SCIMv1 Salesforce Connector

Last modified 05 Aug 2022 11:26 +02:00

Identity connector for Salesforce platform using SCIM 1.1 API.

Development statusdormant (not developed actively, but still somehow maintained)
Support statussupportable
Support provided byEvolveum
Target systemsSalesforce platform (using SCIMv1 API)
ProtocolSCIM 1.1
Source code

The SCIMv1 connector extension for the Salesforce service. As stated in the SCIMv1 connector documentation page, this extension implements the 1.1 version of the System for Cross-domain Identity Management (SCIM) standard. The generic connector is extended by workaround modifications for the correct functioning and use with midPoint and to correct some provider API flaws.

Capabilities and Features



Live Synchronization


Service does not comply to the scim polling protocol specification.



The setting of an password causes that the service will use it (the newly set password) as a means for manually resetting a password by the user.



Activation via the active attribute.

Paging support


Native attribute names





This is an extension of the scimV1 connector for the Salesforce service.

Version Origin Binary Sources Build Date ConnId*Framework* Description


download jar


October 2016

Official release



download jar


December 2016

Official release



download jar


March 2017


Official release


The connector itself is available under the terms of Apache License 2.0. To our best knowledge there is no extra license needed to use this connector. (Additional licensing terms and conditions may apply with services on which the connector is used).

Known limitations

The interaction with the API of the service uncovered some facts which we perceive as issues and minor flaws of the interconnected system which our connector has to remedy with workarounds. Yet there are some limitations which emerge.The known limitations which can be apparent are as follows:

  • Some of the mandatory attributes needed for resource creation have the readOnly property set to true. This prohibits to set the value for this attributes and overall it prevents resource creation. We had to modify the schema which we got from the service provider to set this property to false.

  • Endswith filter not supported.

  • Contains all values not supported. For internal functionality this filter is translated to a single value contains filter.

  • Only partial support of the scim enterprise extension by our connector (urn:scim:schemas:extension:enterprise:1.0), not supported sub attributes:

    • "manager"

    • "delegatedApprover"

  • While testing the connector we experieced a quite slow response rate while sending request to the resource. The speed was multiple times slower as by communicating with other scim v1 compliant test resource.


A specific value has to be set to the authentication configuration property depending of the method used for authentication. This service uses a password to authenticate while communicating with the connector. Because of that the value of this property should be set to password. Our connector uses the Salesforce SCIM API for communication with the Salesforce scim service. Some basic information and documentation to the Salesforce SCIM API can be found following this link. To start using the connector some steps have to be taken to set up the connector on the side of the service. To set up the connector do the following:

  1. On the "Setup page" of your Salesforce account open the "Create" tab located on the main horizontal menu in the part labeled as "Build". From the dropdown menu select the "Apps" tab

  2. On the newly opened page look for the label "Connected Apps" and click the "new" button

  3. Fill in the mandatory fields and check the "Enable OAuth Settings"

  4. The new mandatory parts:

    1. "Callback URL" a dummy value can be set to this field (e.g. https://localhost:8443/callback)

    2. "Available OAuth Scopes" recommended to add the "Full access" scope

  5. After registering a connected app the app profile screen will appear. On this screen you can find the client id (Consumer Key) and the client secret (Consumer Secret)


To get the security token:

  1. The security token should be issued after account creation and every password reset and sent to your email address. If you want to reset your security token follow the following steps

  2. In the personal settings tab My Settings open the Personal tab in the main horizontal menu

  3. Open the Reset my security token tab and click the Reset security token button. This should send you a new security token to your email adress

Mandatory property fields:

  • Scim endpoint

  • Scim version

  • Username

  • Password

  • Login url

  • Grant type

  • Client ID

  • Clientsecret

Sample configuration values:

  • Authentication: password

  • Scim endpoint: /services/scim

  • Scim version: /v1

  • Username:

  • Password: (password+security token )

  • Login url:

  • Grant type: /services/oauth2/token?grant_type=password

  • Client ID: (generated cliend id)

  • Clientsecret: (generated client secret)

Setting up tests

The test suite consists of a bundle of test methods some of which execute a couple of times depending on the amount of tested resource endpoints. The test parameters are provided by data providers which fetch their data from a test configuration property file. These property files are provided within the connector source bundle in the scimV1 git repository in the testProperties folder.

Before the test suite is initialized one has to provide a couple of mandatory values into the property file.

The property file consists of a couple of attribute name/value pairs which are mapped to the corresponding test method or utility method. The naming rule is that the word before the underscore character (_) corresponds to the name of the test method provider which will be populated by the provided values. The word after the underscore character is the property name or in some cases it describes a resource on which a test will be executed or a type of test.Most likely and often changed are the attributes of the test method provider configTestProvider the first three attributes configure some basic properties used in the tests:

  • testNumber: The number which defines the order of the following test. The number is used as an ID value which is injected in some unique parameter values (e.g. userName). This is because some services do not delete their resource data (e.g. Account data) but they flag it as inactive or deactivated. The unique parameter value is then still used and can be in some cases referenced. This prohibits the usage of an equivalent value.

  • pageSize: This parameter describes the size of the returned list of resource representations.

  • pageOffset: Defines the offset used in listing resources. (e.g. I want to list 100 people but i want the list to start from the 15th entry).

The other attributes of the configTestProvider are equivalent to the configuration attributes needed to log into the service and can be seen described above in the Configuration section.

The change of other test method provider attributes is not recommended and may result in unsuccessful tests. The tests create one representation of each resource (e.g. user, group) and then they execute all basic methods which are defined in the scim specification.

The tests also incorporate negative testing use cases for proper exception reporting. One of the test cases is intentionally commented out. To trip the InvalidCredentialException the test method makes an intentional error in the login credentials while executing an operation. For reasons of unintentional lock out of the service with the run of this test, the test is optional and you can uncomment it when you are sure no harm will be done.