
The Pros and Cons of SSO with Salesforce Identity Connect

By Brock Elgart 04.29.15
Reading time: 3 minutes

What is Salesforce Identity Connect?

Salesforce Identity Connect is an identity provider that connects a business's Active Directory domain to one or more Salesforce orgs. Once installed and configured, Active Directory users and Salesforce users are kept in sync, and users can sign in to Salesforce through their existing Windows login rather than a separate Salesforce password, without weakening the security of the org.

Pro: User Administration in Salesforce Reduced or Eliminated

Once Identity Connect is set up, you create a user in Active Directory and add it to the appropriate security groups. A matching Salesforce user is then created with the correct user information, profile, and permission set assignments, with no additional effort from the Salesforce administrator. Unmapped user fields can still be edited in Salesforce, and if you choose, changes to profile and permission set assignments made in Salesforce can be reflected in the user's group memberships back in Active Directory. The result is that day-to-day user administration in Salesforce is reduced or eliminated.

Con: Required Fields Must Be Administered Through Active Directory

Every user field that is required in Salesforce must be administered in Active Directory, because each one has to be mapped from an Active Directory attribute to the Salesforce user before users can be created automatically. Active Directory is the authoritative source for mapped fields: if the value of a required field (or any other field mapped from Active Directory) is changed in Salesforce, the next sync rolls it back to the value in Active Directory. This becomes a pain point for Username and Email when, for whatever reason, a user's Salesforce username must differ from their email address. Normally the Active Directory 'mail' attribute is mapped to both fields; if any user needs a different username and email, you have to add a user attribute in Active Directory to carry the username and map that instead.
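The following is an added example, not Identity Connect's own code, that models the two behaviours described in the last two sections: Active Directory group membership deciding a user's profile and permission sets, and Active Directory being authoritative for mapped fields, including an alternate username carried in a separate attribute. The attribute name extensionAttribute1, the group names, the profile and permission set names, and the sample users are assumptions constructed for illustration; the real product's mapping and correlation rules are configured in its own console.

```python
"""Toy model of an Active Directory -> Salesforce user sync.

Added example; not Identity Connect's code. Group names, profile and
permission set names, and the AD attribute 'extensionAttribute1' used to
carry an alternate username are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ADUser:
    sAMAccountName: str
    mail: str
    givenName: str
    sn: str
    memberOf: List[str]
    extensionAttribute1: str = ""  # assumed: alternate Salesforce username, if any


# Assumed group -> profile / permission set rules. The first matching rule
# that names a profile wins; permission sets accumulate across all matches.
GROUP_RULES = [
    ("SF-Admins",   {"ProfileName": "System Administrator", "PermissionSets": []}),
    ("SF-Sales",    {"ProfileName": "Standard User",        "PermissionSets": ["Sales_Reports"]}),
    ("SF-Forecast", {"ProfileName": None,                   "PermissionSets": ["Forecast_Manager"]}),
]

# Fields for which Active Directory is authoritative: a Salesforce-side edit
# to any of these is rolled back on the next sync.
MAPPED_FIELDS = ("Username", "Email", "FirstName", "LastName",
                 "ProfileName", "PermissionSets")


def map_user(ad: ADUser) -> Dict:
    """Derive the Salesforce user record that Active Directory says this user should have."""
    profile = None
    permsets: List[str] = []
    for group, rule in GROUP_RULES:
        if group not in ad.memberOf:
            continue
        if profile is None and rule["ProfileName"]:
            profile = rule["ProfileName"]
        for ps in rule["PermissionSets"]:
            if ps not in permsets:
                permsets.append(ps)
    return {
        # 'mail' feeds both Username and Email unless an alternate username exists.
        "Username": ad.extensionAttribute1 or ad.mail,
        "Email": ad.mail,
        "FirstName": ad.givenName,
        "LastName": ad.sn,
        "ProfileName": profile,
        "PermissionSets": permsets,
    }


def reconcile(ad_users: List[ADUser], sf_users: Dict[str, Dict]) -> Tuple[Dict[str, Dict], List[str]]:
    """One sync pass keyed on sAMAccountName. Returns (new Salesforce user table, change log).

    Mapped fields are forced to the Active Directory value; unmapped fields
    (e.g. Phone) are left exactly as they are in Salesforce.
    """
    result = {key: dict(rec) for key, rec in sf_users.items()}  # never mutate the input
    log: List[str] = []
    for ad in ad_users:
        target = map_user(ad)
        if target["ProfileName"] is None:
            # Profile is required in Salesforce, so a user no group maps to cannot be created.
            log.append(f"skip {ad.sAMAccountName}: no group maps to a Salesforce profile")
            continue
        current = result.get(ad.sAMAccountName)
        if current is None:
            result[ad.sAMAccountName] = dict(target)
            log.append(f"create {ad.sAMAccountName} as {target['Username']}")
            continue
        for fld in MAPPED_FIELDS:
            if current.get(fld) != target[fld]:
                log.append(f"revert {ad.sAMAccountName}.{fld}: {current.get(fld)!r} -> {target[fld]!r}")
                current[fld] = target[fld]
    return result, log


# Constructed sample data (not real directory contents).
AD_USERS = [
    ADUser("jdoe", "jdoe@example.com", "John", "Doe", ["SF-Sales", "SF-Forecast"]),
    ADUser("asmith", "asmith@example.com", "Ann", "Smith", ["SF-Admins"],
           extensionAttribute1="asmith@example.com.prod"),   # username must differ from email
    ADUser("bjones", "bjones@example.com", "Bob", "Jones", ["Finance"]),  # no Salesforce group
]

SF_USERS = {
    "jdoe": {"Username": "jdoe@example.com", "Email": "john.doe@example.com",  # edited in Salesforce
             "FirstName": "John", "LastName": "Doe", "ProfileName": "Standard User",
             "PermissionSets": ["Sales_Reports", "Forecast_Manager"], "Phone": "+1 555 0100"},
}

if __name__ == "__main__":
    synced, changes = reconcile(AD_USERS, SF_USERS)
    for line in changes:
        print(line)
    print(synced["jdoe"]["Email"], synced["jdoe"]["Phone"], synced["asmith"]["Username"])
```

Run it directly to see the change log: the `revert` line is the rollback of an Email value someone edited in Salesforce, the unmapped Phone field survives untouched, asmith is created with a username that differs from their email only because a separate attribute carries it, and bjones is skipped because no group grants a profile, which Salesforce requires.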

Pro: Salesforce Login Page Eliminated Without Compromising Security

Identity Connect can be set up with Integrated Windows Authentication (IWA) so that users who are logged in to the Active Directory domain are logged in to Salesforce automatically. This is done by configuring each user's browser to open a login link on startup; if the Active Directory user is synced to a Salesforce user, the browser is redirected straight into Salesforce. This can be immensely powerful in driving adoption if your organization is new to the Salesforce platform, or if employees simply do not use it as much as you would like. Security is not compromised because the login link only works for a user who has already authenticated to Active Directory. Be aware, though, that this makes the Salesforce session exactly as strong as the Windows logon: anyone at an unlocked, domain-joined workstation reaches Salesforce without being asked for anything, so workstation screen-lock and session-timeout policies now carry part of the Salesforce security burden.

Con: Only One Salesforce Org Can Be Configured for Automatic Login

While you can set up Identity Connect to connect multiple Salesforce orgs to one Active Directory domain, only one login link is provided. Once IWA is set up and the login link is configured to open when the user starts their browser, the user still has to choose which Salesforce org to be logged in to. If your intention is to drive adoption across multiple orgs, this reduces the effectiveness of Identity Connect.

Pro: Identity Provider and CRM Are on the Same Platform

Identity Connect is owned by Salesforce, so support for Identity Connect goes through the same Salesforce Support service as the CRM application. The Identity Connect support team therefore has a stronger stake in your success than a third-party identity provider would, because your experience with Identity Connect shapes your overall satisfaction with Salesforce. This is also an advantage when an issue could be attributed either to the CRM application or to the identity service: you never need to guess which vendor to log a case with, or open a new case with another vendor after the first one decides the problem lies in the other product.

Con: Setup Requires a Salesforce Technical Expert

While some identity services can be set up by your IT department, Identity Connect requires help from someone with technical expertise on the Salesforce platform. The benefits certainly outweigh this disadvantage, but be aware of it when deciding whether to go with Identity Connect as your identity provider. If you do not have a Salesforce technical expert in your firm, you will have to pay a consultant to aid in the initial implementation.

Given these considerations, Identity Connect is a valuable tool for organizations that want both to reduce Salesforce user administration by leveraging the data already in their Active Directory and to simplify the Salesforce login process. For organizations that only want to simplify the login process, most of the product's capability will go unused, and a less robust solution that is simpler to set up is the better choice.

About the Author

Brock has been a Developer at Silverline since June of 2013. He manages development for the support team and is a subject matter expert on Identity Connect implementations, having been involved in all of Silverline’s Identity Connect implementations to date.