Written by malessandroni
This guide is a sequel of Syncope Basics: Manage SCIM v1.1 and explains how to configure the SCIM v1.1 ConnId Bundle to work with Salesforce.
The connector is already configured to work with services that requires Auth 2.0 Bearer Token Authentication using Client ID and Secret.
I'll just show how to create a Salesforce trial account and how to configure the Connector for it.
Just go to
and choose "Sign up" in right corner.
Fill required fields and, after email activation, you should have your account ready to use.
Now, to see the list of existing Users, go to "Setup" view by clicking on the
gear icon on the right top (url should be something like
Then, just type "user" in the left search bar and click on "Users".
Still from Salesforce "Setup" view, search and select "App Manager". Then
click "New Connected App".
Fill the required fields and make sure to check "Enable OAuth Settings". Then, flag "Enable for Device Flow" and "Require Secret for Web Server Flow" too.
Here is a sample configuration:
After saving those settings, you'll find:
You also need a Security Token to append to you account
password in order to have a password token to connect to service.
Go to "Settings" (on the right corner) and search for "Reset My Security Token" in search bar. Click on it and select "Reset Security Token".
A new token will be sent to your email.
Now, in Syncope, you should already have the "SCIMv11Conn" connector instance, so just click on it and select "Edit connector".
From SCIMv1.1 ConnId Bundle v1.0.0, Auth 2.0 Bearer Token Authentication is
So, make sure the connector version is >= v1.0.0:
Now, click "Next" and configure connector with Salesforce parameters.
It is enough to fill the following fields:
As described in previous post, in "Configuration test" section, you can click
on the "SCIMv11Res" node from "Topology" and choose "Explore resource" from
You'll see some of the existing Users on Salesforce.
When creating a new User on Salesforce, it must be linked to a Profile ID (an "Entitlement"). So, first of all you can obtain a list of all Entitlements by using the REST Workbench and executing /services/scim/v1/Entitlements/
so that you'll find all available Entitlement IDs.
Then, you can use the "entitlements.default.value" External attribute, add it to "Provision rules" and flag it as mandatory.
This way, for any new provisioned user you'll be able to send the Entitlement ID too.
So the "userName" External attribute must be mapped to a Syncope Schema where
you'll store the User username in email format.
E.g. username (with email format) -> userName or email -> userName
In your resource "Provision rules" add the "emails.work.value" External
Salesforce accounts have the "email" field that is identified by "emails.work.value" via SCIM API.
You'd better flag it as mandatory.
In your resource "Provision rules" add "name.familyName" External attribute and you'd better flag it as mandatory.
Here is an example of a full mapping configuration: