13.8 Configuring the Salesforce Federation Identifier

The Salesforce connector uses the Federation attribute to store the user’s Salesforce federation identity. You can use one of the following as the attribute type for all users:

  • GUID: The federation identifier uses the adroitBISObjectID. Using a GUID is the default setting.

  • WorkforceID/employeeID: If you select this option, the identity source must supply the value for the appliance and Salesforce connector to use. All of the current identity sources support a workforceID attribute:

    • workforceID (eDirectory)

    • employeeID (Active Directory)

    • workforceid (JDBC)

    If the user has a workforceID or employeeID in the identity source, the user’s account is provisioned in Salesforce.

    If the user does not have a workforceID or employeeID in the identity source, the connectors_SFORCE_XXXXX.log file contains a message stating that the provisioning activity for that user was vetoed. To resolve this, add a workforceID/employeeID to the User object in the identity source. When the workforceID or employeeID is synchronized, the account is automatically provisioned.

When you configure the Salesforce connector, you can use the Advanced Settings > Federation attribute option to specify which attribute type to use. For more information, see Section 13.3, Configuring the Connector for Salesforce.

To change from using a GUID to using a workforceID/employeeID for the federation identity, or vice versa:

  1. Log in with an appliance administrator account to the Admin page at

    https://appliance_dns_name/appliance/index.html
    
  2. On the Policy Mapping page, de-provision users from Salesforce by removing the current policy mapping so that the users are marked as inactive in Salesforce.

    For information about policy mapping, see Mapping Authorizations in the NetIQ CloudAccess and MobileAccess Installation and Configuration Guide.

  3. On the Admin page, click the configured connector for Salesforce, then click Configure.

  4. In the Salesforce connector configuration, click Advanced Settings, change the Federation identifier setting, then click OK and Apply to save and apply the change.

  5. Redo the policy mapping to trigger re-provisioning of users to Salesforce. The federation identifier is modified to use the appropriate attribute.

  6. (Conditional) If you changed the Federation identifier setting from GUID to workforceID/employeeID, verify that all users were provisioned.

    1. Check the connectors_SFORCE_XXXXX.log file for messages about any user objects that were not provisioned because they did not have a workforceID/employeeID.

    2. For each user who was not provisioned, add a workforceID/employeeID to the User object in the identity source.

      When the workforceID/employeeID is synchronized, the account is automatically provisioned.

    3. Repeat this process to ensure that all authorized users are provisioned.
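
The check in Step 6 can also be run against the identity source before the setting is changed, so that users who would be vetoed are known in advance. The following is an added example, not part of the NetIQ documentation or product: it assumes the eDirectory or Active Directory users have been exported to LDIF, and it assumes an empty attribute value counts as missing. The function names and sample entries are constructed for illustration.

```python
import base64

# Attribute names the page lists; LDAP attribute names are case-insensitive.
FEDERATION_ATTRS = ("workforceid", "employeeid")

# Constructed sample export (not real data): AD-style and eDirectory-style entries.
SAMPLE_LDIF = """\
version: 1

dn: CN=Alice Example,OU=Staff,DC=example,DC=com
employeeID: 10442

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
mail: bob@example.com

dn: cn=carol,ou=users,o=example
workforceID:: MTA0NDM=

dn: cn=dave,ou=users,o=example
workforceID:
"""

def parse_ldif(text):
    """Yield (dn, {lowercased_attr: [values]}) for each entry in an LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())

def users_missing_federation_id(ldif_text):
    """Return DNs with no non-empty workforceID/employeeID value (assumed to be vetoed)."""
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if not any(v for a in FEDERATION_ATTRS for v in attrs.get(a, []))]
```

Calling users_missing_federation_id(SAMPLE_LDIF) lists the Bob and dave entries: one has no attribute at all, the other has the attribute present but empty.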