreferencesFavoritesWTShown": false,
  "UserPreferencesDisableLikeEmail": true,
  "UserPreferencesShowMobilePhoneToExternalUsers": false,
  "UserPreferencesDisableSharePostEmail": false,
  "IsActive": true,
  "LastName": "birdyjbirch",
  "FirstName": "birdyjbirch",
  "DefaultGroupNotificationFrequency": "N",
  "UserPermissionsAvantgoUser": false,
  "UserPreferencesHideCSNGetChatterMobileTask": false,
  "CommunityNickname": "birdyjbirch",
  "UserPreferencesShowCityToGuestUsers": false,
  "UserPreferencesShowEmailToGuestUsers": false,
  "UserPreferencesDisableChangeCommentEmail": false,
  "UserPreferencesHideSfxWelcomeMat": true,
  "EmailPreferencesAutoBcc": true,
  "BannerPhotoUrl": "/profilephoto/005/B",
  "UserPreferencesCacheDiagnostics": false,
  "UserPreferencesHideEndUserOnboardingAssistantModal": false,
  "UserPreferencesShowCityToExternalUsers": false,
  "UserPermissionsSupportUser": false,
  "UserPreferencesShowProfilePicToGuestUsers": false,
  "SmallPhotoUrl": "https://example.force.com/profilephoto/005/T",
  "UserPreferencesShowTitleToGuestUsers": false,
  "SystemModstamp": "2023-07-21T23:39:02.000+0000",
  "UserPreferencesDisableLaterCommentEmail": false,
  "LocaleSidKey": "en_US",
  "UserPreferencesSuppressTaskSFXReminders": false,
  "UserPreferencesDisableBookmarkEmail": false,
  "__NAME__": "00503000004PDoeAAG",
  "UserPermissionsOfflineUser": true, (1)
  "UserPreferencesActivityRemindersPopup": true,
  "UserPreferencesEnableAutoSubForFeeds": false,
  "UserPreferencesShowEmailToExternalUsers": false,
  "UserPreferencesReminderSoundOff": false,
  "UserPreferencesCreateLEXAppsWTShown": false,
  "UserPreferencesDisableMentionsPostEmail": false,
  "UserPreferencesExcludeMailAppAttachments": false,
  "OutOfOfficeMessage": "",
  "SmallBannerPhotoUrl": "/profilephoto/005/D",
  "UserPreferencesDisableFileShareNotificationsForApi": false,
  "UserPreferencesEventRemindersCheckboxDefault": true,
  "UserPreferencesRecordHomeSectionCollapseWTShown": false,
  "MediumBannerPhotoUrl": "/profilephoto/005/E",
  "UserPreferencesUserDebugModePref": false,
  "UserPreferencesHideS1BrowserUI": false,
  "MediumPhotoUrl": "https://example.force.com/profilephoto/005/M",
  "UserPreferencesPathAssistantCollapsed": false,
  "Email": "birdyjbirch@example.com",
  "UserType": "Standard",
  "UserPreferencesDisableMessageEmail": false,
  "ReceivesInfoEmails": false,
  "EmailPreferencesAutoBccStayInTouch": false,
  "UserPreferencesShowManagerToGuestUsers": false,
  "IsProfilePhotoActive": false,
  "LastModifiedDate": "2023-07-21T23:39:02.000+0000",
  "UserPreferencesTaskRemindersCheckboxDefault": true,
  "UserPreferencesDisableEndorsementEmail": false,
  "FullPhotoUrl": "https://example.force.com/profilephoto/005/F",
  "Name": "birdyjbirch birdyjbirch",
  "UserPreferencesDisCommentAfterLikeEmail": false,
  "UserPreferencesShowFaxToExternalUsers": false,
  "UserPreferencesSortFeedByComment": true,
  "UserPreferencesRecordHomeReservedWTShown": false,
  "UserPreferencesGlobalNavBarWTShown": false,
  "TimeZoneSidKey": "America/Los_Angeles",
  "UserPreferencesShowFaxToGuestUsers": false,
  "ProfileId": "00e30000001ehhPAAQ",
  "UserPreferencesHideSecondChatterOnboardingSplash": false,
  "UserPreferencesShowTitleToExternalUsers": true,
  "UserPreferencesNewLightningReportRunPageEnabled": false,
  "UserPermissionsChatterAnswersUser": false,
  "LanguageLocaleKey": "en_US",
  "ReceivesAdminInfoEmails": false,
  "UserPreferencesShowStateToGuestUsers": false,
  "Alias": "birdch",
  "UserPreferencesPreviewLightning": false,
  "UserPreferencesHideChatterOnboardingSplash": false,
  "UserPreferencesShowStateToExternalUsers": false,
  "CreatedById": "00530000009hWLcAAM",
  "UserPreferencesDisableFollowersEmail": false,
  "UserPreferencesDisableAllFeedsEmail": false,
  "UserPermissionsSFContentUser": false,
  "UserPreferencesShowCountryToExternalUsers": false,
  "UserPreferencesFavoritesShowTopFavorites": false
}

