          Manage Salesforce User Identities with SCIM Control

          Managing Salesforce user identities with SCIM (System for Cross-domain Identity Management) helps to automate the entire user lifecycle.

          Control Name

          Manage Salesforce User Identities with SCIM

          Recommended Configuration

          Provision and manage Salesforce user identities across systems with the open standard System for Cross-Domain Identity Management (SCIM). Edit and manage Salesforce user properties using REST API operations.

          Control Overview

          Managing Salesforce user identities with SCIM (System for Cross-domain Identity Management) helps to automate the entire user lifecycle—creation, updates, and deactivation—directly from a centralized Identity Provider (IdP). This keeps user access synchronized in real time with the company's source of truth and effectively eliminates the risk of orphaned accounts, because Salesforce access is revoked the moment a user is disabled in the central directory.

          Security Risk If Not Configured

          An incorrectly configured SCIM setup increases the risk of incorrect user provisioning and deprovisioning, leading to persistent access to sensitive CRM data. This mismatch between the identity provider and Salesforce creates high-risk orphaned accounts that can be exploited for unauthorized data exfiltration or used by former employees to access proprietary information undetected.

          Threat Scenarios

          SCIM is improperly configured, allowing orphaned Salesforce accounts to remain active and accessible. A threat actor then logs in from a personal device and exports entire customer lists and proprietary sales data before the IT team can manually deactivate the orphaned account.
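The control overview and the threat scenario both come down to one check: is any Salesforce user still active that the identity provider no longer considers active? The following Python script is an added example, not Salesforce's own code or tooling. It reconciles a SCIM 2.0 user listing (the shape Salesforce's SCIM endpoint returns) against a constructed IdP roster, reports the orphaned accounts, and builds the standard SCIM PatchOp body (RFC 7644) that deactivates each one. The base URL, the `/services/scim/v2/Users` path, the user IDs and all sample users are constructed placeholders; the script runs offline on the embedded data and only prints the requests it would send.

```python
"""Detect Salesforce accounts orphaned by a broken SCIM sync (added example, not Salesforce code)."""
import json
from typing import Dict, List, Tuple

# Constructed SCIM 2.0 ListResponse, in the shape a SCIM /Users query returns.
# IDs are placeholders, not real Salesforce record IDs.
SALESFORCE_SCIM_USERS: Dict = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "005PLACEHOLDER01", "userName": "alice@example.com", "active": True},
        {"id": "005PLACEHOLDER02", "userName": "bob@example.com", "active": True},
        {"id": "005PLACEHOLDER03", "userName": "carol@example.com", "active": False},
        {"id": "005PLACEHOLDER04", "userName": "dave@example.com", "active": True},
    ],
}

# Constructed IdP roster: the organisation's source of truth for who should have access.
IDP_ROSTER: Dict[str, Dict] = {
    "alice@example.com": {"active": True},    # still employed: access is legitimate
    "bob@example.com": {"active": False},     # disabled in the IdP but still active in Salesforce
    "carol@example.com": {"active": False},   # disabled in both: already handled correctly
    # dave@example.com is missing from the IdP entirely, yet still active in Salesforce
}


def find_orphaned_accounts(scim_listing: Dict, idp_roster: Dict[str, Dict]) -> List[Dict]:
    """Return Salesforce users that are active but disabled in, or absent from, the IdP."""
    orphans = []
    for user in scim_listing.get("Resources", []):
        if not user.get("active", False):
            continue  # already deactivated in Salesforce; nothing to revoke
        idp_entry = idp_roster.get(user["userName"])
        if idp_entry is None or not idp_entry.get("active", False):
            orphans.append(user)
    return orphans


def scim_deactivate_patch() -> Dict:
    """SCIM 2.0 PatchOp body that sets active=false (RFC 7644 section 3.5.2)."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def build_deactivation_requests(orphans: List[Dict], base_url: str) -> List[Tuple[str, Dict]]:
    """Pair each orphaned user with the PATCH URL and body that would deactivate it.

    The /services/scim/v2/Users path is assumed here for illustration; confirm the
    SCIM base path against your org's documentation before wiring this to a real client.
    """
    return [
        (f"{base_url}/services/scim/v2/Users/{user['id']}", scim_deactivate_patch())
        for user in orphans
    ]


def main() -> None:
    orphans = find_orphaned_accounts(SALESFORCE_SCIM_USERS, IDP_ROSTER)
    print(f"{len(orphans)} orphaned account(s) found")
    # Dry run: show the deactivation requests instead of sending them.
    for url, body in build_deactivation_requests(orphans, "https://example.my.salesforce.com"):
        print(f"PATCH {url}\n{json.dumps(body, indent=2)}")


if __name__ == "__main__":
    main()
```

Run as a scheduled job, the same comparison doubles as a detection for the control failing: any non-empty result means SCIM did not revoke access when the IdP did, which is exactly the window the threat scenario describes.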

          Estimated CVSS Score Range

          High (7.0–8.90).

          Risk Impact Considerations

          Risk severity depends on the size of the user population and on the access privileges granted upon login.

          Higher Risk When

          Risk is higher when user identity verification (MFA or other methods) is not in place, or when sessions are not configured with session controls to limit them, which include:

          • Ineffective Session Timeout Policy
          • Overly Permissive Access Scope

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

          • MFA Enforcement or identity verification is in place: MFA is enforced for Salesforce users
          • IP Login Restriction at the network layer: IP Login restriction for users with privileges to modify the setup
          • SSO Enforcement: All profiles are configured with SAML SSO

          Business and Integration Considerations

          Customers should evaluate the entry points of their users' endpoints and what data each user profile is exposed to.

          Recommended Remediation

          Set up login IP ranges for each profile in the org.

          Security Health Review Guidance

          Security Health Review identifies the platform configuration related to IP ranges. IP ranges can be configured at the org level through network settings (Trusted IP Ranges) or at the profile level (Login IP Ranges).
