The Silverline Blog

The Pros and Cons of SSO with Salesforce Identity Connect


What is Salesforce Identity Connect?

Salesforce Identity Connect is an Identity Provider that allows businesses to connect their Active Directory network with Salesforce. Once installed, Salesforce users and Active Directory users can be synchronized, and steps can be taken to simplify or eliminate the Salesforce login process without compromising security.

Pro: User Administration in Salesforce Reduced or Eliminated

Once Identity Connect is set up, you can create a user in Active Directory and assign it to the appropriate user groups. When this happens, a matching Salesforce user is created with the correct user information, profile, and permission set assignments without any additional effort on the part of the Salesforce Administrator. If desired, user fields can still be controlled in Salesforce, and changes to profile and permission set assignments can be reflected in user group assignments back in Active Directory. This allows user administration in Salesforce to be reduced or eliminated.

Con: Required Fields Must Be Administered Through Active Directory

Any user fields that are required in Salesforce must be administered in Active Directory. These fields have to be mapped from the Active Directory user to the Salesforce user so that users can be created automatically in Salesforce when they are created in Active Directory. As a result, if the value of a required user field (or any field that is mapped from Active Directory to Salesforce) is updated in Salesforce, it will be rolled back to whatever the value is in Active Directory on the next synchronization. This can be a pain point for fields such as username and email if, for whatever reason, a user’s username in Salesforce needs to be different from their email. Normally the Active Directory ‘mail’ attribute can be mapped to both. If any user needs a username that differs from their email, however, a separate user field has to be created in Active Directory to hold it.
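The two behaviours described above (group membership driving profile and permission set assignment, and Active Directory being authoritative for every mapped field, so that a Salesforce-side edit is rolled back) are easy to misjudge until you see them run. The following is an added model written for this post, not Identity Connect's own code: the mapping tables, group names, the custom `sfdcUsername` attribute and the sample AD record are all constructed for the example, and the functions `sync_user`, `groups_for` and `demo` are hypothetical.

```python
from dataclasses import dataclass, field

# Salesforce field -> AD attribute. With the usual setup, 'mail' feeds both Username and Email.
DEFAULT_MAPPING = {
    "Username": "mail",
    "Email": "mail",
    "FirstName": "givenName",
    "LastName": "sn",
}
# Same mapping, but Username comes from a separate custom AD attribute
# ('sfdcUsername' is a constructed, hypothetical attribute name).
SPLIT_MAPPING = {**DEFAULT_MAPPING, "Username": "sfdcUsername"}

# AD group -> Salesforce profile / permission set. Group names are constructed for the example.
PROFILE_GROUPS = {"SFDC-Admins": "System Administrator", "SFDC-Sales": "Standard User"}
PERMSET_GROUPS = {"SFDC-Reports": "Report Builder"}


@dataclass
class SalesforceUser:
    fields: dict = field(default_factory=dict)
    profile: str = ""
    permission_sets: set = field(default_factory=set)


def sync_user(ad_user, sf_user=None, mapping=DEFAULT_MAPPING):
    """Push AD values into the mapped Salesforce fields and derive the profile and
    permission sets from AD group membership. AD is authoritative for every mapped
    field, so a Salesforce-side edit to one of them is overwritten here.
    Returns (user, list of fields whose Salesforce value was rolled back)."""
    if sf_user is None:
        sf_user = SalesforceUser()  # user created in AD -> user created in Salesforce
    rolled_back = []
    for sf_field, ad_attr in mapping.items():
        if ad_attr not in ad_user:
            # A required Salesforce field with no AD source cannot be provisioned automatically.
            raise KeyError(f"AD attribute {ad_attr!r} needed for {sf_field} is missing")
        ad_value = ad_user[ad_attr]
        if sf_field in sf_user.fields and sf_user.fields[sf_field] != ad_value:
            rolled_back.append(sf_field)
        sf_user.fields[sf_field] = ad_value

    groups = set(ad_user.get("memberOf", []))
    profiles = sorted(PROFILE_GROUPS[g] for g in groups if g in PROFILE_GROUPS)
    if not profiles:
        raise ValueError("user is in no AD group that maps to a Salesforce profile")
    sf_user.profile = profiles[0]  # one profile per user; first in sorted order wins in this model
    sf_user.permission_sets = {PERMSET_GROUPS[g] for g in groups if g in PERMSET_GROUPS}
    return sf_user, rolled_back


def groups_for(sf_user):
    """Reverse direction: the AD groups that express this user's current profile and
    permission set assignments, for writing assignment changes back to AD."""
    groups = {g for g, p in PROFILE_GROUPS.items() if p == sf_user.profile}
    groups |= {g for g, ps in PERMSET_GROUPS.items() if ps in sf_user.permission_sets}
    return groups


# Constructed sample AD record.
AD_USER = {
    "givenName": "Pat",
    "sn": "Example",
    "mail": "pat.example@example.com",
    "sfdcUsername": "pat.example@example.com.prod",
    "memberOf": ["SFDC-Sales", "SFDC-Reports"],
}


def demo():
    # 1. User appears in AD -> matching Salesforce user is created with profile and permission sets.
    user, _ = sync_user(AD_USER)
    # 2. An admin edits Username in Salesforce; the next sync rolls it back to AD's 'mail'.
    user.fields["Username"] = "pat.example@example.com.prod"
    user, rolled_back = sync_user(AD_USER, user)
    # 3. Mapping Username to its own AD attribute lets username and email differ without rollback.
    split_user, _ = sync_user(AD_USER, mapping=SPLIT_MAPPING)
    return rolled_back, user.fields["Username"], split_user.fields["Username"], split_user.fields["Email"]


if __name__ == "__main__":
    print(demo())
```

The model makes the trade-off concrete: with `DEFAULT_MAPPING` the Salesforce edit in step 2 is reported as rolled back, and only `SPLIT_MAPPING`, which needs the extra attribute on the AD side, lets a username diverge from the email address.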

Pro: Salesforce Login Page Eliminated Without Compromising Security

Identity Connect can be set up with Integrated Windows Authentication (IWA) to allow users to be logged into Salesforce automatically when they are logged in to Active Directory. This is done by configuring the user’s browser to navigate to a login link on startup. If their Active Directory user is synced to a user in Salesforce, they will be redirected to Salesforce. This can be immensely powerful in driving user adoption if your organization is new to the Salesforce platform, or if your employees simply do not use it as much as you would like. Security is not compromised because the user must be logged into Active Directory for the login link to work.

Con: Only One Salesforce Org Can Be Configured for Automatic Login

While you can set up Identity Connect to connect multiple Salesforce instances to your Active Directory network, only one login link is provided. This means that once IWA is set up and the login link is configured to open when the user starts their web browser, the user will still have to select which Salesforce instance to be logged into. If your intention is to drive user adoption across multiple Salesforce instances, this will reduce the effectiveness of Identity Connect.

Pro: Identity Provider and CRM Are on the Same Platform

Identity Connect is owned by Salesforce, which means support for Identity Connect is run through the same Salesforce Support service as the CRM application. This means that the Identity Connect support team is more invested in your success than another Identity Provider would be, because your experience with Identity Connect influences your overall satisfaction with Salesforce. This is also an advantage when dealing with an issue that could potentially be attributed to either the CRM application or the Identity service. You will never need to guess which vendor to log a case with, or have to log a new case with another vendor if they determine that the issue lies in the other application.

Con: Setup Requires a Salesforce Technical Expert

While some identity services can be set up by your IT Department, Identity Connect requires assistance from an individual with technical expertise on the Salesforce Platform. While the benefits certainly outweigh the disadvantages, be aware of this fact when deciding whether or not to go with Identity Connect as your identity provider. If you do not have a Salesforce technical expert in your firm, you will have to pay a consultant to aid in the initial implementation.

Given these considerations, Identity Connect is a valuable tool for organizations that wish to both reduce Salesforce user administration by leveraging the data in their Active Directory network and simplify the Salesforce login process. For organizations that only want to simplify the login process, the full utility of the product will go unused, and it is better to go with a less robust solution that is simpler to set up.

To learn more about tools the Silverline team finds valuable, click here.

About the Author

Brock Elgart

Brock has been a Developer at Silverline since June of 2013. He manages development for the support team and is a subject matter expert on Identity Connect implementations, having been involved in all of Silverline’s Identity Connect implementations to date.

5 Comments on "The Pros and Cons of SSO with Salesforce Identity Connect"
Brad Elgart

Having deployed Identity Connect on our network, I can honestly say even some of the cons can be seen as pros. For example, using Active Directory (AD) to control certain fields in Salesforce forces Network Admins to keep things up to date in AD because people are paying attention to what is in Salesforce. Some data in AD can easily get stale, especially at companies in the SMB market. Network Admins have to wear many more hats than ones working for larger companies, and making sure someone’s job title is up to date can easily drop in importance when things get…
Adam sellers

In response to the multiple orgs question, you authenticate with the single org and then, using the SSO features in Salesforce, build an app launcher to authenticate to the other orgs as required.

Again, as the identity services are all on platform, you get fine grained access control with profiles and permission sets.

Arun

Will this help to prevent a username from logging into multiple sessions at once? Please advise.

Brock

Hi Adam

Normally when you set up Identity Connect with IWA you can navigate to a link and be logged into a specific Salesforce instance in that window. Are you suggesting an end result where the user would be able to use the app launcher to jump to other Salesforce Orgs?

nelson

I realize this is an old thread, but how did you get IWA to work with Identity Connect? Our internal domain is a domain.local. Initially I set up the IdC server as Idc.domain.com, as we run split DNS and wanted to use a 3rd party CA for the cert, but couldn’t get the Kerberos stuff to run. I blew that away and did it again with Idc.domain.local (keeping a record defined in the .com zone), successfully created the Kerberos file, uploaded it, did the cert, but can’t IWA in. I tried adding the site to trusted sites, didn’t work, removed, added…