          User Provisioning for Connected Apps

          You can use a connected app to link your users with a third-party app. User provisioning for a connected app simplifies account creation and links your Salesforce users’ accounts to their third-party accounts. After the accounts are linked, you can configure the App Launcher to display the connected app as a tile. With a single click, users get instant access to the third-party app.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Connected Apps can be installed in: All Editions

          Note: Connected app creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See “New connected apps can no longer be created in Spring ’26” for more details.

          Here’s a user provisioning scenario. You configure user provisioning for a G Suite connected app in your org. Then you assign the Employees profile to that connected app. When you create a user in your org and assign the user to the Employees profile, the user is provisioned in G Suite. When the user is deactivated, or the profile assignment changes, the user is deprovisioned from G Suite.

          User provisioning applies only to users with a profile or permission set that grants them access to the connected app.

          Salesforce provides a wizard to guide you through the user provisioning settings for each connected app. You can also run reports to see who has access to specific third-party apps. These reports give you a centralized view of all user accounts across all connected apps.

          User Provisioning Requests

          After you configure user provisioning, Salesforce manages requests for updates on the third-party system. Salesforce sends user provisioning requests to the third-party system based on specific events in your org, either through the UI or API calls. This table shows the events that trigger user provisioning requests and their associated operations.

          Event                                                     Operation             Object
          Create user                                               Create                User
          Update user (for selected attributes)                     Update                User
          Disable user                                              Deactivate            User
          Enable user                                               Activate              User
          Freeze user                                               Freeze                UserLogin
          Unfreeze user                                             Unfreeze              UserLogin
          Reactivate user                                           Reactivate            User
          Change user profile                                       Create or Deactivate  User
          Assign or unassign a permission set to a user             Create or Deactivate  PermissionSetAssignment
          Assign or unassign a profile to the connected app         Create or Deactivate  SetupEntityAccess
          Assign or unassign a permission set to the connected app  Create or Deactivate  SetupEntityAccess

          The operation value is stored in the UserProvisioningRequest object. Salesforce can either process the request immediately or wait for an approval process to complete (if you requested approvals when running the wizard). To process the request, Salesforce uses a flow of the type User Provisioning, which includes a reference to the Apex UserProvisioningPlugin class. The flow calls the third-party service’s API to manage user account provisioning on that system.
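
The trigger table above can be used as an audit check that every org event produced a finished provisioning request, so that a disabled or frozen user does not keep a live third-party account. This is an added example, not Salesforce code: the record shapes (`user`, `event`, `operation`, `state`) and the state names `Completed` and `Failed` are assumptions about an export you prepare yourself, and the sample data is constructed.

```python
# Added example: reconcile org events against user provisioning requests.
# TRIGGERS copies the event table on this page; everything else is assumed.
TRIGGERS = {
    "Create user": ({"Create"}, "User"),
    "Update user (for selected attributes)": ({"Update"}, "User"),
    "Disable user": ({"Deactivate"}, "User"),
    "Enable user": ({"Activate"}, "User"),
    "Freeze user": ({"Freeze"}, "UserLogin"),
    "Unfreeze user": ({"Unfreeze"}, "UserLogin"),
    "Reactivate user": ({"Reactivate"}, "User"),
    "Change user profile": ({"Create", "Deactivate"}, "User"),
    "Assign or unassign a permission set to a user":
        ({"Create", "Deactivate"}, "PermissionSetAssignment"),
    "Assign or unassign a profile to the connected app":
        ({"Create", "Deactivate"}, "SetupEntityAccess"),
    "Assign or unassign a permission set to the connected app":
        ({"Create", "Deactivate"}, "SetupEntityAccess"),
}

def find_gaps(events, requests, done_state="Completed"):
    """Return (event, reason) for each event with no finished request.

    Matching is by user and operation only; a production check would
    also match on connected app and on time.
    """
    gaps = []
    for ev in events:
        ops, _obj = TRIGGERS[ev["event"]]
        matches = [r for r in requests
                   if r["user"] == ev["user"] and r["operation"] in ops]
        if not matches:
            gaps.append((ev, "no request"))
        elif not any(r["state"] == done_state for r in matches):
            # Covers failed requests and ones still awaiting approval.
            gaps.append((ev, "request not completed"))
    return gaps

# Constructed sample data (not real org output).
EVENTS = [{"user": "u1", "event": "Create user"},
          {"user": "u2", "event": "Disable user"},
          {"user": "u3", "event": "Freeze user"},
          {"user": "u4", "event": "Change user profile"}]
REQUESTS = [{"user": "u1", "operation": "Create", "state": "Completed"},
            {"user": "u2", "operation": "Deactivate", "state": "Failed"},
            {"user": "u4", "operation": "Deactivate", "state": "Completed"}]

if __name__ == "__main__":
    for ev, reason in find_gaps(EVENTS, REQUESTS):
        print(f"{ev['user']}: {ev['event']} -> {reason}")
```
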

          To send user provisioning requests based on events in Active Directory (AD), use Salesforce Identity Connect to capture AD events, and synchronize them into Salesforce. Then, Salesforce sends the user provisioning requests to the third-party system to provision or deprovision users.

          Considerations

          Entitlements
            Roles and permissions for the service provider can’t be managed or stored in the Salesforce org. So specific entitlements to resources at the service provider aren’t included when a user requests access to a third-party app that has user provisioning enabled. With user provisioning, you can create a user account for a service provider. However, the service provider must manage any additional roles or permissions for the user.
          Scheduled account reconciliation
            Run the User Provisioning wizard each time you want to collect and analyze users in the third-party system. You can’t configure an interval for an automatic collection and analysis.
          Access recertification
            After an account is created for the user, validation of the user’s access to resources at the service provider must be performed at the service provider.

          • Configure User Provisioning for Connected Apps
            Configure a connected app to save time when provisioning users for third-party apps. Salesforce provides a wizard that guides you through the user provisioning settings for each connected app.
          • Manage User Provisioning Requests
            After you configure user provisioning for a connected app with the User Provisioning wizard, you can manage individual provisioning requests from the User Provisioning Requests tab and from the connected app’s detail page. If you included an approval process, you can set up user provisioning request sharing rules.
          • Create User Provisioning for Connected Apps Custom Reports
            Salesforce orgs with user provisioning for connected apps can run reports that show provisioning accounts, requests, and other information using custom report types.
           