User Provisioning for Connected Apps (Generally Available)
Connected Apps can be created in: Enterprise, Performance, Unlimited, and Developer Editions
Connected Apps can be installed in: All Editions

User Permissions Needed | |
---|---|
To read: | “Customize Application” |
To create, update, or delete: | “Customize Application” AND either “Modify All Data” OR “Manage Connected Apps” |
To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | “Customize Application” |
To update Profiles, Permission Sets, and Service Provider SAML Attributes: | “Customize Application” AND “Modify All Data” |
To uninstall: | “Download AppExchange Packages” |

User provisioning for connected apps captures user events (such as creating a user, assigning a permission set or profile, or changing user information) in a Salesforce organization and applies updates to the corresponding account on a third-party service.
For example, you can configure user provisioning for a Google Apps connected app in your organization. Then assign the profile “Employees” to that connected app. When a new user is created in your organization and assigned the “Employees” profile, the user is automatically provisioned in Google Apps. Additionally, when the user is deactivated, or the profile assignment changes, the user is automatically de-provisioned from Google Apps. You can also configure an approval process to request a manager’s approval before a provisioning or de-provisioning action.
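
The rule in the example above (a user holds a third-party account only while active and assigned a profile attached to the connected app) can also be checked from the outside as an audit. The sketch below is an added example, not Salesforce code: it reconciles constructed Salesforce user records against a constructed account list from the third-party service, assumes external usernames match Salesforce usernames, and uses the hypothetical names `SfUser`, `entitled`, and `reconcile`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SfUser:  # hypothetical record, not a Salesforce API object
    username: str
    profile: str
    is_active: bool


def entitled(user, app_profiles):
    """Active and assigned a profile attached to the connected app."""
    return user.is_active and user.profile in app_profiles


def reconcile(sf_users, app_profiles, external_accounts):
    """external_accounts maps external username -> enabled flag.
    Assumes external usernames equal Salesforce usernames."""
    by_name = {u.username.lower(): u for u in sf_users}
    findings = {"should_be_disabled": [], "unknown_owner": [], "missing": []}
    seen = set()
    for name, enabled in external_accounts.items():
        user = by_name.get(name.lower())
        seen.add(name.lower())
        if user is None:
            if enabled:  # live account with no Salesforce user behind it
                findings["unknown_owner"].append(name)
        elif enabled and not entitled(user, app_profiles):
            findings["should_be_disabled"].append(name)  # de-provisioning gap
        elif not enabled and entitled(user, app_profiles):
            findings["missing"].append(name)
    for key, user in by_name.items():
        if key not in seen and entitled(user, app_profiles):
            findings["missing"].append(user.username)  # never provisioned
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data.
USERS = [
    SfUser("alice@example.com", "Employees", True),
    SfUser("bob@example.com", "Employees", False),     # deactivated
    SfUser("carol@example.com", "Contractors", True),  # profile changed
    SfUser("dave@example.com", "Employees", True),     # no external account
]
ACCOUNTS = {"alice@example.com": True, "bob@example.com": True,
            "carol@example.com": True, "eve@example.com": True}

if __name__ == "__main__":
    for kind, names in reconcile(USERS, {"Employees"}, ACCOUNTS).items():
        print(kind, names)
```

Accounts reported under `should_be_disabled` are the ones automatic de-provisioning is meant to remove, so a non-empty list points at a failed or pending de-provisioning request.
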
Add Salesforce Identity Connect to capture events in an Active Directory installation and apply user provisioning updates to an external application. Identity Connect is an on-premise add-on that provides Active Directory integration with Salesforce. It synchronizes Active Directory with your Salesforce user accounts. User provisioning for connected apps can capture Active Directory changes through Identity Connect to provision or de-provision users on a third-party system or application.

User Provisioning for Connected Apps Benefits
- A wizard for quick configuration
  - Run the User Provisioning Wizard to configure user provisioning.
- Support for approval processes
  - Include an approval process to give management control over new user accounts and user account changes.
- Stronger security
  - Automatically disable user accounts in third-party applications when a user leaves the company.
- Auditing and compliance
  - Discover and manage the apps your users use. You can get a centralized view of all the accounts a user has across all connected apps. Run reports and set up alerts.
- IT efficiency
  - Reduce maintenance time on user accounts and save time provisioning users for applications.
- Customization
  - Apex and Visual Workflow support for full customization.

User Provisioning for Connected Apps Requirements
- A connected app for the third-party service
  - Any connected app can support user provisioning, including a “bookmark” connected app.
- Named credentials
  - Named credentials identify the third-party system and its authentication settings. Calls to the third-party system, such as creating, editing, or deleting accounts, use the third-party authentication settings in the named credential. For the named credential, you specify a Named Principal, which can be an account on the third-party system or an OAuth authorization for an existing Auth. Provider in your organization. The User Provisioning Wizard asks for this named credential.
- A flow created with the Flow Designer
  - Flows manage provisioning requests to the third-party system. Salesforce provides a connectors package on the AppExchange containing pre-configured flows to simplify your user provisioning setup process. You associate one of these flows with the connected app using the User Provisioning Wizard.

For more information, see User Provisioning for Connected Apps in the online help.