1	`UserPermissionsOfflineUser` is now `true`.

Update a user’s feature licenses

You can update a user’s feature licenses through the API using a PUT call. The following request adds a feature license to birdj, a user with id 00503000004PDmsAAG:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request PUT \
--data '{
  "UserPreferencesShowStreetAddressToExternalUsers": false,
  "ForecastEnabled": false,
  "DigestFrequency": "D",
  "UserPreferencesPipelineViewHideHelpPopover": false,
  "UserPermissionsMarketingUser": false,
  "LastReferencedDate": "2023-07-21T23:29:42.000+0000",
  "UserPreferencesPreviewCustomTheme": false,
  "UserPreferencesDisMentionsCommentEmail": false,
  "UserPreferencesShowMobilePhoneToGuestUsers": false,
  "UserPermissionsCallCenterAutoLogin": false,
  "UserPreferencesApexPagesDeveloperMode": false,
  "UserPreferencesShowCountryToGuestUsers": false,
  "Id": "00503000004PDmsAAG",
  "UserPreferencesHasCelebrationBadge": false,
  "UserPreferencesShowPostalCodeToExternalUsers": false,
  "IsExtIndicatorVisible": false,
  "BadgeText": "",
  "UserPreferencesDisableProfilePostEmail": false,
  "Username": "birdyjbird@example.com",
  "UserPreferencesLightningExperiencePreferred": true,
  "UserPreferencesShowWorkPhoneToExternalUsers": false,
  "EmailPreferencesStayInTouchReminder": true,
  "UserPreferencesHideLightningMigrationModal": false,
  "UserPreferencesGlobalNavGridMenuWTShown": false,
  "EmailEncodingKey": "UTF-8",
  "UserPreferencesDisProfPostCommentEmail": false,
  "UserPreferencesHideCSNDesktopTask": false,
  "LastModifiedById": "00530000009hWLcAAM",
  "UserPreferencesShowStreetAddressToGuestUsers": false,
  "UserPreferencesHideBiggerPhotoCallout": false,
  "UserPreferencesShowWorkPhoneToGuestUsers": false,
  "UserPreferencesSuppressEventSFXReminders": false,
  "UserPreferencesShowManagerToExternalUsers": false,
  "UserPreferencesShowPostalCodeToGuestUsers": false,
  "UserPermissionsMobileUser": false,
  "CreatedDate": "2023-07-21T23:29:41.000+0000",
  "UserPreferencesFavoritesWTShown": false,
  "UserPreferencesDisableLikeEmail": true,
  "UserPreferencesShowMobilePhoneToExternalUsers": false,
  "UserPreferencesDisableSharePostEmail": false,
  "IsActive": true,
  "LastName": "birdyjbird",
  "FirstName": "birdyjbird",
  "DefaultGroupNotificationFrequency": "N",
  "UserPermissionsAvantgoUser": false,
  "UserPreferencesHideCSNGetChatterMobileTask": false,
  "CommunityNickname": "birdyjbird",
  "UserPreferencesShowCityToGuestUsers": false,
  "UserPreferencesShowEmailToGuestUsers": false,
  "UserPreferencesDisableChangeCommentEmail": false,
  "UserPreferencesHideSfxWelcomeMat": true,
  "EmailPreferencesAutoBcc": true,
  "LastViewedDate": "2023-07-21T23:29:42.000+0000",
  "BannerPhotoUrl": "/profilephoto/005/B",
  "UserPreferencesCacheDiagnostics": false,
  "UserPreferencesHideEndUserOnboardingAssistantModal": false,
  "UserPreferencesShowCityToExternalUsers": false,
  "UserPermissionsSupportUser": false,
  "UserPreferencesShowProfilePicToGuestUsers": false,
  "SmallPhotoUrl": "https://example.force.com/profilephoto/005/T",
