Identity Connect Retirement

Salesforce is retiring Identity Connect and will continue to honor your existing Identity Connect subscription and provide support until your subscription ends. Moving forward, Identity Connect will only receive security updates.

Salesforce isn’t building a replacement for Identity Connect. As a result, Salesforce recommends that you begin exploring potential solutions as soon as possible to minimize disruption to your users and business.

Why is Salesforce retiring Identity Connect?

Salesforce determined that a purpose-built tool like Identity Connect is no longer needed. When Identity Connect was introduced, many of Salesforce’s customers had on-premises Active Directory systems, the concept of the cloud was still new, and the cloud user provisioning space had few solutions. 

Today, the vast majority of Salesforce’s customers have fully adopted the cloud, the number of customers with on-premises Active Directory is significantly lower, and several companies offer high-quality user provisioning solutions. 

How does this change apply to me? 

If your organization uses Identity Connect, you’re using it for user provisioning between Active Directory and Salesforce and potentially for single sign-on (SSO) between Active Directory and Salesforce. In either case, Salesforce recommends that you begin planning to migrate off Identity Connect before your existing subscription ends. Failure to do so can result in users not being able to access Salesforce or compliance and de-provisioning issues within your org. 

What action can I take? 

Review which of your orgs currently use Identity Connect and what servers have Identity Connect installed. Then identify what service Identity Connect provides your org, either user provisioning or user provisioning and SSO. 

Next, determine if your organization has a tool that can perform the same job as Identity Connect. For example, if you’re moving from an on-premises Active Directory solution to Microsoft's Azure AD you can potentially use the existing Microsoft Azure AD Connector for Salesforce. Microsoft built a connector that delivers much of what Identity Connect delivers. 

If your company isn’t transitioning to Azure AD, determine how your organization currently performs user provisioning for other systems within your IT landscape. Many customers who use Identity Connect report that they already have a general-purpose user provisioning product that they use with other applications. If you have another product in use, check to see if it has a Salesforce Connector.

If these options aren’t viable, look at user provisioning and SSO tools in the marketplace. Salesforce doesn’t recommend or provide endorsements. However, companies like Sailpoint, Okta, and ForgeRock all have products that can connect on-premises Active Directory solutions with Salesforce. Additionally, Salesforce offers SCIM APIs. 

After a new provisioning tool is selected, users are migrated, and Identity Connect is replaced, customers must remove and discharge Identity Connect from any installed server and delete any downloaded binaries. Salesforce recommends removing the Identity Connect Managed Package from your orgs. 

What happens if I don’t take action?

After your Identity Connect subscription order ends:

1. New users added to the active directory aren’t provisioned to Salesforce. 
2. Existing users in Salesforce stop receiving updates from the Active Directory. 
3. If a user is removed/deactivated/frozen in the Active Directory, that user is updated in Salesforce and isn’t active. 
4. If you’re using Identity Connect to provide SSO between Active Directory and Salesforce, this connection stops working. 

These outcomes can result in business interruption, and in the case of 2 and 3 above, possible security concerns. As a result, Salesforce recommends that you begin to evaluate your migration path and plan your transition from Identity Connect as soon as possible. If you have questions regarding alternatives, contact your Account Executive about your Identity Connect subscription.

How do I identify affected users? 

Users assigned the Identity Connect user permission set are affected by this retirement.

If you have more questions, refer to Salesforce Help. To view all current and past retirements, see Salesforce Product & Feature Retirements.

To read about the Salesforce approach to retirements, read our Product & Feature Retirement Philosophy.