Known issues and limitations
The following are known issues or limitations with the Salesforce Connector.
Known issues
- In PingFederate 9.3 and earlier, PingFederate provisions users as groups, creating unwanted groups. PingFederate also tries to provision groups as users, resulting in error log messages. This only affects configurations where group provisioning is enabled and the datastore is Oracle Directory or PingDirectory.
Known limitations
- Attributes
  - The provisioning connector can’t clear user attributes once they’ve been set.
- Certificates
  - Adding a new certificate to PingFederate’s trusted CA store for use in a secure LDAP or LDAPS connection requires a server restart when a secure LDAP connection has already been attempted or established.
- Deprovisioning
  - When deprovisioning a Salesforce customer or partner user, the provisioning connector doesn’t unlink the user from the associated contact.
  - If a customer or partner user is unlinked in Salesforce from the associated contact, any change to the user in the datastore causes the provisioning connector to create a new user in Salesforce and link it to the existing contact.
  - Guest users in Salesforce can’t be frozen. If "Freeze users instead of disable" is selected in your provisioning options, the guest user won’t be disabled or frozen.
  - After deleting an LDAP user account, the provisioner doesn’t remove the user in the next provisioning cycle when Group DN is specified until a new user is added to the targeted group. This limitation is compounded when the User Create provisioning option is disabled. You can find more details in "SaaS provisioner does not remove the user when Group DN is specified" in the Ping Identity Knowledge Base.
- Groups
  - Group synchronization is based on group name. If multiple groups have the same name, the provisioner syncs to the group that is returned first.
- Performance
  - The Salesforce Provisioner dynamically retrieves data from your Salesforce instance. Depending on your Salesforce environment, this could cause a delay when you create an SP connection to Salesforce.
  - If multiple PingFederate administrators are creating connections to Salesforce at the same time, the attribute mapping page might not show attributes from Salesforce correctly.
- Refresh tokens
  - The refresh token policy must be set to "Refresh token is valid until revoked" for OAuth, because expiring refresh tokens are not supported.
- Salesforce Communities
  - The provisioner can link users to "customer" and "partner" business accounts, but not to "person" accounts. Learn more about Accounts in the Salesforce documentation.
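The deprovisioning limitations above can leave accounts enabled, or still linked to a contact, after the directory entry is gone. The following reconciliation check is an added example, not part of the connector or of Ping Identity's documentation. It assumes you can export the targeted group's members and the Salesforce user list; the flat record layout, the matching on `Username`, the `COMMUNITY_TYPES` set, and all sample records are constructed for illustration.

```python
# Added example with constructed sample data, not a real export.
# Field names are modeled on Salesforce's User and UserLogin objects; merging
# them into one flat record and matching on Username are assumptions.
COMMUNITY_TYPES = {"PowerPartner", "CspLitePortal", "PowerCustomerSuccess"}

def audit_deprovisioning(group_members, sf_users, freeze_instead_of_disable=True):
    """Flag Salesforce users who are no longer in the targeted directory group."""
    members = {m.lower() for m in group_members}
    findings = []
    for user in sf_users:
        if user["Username"].lower() in members:
            continue  # still entitled, nothing to report
        enabled = user["IsActive"] and not user["IsFrozen"]
        if enabled and user["UserType"] == "Guest" and freeze_instead_of_disable:
            reason = "guest-not-frozen"      # guest users can't be frozen
        elif enabled:
            reason = "still-enabled"         # removal has not reached Salesforce
        elif user["UserType"] in COMMUNITY_TYPES and user.get("ContactId"):
            reason = "contact-still-linked"  # connector doesn't unlink the contact
        else:
            continue  # disabled or frozen, and no contact link to review
        findings.append((user["Username"], reason))
    return findings

# Constructed: current members of the group named by Group DN.
GROUP_MEMBERS = ["alice@example.com"]

# Constructed: Salesforce users; the ContactId is a placeholder value.
SF_USERS = [
    {"Username": "alice@example.com", "UserType": "Standard",
     "IsActive": True, "IsFrozen": False, "ContactId": None},
    {"Username": "bob@example.com", "UserType": "Standard",
     "IsActive": True, "IsFrozen": False, "ContactId": None},
    {"Username": "guest@example.com", "UserType": "Guest",
     "IsActive": True, "IsFrozen": False, "ContactId": None},
    {"Username": "carol@example.com", "UserType": "PowerPartner",
     "IsActive": False, "IsFrozen": False, "ContactId": "003-PLACEHOLDER"},
    {"Username": "dave@example.com", "UserType": "Standard",
     "IsActive": True, "IsFrozen": True, "ContactId": None},
]

if __name__ == "__main__":
    for username, reason in audit_deprovisioning(GROUP_MEMBERS, SF_USERS):
        print(f"{username}: {reason}")
```

Running a check like this after each provisioning cycle surfaces accounts that need manual disabling or unlinking in Salesforce.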