Azure AD User auto provision in Salesforce


Question

I have one Salesforce profile and one permission set in Salesforce. As per the requirement, there are two user personas in our Salesforce application.

Persona 1 -> SF Profile
Persona 2 -> SF Profile + Permission Set

To achieve the above configuration using Azure AD auto-provision, we have created two security groups and added relevant business users into those two groups. Currently, we are struggling to determine the best approach on how to assign the Salesforce permission sets to the users in the "Persona 2" user group.

Recommended answer

You already have Single Sign-On configured in SF, right? At the bottom of the page there's a place for a just-in-time (JIT) login handler class.

You'd have to write that class but there are some online examples for ... implements Auth.SamlJitHandler. Once you have the class skeleton ready - use System.debug(JSON.serializePretty(attributes)); or something similar to see what Azure Active Directory sends. Last time I used this, AAD couldn't send groups info but it could send role(s). So we determined unique sets of users and if role is X - check if the user has permission set X assigned and if not - assign it. We then expanded it to other SF features (groups, queues, user role, profile...). PermissionSetAssignment is the table you need.

If you don't want to write code for this there's always Identity Connect, but that's a paid and on-premise agent program (I think). No idea if it can work with AAD. But you'll get a simple interface for the mapping.
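
The JIT handler the answer describes, written out as an added example (not code from the original answer). The claim key, the role value `Persona2` and the permission set name `Persona_2_Access` are assumptions. It goes one step beyond the answer by revoking the permission set when the role is no longer sent, and it refuses JIT user creation on the assumption that Azure AD provisioning creates the accounts.

```apex
global class AadRoleJitHandler implements Auth.SamlJitHandler {
    // Assumed claim key: confirm it against what AAD actually sends in `attributes`.
    private static final String ROLE_ATTR =
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';
    // Allowlist of AAD role value -> permission set API name (both hypothetical).
    // The claim value is never used directly as a permission set name.
    private static final Map<String, String> ROLE_TO_PERMSET =
        new Map<String, String>{ 'Persona2' => 'Persona_2_Access' };

    public class JitException extends Exception {}

    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        // Assumption: accounts come from Azure AD provisioning, never from a login.
        throw new JitException('No provisioned user for ' + federationIdentifier);
    }

    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        // Assumption: AAD sends a single role value; exact match only, no substring tests.
        String role = attributes.get(ROLE_ATTR);

        // Resolve the permission sets this handler is allowed to manage.
        Map<String, Id> managed = new Map<String, Id>();
        for (PermissionSet ps : [SELECT Id, Name FROM PermissionSet
                                 WHERE Name IN :ROLE_TO_PERMSET.values()]) {
            managed.put(ps.Name, ps.Id);
        }
        // Null when the role is missing or not on the allowlist.
        Id wanted = managed.get(ROLE_TO_PERMSET.get(role));

        // Compare against the user's current assignments of managed sets only.
        Boolean hasWanted = false;
        List<PermissionSetAssignment> stale = new List<PermissionSetAssignment>();
        for (PermissionSetAssignment psa : [
                SELECT Id, PermissionSetId FROM PermissionSetAssignment
                WHERE AssigneeId = :userId AND PermissionSetId IN :managed.values()]) {
            if (psa.PermissionSetId == wanted) { hasWanted = true; }
            else { stale.add(psa); }
        }
        delete stale; // revoke managed sets the current role no longer grants
        if (wanted != null && !hasWanted) {
            insert new PermissionSetAssignment(AssigneeId = userId, PermissionSetId = wanted);
        }
    }
}
```

Permission sets assigned by hand and not listed in `ROLE_TO_PERMSET` are left untouched, so the handler can only add or remove access it is explicitly responsible for.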