  "UserPreferencesShowTitleToGuestUsers": false,
  "SystemModstamp": "2023-07-21T23:29:41.000+0000",
  "UserPreferencesDisableLaterCommentEmail": false,
  "LocaleSidKey": "en_US",
  "UserPreferencesSuppressTaskSFXReminders": false,
  "UserPreferencesDisableBookmarkEmail": false,
  "__NAME__": "00503000004PDmsAAG",
  "UserPermissionsOfflineUser": false,
  "UserPreferencesActivityRemindersPopup": true,
  "UserPreferencesEnableAutoSubForFeeds": false,
  "UserPreferencesShowEmailToExternalUsers": false,
  "UserPreferencesReminderSoundOff": false,
  "UserPreferencesCreateLEXAppsWTShown": false,
  "UserPreferencesDisableMentionsPostEmail": false,
  "UserPreferencesExcludeMailAppAttachments": false,
  "OutOfOfficeMessage": "",
  "SmallBannerPhotoUrl": "/profilephoto/005/D",
  "UserPreferencesDisableFileShareNotificationsForApi": false,
  "UserPreferencesEventRemindersCheckboxDefault": true,
  "UserPreferencesRecordHomeSectionCollapseWTShown": false,
  "MediumBannerPhotoUrl": "/profilephoto/005/E",
  "UserPreferencesUserDebugModePref": false,
  "UserPreferencesHideS1BrowserUI": false,
  "MediumPhotoUrl": "https://example.force.com/profilephoto/005/M",
  "UserPreferencesPathAssistantCollapsed": false,
  "Email": "birdyjbird@example.com",
  "UserType": "Standard",
  "UserPreferencesDisableMessageEmail": false,
  "ReceivesInfoEmails": false,
  "EmailPreferencesAutoBccStayInTouch": false,
  "UserPreferencesShowManagerToGuestUsers": false,
  "IsProfilePhotoActive": false,
  "LastModifiedDate": "2023-07-21T23:29:41.000+0000",
  "UserPreferencesTaskRemindersCheckboxDefault": true,
  "UserPreferencesDisableEndorsementEmail": false,
  "FullPhotoUrl": "https://example.force.com/profilephoto/005/F",
  "Name": "birdyjbird birdyjbird",
  "UserPreferencesDisCommentAfterLikeEmail": false,
  "UserPreferencesShowFaxToExternalUsers": false,
  "UserPreferencesSortFeedByComment": true,
  "UserPreferencesRecordHomeReservedWTShown": false,
  "UserPreferencesGlobalNavBarWTShown": false,
  "TimeZoneSidKey": "America/Los_Angeles",
  "UserPreferencesShowFaxToGuestUsers": false,
  "ProfileId": "00e30000001ehhPAAQ",
  "UserPreferencesHideSecondChatterOnboardingSplash": false,
  "UserPreferencesShowTitleToExternalUsers": true,
  "UserPreferencesNewLightningReportRunPageEnabled": false,
  "UserPermissionsChatterAnswersUser": false,
  "LanguageLocaleKey": "en_US",
  "ReceivesAdminInfoEmails": false,
  "UserPreferencesShowStateToGuestUsers": false,
  "Alias": "birdj",
  "UserPreferencesPreviewLightning": false,
  "UserPreferencesHideChatterOnboardingSplash": false,
  "UserPreferencesShowStateToExternalUsers": false,
  "CreatedById": "00530000009hWLcAAM",
  "UserPreferencesDisableFollowersEmail": false,
  "UserPreferencesDisableAllFeedsEmail": false,
  "UserPermissionsSFContentUser": false,
  "UserPreferencesShowCountryToExternalUsers": false,
  "UserPreferencesFavoritesShowTopFavorites": false,
  "__FeatureLicenses__": [ (1)
    "UserPermissionsOfflineUser"
  ]
}' \
"https://localhost:8443/openidm/system/salesforce/User/00503000004PDmsAAG"

