Salesforce Identity
Salesforce Identity is the identity layer built into Salesforce for workforce, partner, and customer access. It provides federation (SAML and OIDC), multi-factor authentication (MFA), and user lifecycle automation through inbound SCIM 2.0 provisioning. Admins can configure Salesforce to act either as an Identity Provider (IdP) that issues assertions/tokens, or as a Service Provider (SP)/Relying Party (RP) that trusts external IdPs.
Key Capabilities
- SCIM 2.0 provisioning (into Salesforce): Native SCIM REST endpoints and schemas let upstream IdPs (such as Microsoft Entra ID) create, update, and deactivate Salesforce users automatically, so joiner/mover/leaver events in the directory flow into the org without manual admin work.
- MFA & passkeys: Built-in MFA supports WebAuthn/FIDO2 security keys and built-in platform authenticators, app-based verification (Salesforce Authenticator push and TOTP apps), and legacy U2F keys where still applicable. MFA is enforced through user permissions assigned via profiles or permission sets, which gives granular policy control.
- Identity for customers & partners: Documentation covers external identity scenarios, including self-registration, federated SSO, and access to Experience Cloud sites and connected applications.
- Admin & developer controls: Configurable Auth Providers and Connected Apps allow integration with social and enterprise IdPs, with APIs for managing authentication, policies, and tokens.
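The SCIM provisioning capability above is easiest to understand as the request sequence an upstream IdP actually sends. The following is an added example, not Salesforce's own code or documentation: a small SCIM 2.0 client that first reads `/ServiceProviderConfig` to confirm the endpoint advertises PATCH support, then creates a user and deactivates it with a PatchOp. The endpoint path `/services/scim/v2` under the org's My Domain, the bearer-token scope, and the `FakeOrg` in-memory stand-in used so the demo runs offline are all assumptions; against a real org you would drop `FakeOrg` and pass the default `urllib` transport with a real OAuth access token.

```python
"""Inbound SCIM 2.0 provisioning into a Salesforce org (added example).

Assumptions (not from the original page): the SCIM base path
/services/scim/v2 under the org's My Domain, and that the OAuth bearer
token carries whatever scope the org requires for SCIM calls.
"""
import json
import urllib.request
from typing import Callable, Optional, Tuple

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# transport(method, url, headers, body) -> (status, response_bytes)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def scim_user(username: str, email: str, given: str, family: str) -> dict:
    """Minimal SCIM 2.0 User resource as an IdP would push it on a joiner event."""
    return {
        "schemas": [SCIM_USER],
        "userName": username,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def deactivate_patch() -> dict:
    """SCIM PatchOp that sets active=false (leaver event). Salesforce users are
    deactivated rather than deleted, so this is the operation that matters."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def urllib_transport(method, url, headers, body):
    """Default transport for a real org; unused by the offline demo below."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class ScimClient:
    def __init__(self, my_domain: str, token: str, transport: Transport = urllib_transport):
        # The bearer token rides in a header, so refuse anything but HTTPS.
        if not my_domain.startswith("https://"):
            raise ValueError("SCIM base URL must use https://")
        self.base = my_domain.rstrip("/") + "/services/scim/v2"  # assumed path
        self._token = token
        self._send = transport

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        headers = {"Authorization": "Bearer " + self._token,
                   "Accept": "application/scim+json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/scim+json"
            body = json.dumps(payload).encode()
        status, raw = self._send(method, self.base + path, headers, body)
        if status >= 400:
            # Report status and a body snippet only; never echo headers (token) into logs.
            raise RuntimeError(f"{method} {path} -> {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def supports_patch(self) -> bool:
        """Ask the endpoint what it supports before relying on PATCH."""
        cfg = self._call("GET", "/ServiceProviderConfig")
        return bool(cfg.get("patch", {}).get("supported"))

    def create_user(self, user: dict) -> str:
        return self._call("POST", "/Users", user)["id"]

    def deactivate_user(self, user_id: str) -> bool:
        if not self.supports_patch():
            raise RuntimeError("endpoint does not advertise PATCH; use PUT with active=false")
        return self._call("PATCH", f"/Users/{user_id}", deactivate_patch())["active"] is False


class FakeOrg:
    """Constructed in-memory stand-in for the SCIM endpoint so the demo runs offline."""
    def __init__(self, token: str):
        self.token, self.users, self.next_id = token, {}, 1

    def __call__(self, method, url, headers, body):
        if headers.get("Authorization") != "Bearer " + self.token:
            return 401, b'{"detail":"unauthorized"}'
        path = url.split("/services/scim/v2", 1)[1]
        if method == "GET" and path == "/ServiceProviderConfig":
            return 200, json.dumps({"patch": {"supported": True}}).encode()
        if method == "POST" and path == "/Users":
            u = json.loads(body)
            u["id"] = str(self.next_id)
            self.next_id += 1
            self.users[u["id"]] = u
            return 201, json.dumps(u).encode()
        if method == "PATCH" and path.startswith("/Users/"):
            u = self.users.get(path.rsplit("/", 1)[1])
            if u is None:
                return 404, b""
            for op in json.loads(body)["Operations"]:
                if op["op"] == "replace" and op["path"] == "active":
                    u["active"] = op["value"]
            return 200, json.dumps(u).encode()
        return 404, b""


def demo() -> dict:
    """Joiner then leaver, plus a wrong-token call that must be rejected."""
    org = FakeOrg("tok-123")
    client = ScimClient("https://example.my.salesforce.com", "tok-123", org)
    uid = client.create_user(scim_user("jdoe@example.com", "jdoe@example.com", "Jane", "Doe"))
    deactivated = client.deactivate_user(uid)
    rogue = ScimClient("https://example.my.salesforce.com", "wrong-token", org)
    try:
        rogue.deactivate_user(uid)
        rejected = False
    except RuntimeError:
        rejected = True
    return {"id": uid, "active": org.users[uid]["active"],
            "deactivated": deactivated, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The `ServiceProviderConfig` read is the check worth keeping when you point this at a real org: it tells you whether PATCH, filtering and bulk are actually advertised before you build a leaver flow on them. Note also that the rogue client in `demo()` fails closed: a bad bearer token is a 401 and the user record stays active.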
Limitations
- SCIM directionality: Salesforce's SCIM endpoints are inbound only: they accept provisioning into Salesforce from an upstream IdP. There is no public documentation showing Salesforce acting as an outbound SCIM 2.0 client that provisions users into other apps.
- Advanced OAuth profiles: Documentation emphasizes the core OIDC/OAuth 2.0 flows (authorization code with PKCE, JWT bearer, refresh tokens); there is not enough public evidence of PAR, DPoP, or mTLS/FAPI support.
- Feature placement: Some customer/partner identity capabilities (e.g., self-registration, communities) live under Experience Cloud and may require additional licensing.
- Terminology & setup complexity: Multiple configuration surfaces (Connected Apps, Auth Providers, and the IdP/SP settings) overlap and can be confusing to administer consistently.