User Provisioning for Connected Apps (Generally Available)

Automatically create, update, and delete user accounts on services, such as Google and Box, based on changes to user accounts in your Salesforce organization or Active Directory service. This feature dramatically reduces the time required to on-board new users, update user accounts, or deactivate accounts. It also provides a centralized view of all user accounts across applications and services.
Connected Apps can be created in: Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions

User Permissions Needed
To read: “Customize Application”
To create, update, or delete: “Customize Application” AND either

“Modify All Data” OR “Manage Connected Apps

To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: “Customize Application”
To update Profiles, Permission Sets, and Service Provider SAML Attributes: “Customize Application” AND “Modify All Data”
To uninstall: “Download AppExchange Packages”
user provisioning diagram

User provisioning for connected apps captures user events (such as creating a user, assigning a permission set or profile, or changing user information) in a Salesforce organization and applies updates to the corresponding account on a third-party service.

For example, you can configure user provisioning for a Google Apps connected app in your organization. Then assign the profile “Employees” to that connected app. When a new user is created in your organization and assigned the “Employees” profile, the user is automatically provisioned in Google Apps. Additionally, when the user is deactivated, or the profile assignment changes, the user is automatically de-provisioned from Google Apps. You can also configure an approval process to request a manager’s approval before a provisioning or de-provisioning action.

Add Salesforce Identity Connect to capture events in an Active Directory installation and apply user provisioning updates to an external application. Identity Connect is an on-premise add-on that provides Active Directory integration with Salesforce. It synchronizes Active Directory with your Salesforce user accounts. User provisioning for connected apps can capture Active Directory changes through Identity Connect to provision or de-provision users on a third-party system or application.

User Provisioning for Connected Apps Benefits

A wizard for quick configuration
Run the User Provisioning Wizard to configure user provisioning.
Support for approval processes
Include an approval process to give management control over new user accounts and user account changes.
Stronger security
Automatically disable user accounts in third-party applications when a user leaves the company.
Auditing and compliance
Discover and manage the apps your users use. You can get a centralized view of all the accounts a user has across all connected apps. Run reports and set up alerts.
IT efficiency
Reduce maintenance time on user accounts and save time provisioning users for applications.
Apex and Visual Workflow support for full customization.

User Provisioning for Connected Apps Requirements

A connected app for the third-party service
Any connected app can support user provisioning, including a “bookmark” connected app.
Named credentials
Named credentials identify the third-party system and its authentication settings. Calls to the third-party system, such as creating, editing, or deleting accounts, use the third-party authentication settings in the named credential. For the named credential, you specify a Named Principal, which can be an account on the third-party system or an OAuth authorization for an existing Auth. Provider in your organization. The User Provisioning Wizard asks for this named credential.
A flow created with the Flow Designer
Flows manage provisioning requests to the third-party system. Salesforce provides a connectors package on the AppExchange containing pre-configured flows to simplify your user provisioning setup process. You associate one of these flows with the connected app using the User Provisioning Wizard.

For more information, see User Provisioning for Connected Apps in the online help.