1	The `__FeatureLicenses__` array of strings to add to the user.

Query all supported feature licenses

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/system/salesforce/FeatureLicense?_queryFilter=true"
{
  "result": [
    {
      "_id": "UserPermissionsOfflineUser",
      "__NAME__": "UserPermissionsOfflineUser"
    },
    {
      "_id": "UserPermissionsMarketingUser",
      "__NAME__": "UserPermissionsMarketingUser"
    },
    {
      "_id": "UserPermissionsInteractionUser",
      "__NAME__": "UserPermissionsInteractionUser"
    }
  ],
  "resultCount": 3,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

Read a feature license

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/system/salesforce/FeatureLicense/UserPermissionsMarketingUser"
{
  "_id": "UserPermissionsMarketingUser",
  "__NAME__": "UserPermissionsMarketingUser"
}

OpenICF Interfaces Implemented by the Salesforce Connector

The Salesforce Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.
The script has access to any script arguments passed in by the application.

Search

Searches the target resource for all objects that match the specified object class and filter.

Sync

Polls the target resource for synchronization events, that is, native changes to objects on the target resource.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

Salesforce Connector Configuration

The Salesforce Connector has the following configurable properties:

Basic Configuration Properties

Property Type Default Encrypted⁽¹⁾ Required⁽²⁾

Property	Type	Default	Encrypted⁽¹⁾	Required⁽²⁾
`clientId`	`String`	`null`		Yes
The client identifier.
`clientSecret`	`GuardedString`	`null`	Yes	Yes
The secure client secret for OAUTH.
`grantType`	`String`	`refresh_token`		Yes
The OAuth2 grant type to use (client_credentials or refresh_token).
`refreshToken`	`GuardedString`	`null`	Yes	No
The refresh token for the application. Required for refresh_token grant type.
`loginUrl`	`String`	`https://login.salesforce.com/services/oauth2/token`		Yes
The endpoint from which a new access token should be queried (https://login.salesforce.com/services/oauth2/token).
`instanceUrl`	`String`	`null`		Yes
The URL of the Salesforce instance (such as https://example-com.cs1.my.salesforce.com).
`version`	`double`	`48.0`		No
The Salesforce API version.
`connectTimeout`	`long`	`120000`		No
The maximum connection timeout.
`proxyHost`	`String`	`null`		No
The hostname of an HTTP proxy used between the connector and the Salesforce service provider. Mutually exclusive with proxyUri and uses http scheme.
`proxyPort`	`Integer`	`3128`		No
The proxy port number, if an HTTP proxy is used between the connector and the Salesforce service provider.
`maximumConnections`	`int`	`10`		No
The maximum size of the HTTP connection pool.
`supportedObjectTypes`	`String[]`	`[]`		No
Defines a list of Salesforce objects that will be used to dynamically build the provisioner schema.
`proxyUri`	`String`	`null`		No
The URI of an HTTP proxy that contains the scheme, host, and port number for that proxy. Mutually exclusive with proxyHost.
`proxyUsername`	`String`	`null`		No
The proxy username to use with a proxy that requires authentication.
`proxyPassword`	`GuardedString`	`null`	Yes	No
The proxy user password to use with a proxy that requires authentication.
`supportedFeatureLicenses`	`String[]`	`['UserPermissionsChatterAnswersUser', 'UserPermissionsInteractionUser', 'UserPermissionsKnowledgeUser', 'UserPermissionsLiveAgentUser', 'UserPermissionsMarketingUser', 'UserPermissionsOfflineUser', 'UserPermissionsSFContentUser', 'UserPermissionsSupportUser', 'UserPermissionsSiteforceContributorUser', 'UserPermissionsSiteforcePublisherUser', 'UserPermissionsWorkDotComUserFeature']`		No
Defines a list of Salesforce feature licenses that can be assigned.

