Scritto da
  • email
  • twitter
  • linkedin
  • linkedin

How to configure Apache Syncope to provision Users to Salesforce using the SCIM v1.1 ConnId Bundle

This guide is a sequel of Syncope Basics: Manage SCIM v1.1 and explains how to configure the SCIM v1.1 ConnId Bundle to work with Salesforce.

The connector is already configured to work with services that requires Auth 2.0 Bearer Token Authentication using Client ID and Secret.

I'll just show how to create a Salesforce trial account and how to configure the Connector for it.

Create a Salesforce account and get the list of existing users

Just go to https://developer.salesforce.com and choose "Sign up" in right corner.
Fill required fields and, after email activation, you should have your account ready to use.

Now, to see the list of existing Users, go to "Setup" view by clicking on the gear icon on the right top (url should be something like https://eu12.lightning.force.com/one/one.app#/setup/SetupOneHome/home
Then, just type "user" in the left search bar and click on "Users".

Obtain required Client Id and Secret values

Still from Salesforce "Setup" view, search and select "App Manager". Then click "New Connected App".
Fill the required fields and make sure to check "Enable OAuth Settings". Then, flag "Enable for Device Flow" and "Require Secret for Web Server Flow" too.
Here is a sample configuration:

After saving those settings, you'll find:

  • Consumer Key -> Client Id
  • Consumer Secret -> Client Secret

You also need a Security Token to append to you account password in order to have a password token to connect to service.
Go to "Settings" (on the right corner) and search for "Reset My Security Token" in search bar. Click on it and select "Reset Security Token".
A new token will be sent to your email.

Now, in Syncope, you should already have the "SCIMv11Conn" connector instance, so just click on it and select "Edit connector".

From SCIMv1.1 ConnId Bundle v1.0.0, Auth 2.0 Bearer Token Authentication is supported.
So, make sure the connector version is >= v1.0.0:

Now, click "Next" and configure connector with Salesforce parameters.
It is enough to fill the following fields:

  • baseAddress: https://[YOUR_SUBDOMAIN].salesforce.com/services/scim/v1/
  • accessTokenBaseAddress: https://login.salesforce.com/services/oauth2/token?grant_type=password
  • username: your Salesforce username
  • password: [YOUR_ACCOUNT_PASSWORD] + [SECURITY_TOKEN]
  • clientId: value taken from "Manage Connected Apps" view, as described above
  • clientSecret: value taken from "Manage Connected Apps" view, as described above
  • accessTokenNodeId: default value access_token will be fine
  • accessTokenContentType: default value application/x-www-form-urlencoded will be fine
  • accept: default value application/json will be fine
  • contentType: default value application/json will be fine
  • updateMethod: default value PATCH will be fine

Configuration test

As described in previous post, in "Configuration test" section, you can click on the "SCIMv11Res" node from "Topology" and choose "Explore resource" from menu.
You'll see some of the existing Users on Salesforce.

Some Salesforce requirements and restrictions

Profile ID is mandatory

When creating a new User on Salesforce, it must be linked to a Profile ID (an "Entitlement"). So, first of all you can obtain a list of all Entitlements by using the REST Workbench and executing /services/scim/v1/Entitlements/

so that you'll find all available Entitlement IDs.
Then, you can use the "entitlements.default.value" External attribute, add it to "Provision rules" and flag it as mandatory.
This way, for any new provisioned user you'll be able to send the Entitlement ID too.

Username values must be in email format

So the "userName" External attribute must be mapped to a Syncope Schema where you'll store the User username in email format.
E.g. username (with email format) -> userName or email -> userName

An "email" field is required

In your resource "Provision rules" add the "emails.work.value" External attribute.
Salesforce accounts have the "email" field that is identified by "emails.work.value" via SCIM API.
You'd better flag it as mandatory.

"Family name" is required

In your resource "Provision rules" add "name.familyName" External attribute and you'd better flag it as mandatory.

Here is an example of a full mapping configuration:

0 VOTINot rated yetNot rated yet
Ti è stato utile questo articolo?
Dal Blog di Tirasa
Quello che facciamo, studiamo e pensiamo tutti i giorni lo condividiamo qui.
Vai al blog >