Automated Provisioning refers to the ability to maintain users across applications using an automated process. By communicating with your Salesforce Org, LearnCore is able to perform automated, real-time provisioning by using a standardized protocol called SCIM.
SCIM (System for Cross-domain Identity Management) is a standardized protocol designed for automating the exchange of user identity information between domains. When configured through your Salesforce Org, user access and group membership information is propagated to LearnCore, which will reflect your updates within your LearnCore account.
The following provisioning features are supported:
- Create Users
- Update User Attributes
  - First Name
  - Last Name
- Remove Users
- Deactivate Users
- Create Groups
- Manage Users within the Group
Before configuring automated provisioning with Salesforce, you must meet the following requirements:
- Salesforce Enterprise + Account
- Access to your organization’s SFDC main admin
- Installation of the LearnCore Package for Salesforce (details available in sections 5.1 and 5.2)
- A Salesforce user with API access and authorization to view User objects in Salesforce (details available in sections 5.3 and 5.4)
- SCIM API token (provided by LearnCore)
Installation of the LearnCore Package for Salesforce
Please refer to the Installation Guide to complete this step. Package Installation is required to configure Automated Provisioning via SCIM in Salesforce.
Create a Named Credential
Once the app has been installed, you can begin configuring SCIM. To do so, you’ll first want to create a Named Credential.
1. In Salesforce, navigate to Setup.
2. In the left navigation, search for “Named Credentials.”
3. Click on Named Credentials.
4. Create a new Named Credential by clicking the “New Named Credential” button.
5. Provide the following information for the named credential:
- Label - This can be a label of your choosing. We recommend “LearnCore SCIM.”
- Name - This can be a name of your choosing. We recommend “LearnCore SCIM.”
- URL - https://admin.learncore.com/scim/v1/Users
- Certificate - Leave blank
- Identity Type - Named Principal
- Authentication Protocol - Password Authentication
- Username - This can be any username you choose.
- Password - This is the token that you received from your LearnCore strategist.
- Check the box for “Allow merge fields in HTTP header.”
All other boxes should be left unchecked.
6. Click save.
Create a Permission Set
As Salesforce does not allow permission sets from managed apps to be used for this, you must create a new permission set for any users that you wish to include in LearnCore.
1. In the left navigation, search for “Permission Sets.”
2. Select “Permission Sets” from the Manage Users section.
3. Click on “New.”
4. Create a Label for this permission set. We recommend “LearnCore Users.”
5. You may also add a description if necessary.
6. Select “Identity” as the license that will use this permission set.
7. Click save.
Enable the LearnCore Connected App for Provisioning
Next, we will need to enable the LearnCore App to provision users in real time. Please note that we highly recommend using another service for bulk updates in LearnCore, such as Automated Provisioning for Salesforce or an upload.
1. In the left hand navigation, search for and select “Connected Apps.”
2. From the list of connected apps, click on “LearnCore SCIM.”
3. Click “Edit Policies” from the top of the page.
4. Check the box next to “Enable User Provisioning.”
5. Click Save.
6. Click “Launch User Provisioning Wizard.”
7. Select the option to use an existing flow and choose “LearnCore Users Flow.”
8. Select the Named Credential you created for LearnCore from the Named Credential option.
9. Click “Save & Next.”
10. Leave the check box blank for require approvals.
11. Click “Save & Next.”
12. Select all the available options to allow Salesforce to call the Flow.
13. Once you select update user, you will be asked to provide which action triggers the call. Select “LocaleSidkey” and click the arrow to move it under “Will Trigger Update.”
14. Click “Save & Next.”
15. Click Connect and Collect.
16. This will take you to a page where you will select how users are linked. Select Email for both of the drop downs to link based on their email address. You may also opt to select username for the Salesforce User attribute.
17. Click “Save & Next.”
18. Click “Analyze Collected Information.” This may take a few moments.
19. Click commit to commit the changes.
20. Once the changes are committed, click “Next.”
21. Click “Finish” to return to the Connected App Detail Page.
Adding Permission Sets
To set the users that will sync with LearnCore, you will need to add the Permission Set that you created to the app. You can do this directly from the Connected App Detail page in Step 21 above.
1. Click Manage Permission Sets.
2. Find the Permission Set that you created in section 5.2 and check the box in front of it.
3. Click save.
Adding and Updating Users
Now that the configuration is complete, users can be added to and updated in LearnCore from Salesforce using the permission set that you created. There are 4 actions that will trigger an update in LearnCore: adding a new user to the permission set, updating the locale for the user, freezing a user, and deactivating a user.
Adding Users in Real Time
Adding an active Salesforce user to the permission set that you created above and assigned to the SCIM configuration will create the user in LearnCore in real time. Any user who has not been added to the permission set will not be added to LearnCore. In addition, as the user is created, they will be placed into a LearnCore group matching the language of their “locale” field in Salesforce. If a matching group does not exist in LearnCore, one will be created.
Please note that we do not advise using this method for user creation in bulk as it is taxing on the system. To bulk create users, we advise a manual sync with Salesforce Automated Provisioning (this is a nightly sync or can be run manually) or performing a .csv upload.
Updating the Locale of a User
Users who have been synced into LearnCore will be grouped by the Salesforce “locale” field. To update the group as needed, change the locale field for the user in Salesforce and the group in LearnCore will be updated appropriately.
Please note that changing the user’s locale will trigger the update, but changing the language will not.
Freezing a User
If you freeze a user within Salesforce, this will trigger the user in LearnCore to be deactivated. In LearnCore, the user will remain in the account, but will not be able to log in. Unfreezing a user in Salesforce will reactivate the user in LearnCore.
Deactivating a User
If a user is deactivated within Salesforce or removed from the configured permission set, they will be removed from the corresponding account within LearnCore.
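To confirm that freezes, deactivations and permission-set removals actually reached LearnCore, the rules above can be applied to a Salesforce user export and compared with a LearnCore user list. The following is an added example, not LearnCore or Salesforce code; the field names, the case-insensitive email match and the sample data are assumptions, and group membership is not checked.

```python
from dataclasses import dataclass

@dataclass
class SfUser:  # one row of a Salesforce user export (field names are assumptions)
    email: str
    active: bool
    frozen: bool
    in_permission_set: bool

def expected_state(u):
    """Apply the sync rules described above: 'absent', 'inactive' or 'active'."""
    if not u.active or not u.in_permission_set:
        return "absent"    # deactivated or out of the permission set: removed
    if u.frozen:
        return "inactive"  # frozen: stays in the account but cannot log in
    return "active"

def reconcile(sf_users, lc_accounts):
    """lc_accounts maps email -> is_active. Returns (email, expected, actual) mismatches."""
    norm = lambda e: e.strip().lower()  # assumption: email link is case-insensitive
    expected = {norm(u.email): expected_state(u) for u in sf_users}
    actual = {norm(e): ("active" if on else "inactive") for e, on in lc_accounts.items()}
    findings = []
    for email in sorted(set(expected) | set(actual)):
        want = expected.get(email, "absent")  # no Salesforce user: flag for review
        have = actual.get(email, "absent")
        if want != have:
            findings.append((email, want, have))
    return findings

# Constructed sample data, not real accounts.
SF = [
    SfUser("ana@example.com", True, False, True),
    SfUser("bo@example.com", True, True, True),     # frozen
    SfUser("cy@example.com", False, False, True),   # deactivated
    SfUser("di@example.com", True, False, False),   # not in the permission set
    SfUser("ed@example.com", True, False, True),    # never provisioned
]
LC = {
    "Ana@example.com": True,
    "bo@example.com": True,    # should be inactive
    "cy@example.com": True,    # should have been removed
    "zoe@example.com": True,   # no matching Salesforce user
}

if __name__ == "__main__":
    for email, want, have in reconcile(SF, LC):
        print(f"{email}: expected {want}, found {have}")
```

A LearnCore account with no matching Salesforce user may have been created by an upload or another sync, so treat those findings as items to review rather than as errors.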
Reporting on the Sync
The Salesforce Identity User Provisioning Utils provides 3 reports that may be helpful for monitoring and debugging the real-time sync.
To access these reports:
1. Navigate to the Reports tab in Salesforce.
2. Select the User Provisioning Reports folder.
3. Here you will see three report types:
- User Provisioning Requests - Displays each request, the timestamp it was made, and state of the request.
- User Provisioning Accounts - Displays each user that is linked between Salesforce and LearnCore and the status of that connection.
- User Provisioning Logs - Displays the log of each provisioning request and details of the transaction.