clientId

String

null

Yes

The client identifier.

clientSecret

GuardedString

null

Yes

The secure client secret for OAUTH.

grantType

String

refresh_token

Yes

The OAuth2 grant type to use (client_credentials or refresh_token).

refreshToken

GuardedString

null

Yes

The refresh token for the application. Required for refresh_token grant type.

loginUrl

String

https://login.salesforce.com/services/oauth2/token

Yes

The endpoint from which a new access token should be queried (https://login.salesforce.com/services/oauth2/token).

instanceUrl

String

null

Yes

The URL of the Salesforce instance (such as https://example-com.cs1.my.salesforce.com).

version

double

48.0

The Salesforce API version.

connectTimeout

long

120000

The maximum connection timeout.

proxyHost

String

null

The hostname of an HTTP proxy used between the connector and the Salesforce service provider. Mutually exclusive with proxyUri and uses http scheme.

proxyPort

Integer

3128

The proxy port number, if an HTTP proxy is used between the connector and the Salesforce service provider.

maximumConnections

int

10

The maximum size of the HTTP connection pool.

supportedObjectTypes

String[]

[]

Defines a list of Salesforce objects that will be used to dynamically build the provisioner schema.

proxyUri

String

null

The URI of an HTTP proxy that contains the scheme, host, and port number for that proxy. Mutually exclusive with proxyHost.

proxyUsername

String

null

The proxy username to use with a proxy that requires authentication.

proxyPassword

GuardedString

null

Yes

The proxy user password to use with a proxy that requires authentication.

supportedFeatureLicenses

String[]

['UserPermissionsChatterAnswersUser', 'UserPermissionsInteractionUser', 'UserPermissionsKnowledgeUser', 'UserPermissionsLiveAgentUser', 'UserPermissionsMarketingUser', 'UserPermissionsOfflineUser', 'UserPermissionsSFContentUser', 'UserPermissionsSupportUser', 'UserPermissionsSiteforceContributorUser', 'UserPermissionsSiteforcePublisherUser', 'UserPermissionsWorkDotComUserFeature']

Defines a list of Salesforce feature licenses that can be assigned.

⁽¹⁾ Whether the property value is considered confidential, and is therefore encrypted in IDM.

⁽²⁾ A list of operations in this column indicates that the property is required for those operations.

ICF 1.5.20.19

Salesforce connector

Before you configure the Salesforce connector

Install the Salesforce connector

Configure the Salesforce connector

Configure the Salesforce connector with a configuration file

Get the refreshToken and instanceURL

Use the Salesforce connector with a proxy server

Test the Salesforce connector

Salesforce remote connector

Implementation Specifics

Permission sets and groups

Configure permission sets and groups

Get a user’s permission sets and groups

Create a user with permissions sets and groups

Update a user’s permission sets and groups

Feature licenses

Configure supported feature licenses

Get a user’s feature licenses

Create a user with feature licenses

Update a user’s feature licenses

Query all supported feature licenses

Read a feature license

OpenICF Interfaces Implemented by the Salesforce Connector

Salesforce Connector Configuration

Basic Configuration Properties

Get the `refreshToken` and `instanceURL`