OneLogin + Salesforce

Automate Identity and CRM Sync with OneLogin + Salesforce Integration

Keep user access, roles, and customer data aligned between your identity provider and CRM without manual intervention.

Why integrate OneLogin and Salesforce?

OneLogin and Salesforce do two very different jobs in your enterprise stack — one controls who gets access to what, and the other holds your most important customer relationships. When they're not talking to each other, IT teams spend hours manually provisioning users, reps lose access at the worst possible moments, and offboarding leaves security gaps open longer than anyone's comfortable with. Integrating OneLogin with Salesforce via tray.ai means identity events automatically trigger the right actions in your CRM, keeping both systems accurate, secure, and current.

Automate & integrate OneLogin & Salesforce

Use case

Automated User Provisioning from OneLogin to Salesforce

When a new employee is created and assigned to a Salesforce-connected app in OneLogin, tray.ai automatically provisions a matching Salesforce user with the correct profile, role, and license type. No IT tickets, no delays — reps can access Salesforce from day one without any manual admin steps between HR onboarding and CRM access.

Use case

Real-Time User Deprovisioning on OneLogin Offboarding

When a user is deactivated or removed from the Salesforce application in OneLogin, tray.ai immediately deactivates the corresponding Salesforce user and optionally reassigns their open records to a manager or successor. Former employees don't retain CRM access after departure, and both platforms stay in sync without manual IT intervention.

Use case

Role and Profile Updates Based on OneLogin Group Changes

When a user's group membership changes in OneLogin — say, a promotion from Sales Development Rep to Account Executive — tray.ai detects it and updates the corresponding Salesforce user's profile, role hierarchy, and permission sets. CRM access stays aligned with your org structure without operations teams manually cross-referencing group changes against Salesforce admin tasks.

Use case

SSO Login Activity Sync for Salesforce Compliance Auditing

tray.ai captures OneLogin authentication events and SSO login activity, then writes summarized access records or custom object entries into Salesforce for compliance and auditing. Security and compliance teams can use Salesforce reports and dashboards to track who logged in, when, and from where — without needing a separate SIEM integration.

Use case

Salesforce Contact Creation from OneLogin User Provisioning for Partners

When external partners or contractors are provisioned in OneLogin and assigned to partner-facing apps, tray.ai creates or updates corresponding Contact or Account records in Salesforce so partner managers have full visibility. Your Salesforce partner community reflects your live identity directory without manual data entry, and partner-facing teams can track onboarding status and access levels directly in the CRM.

Use case

Automated Salesforce User License Reclamation

tray.ai regularly queries OneLogin for inactive or suspended users and cross-references them against active Salesforce licenses to find reclamation opportunities. When a Salesforce license is held by someone who's no longer active in OneLogin, an automated alert or deactivation workflow fires. IT and operations teams get control over licensing costs without running manual audits.

Use case

Multi-Org Salesforce User Sync Triggered by OneLogin Events

For enterprises running multiple Salesforce orgs, tray.ai uses OneLogin provisioning events as a single source of truth to create or update users across all relevant Salesforce instances at once. A single group assignment in OneLogin fans out to provision the right user record, profile, and permissions in each target org — simplifying multi-org administration and keeping your entire Salesforce estate consistent.

OneLogin & Salesforce Challenges

What challenges are there when working with OneLogin & Salesforce and how will using Tray.ai help?

Challenge

Mapping OneLogin Groups to Salesforce Profiles and Permission Sets

OneLogin organizes access through groups and roles, while Salesforce uses a layered model of profiles, roles, permission sets, and permission set groups. Keeping an accurate mapping between these two systems — especially as the org changes — is genuinely complex and breaks down fast when done manually.

How Tray.ai Can Help:

tray.ai lets you define and manage a dynamic mapping table inside your workflow that translates OneLogin group names or role IDs to the exact Salesforce profile API names and permission set IDs. When mappings change, you update the configuration in one place rather than digging through code or manual processes.

Challenge

Handling Salesforce API Limits During Bulk Provisioning Events

Large-scale onboarding events — a new team coming over after an acquisition, for instance — can trigger hundreds of simultaneous provisioning requests to Salesforce, and hitting API rate limits means partial or failed user creation.

How Tray.ai Can Help:

tray.ai has built-in rate limiting, retry logic, and batch processing that queues and throttles Salesforce API calls to stay within governor limits. Failed operations are automatically retried with exponential backoff and surfaced in error logs for review.

Challenge

Ensuring Bidirectional Data Consistency Between Systems

Changes made directly in Salesforce — like a Salesforce admin manually adjusting a user's profile — can fall out of sync with the authoritative state in OneLogin, creating drift that causes access inconsistencies over time.

How Tray.ai Can Help:

tray.ai can run scheduled reconciliation workflows that compare the current state in both OneLogin and Salesforce, identify discrepancies, and either auto-correct them based on a defined source of truth or flag them for IT review.

Challenge

Securely Handling Sensitive Identity and CRM Credentials

Integrating an identity provider like OneLogin with a data-rich system like Salesforce means carefully managing API credentials, OAuth tokens, and webhook secrets — otherwise you're creating new exposure on both platforms.

How Tray.ai Can Help:

tray.ai stores all credentials in an encrypted secrets vault and supports OAuth 2.0 flows natively for both OneLogin and Salesforce. Connections are scoped to least-privilege API access, and all workflow activity is logged with full auditability for security reviews.

Challenge

Managing Salesforce Record Ownership During User Deprovisioning

When a Salesforce user is deactivated, any records they own — leads, contacts, opportunities, cases — become orphaned or inaccessible unless ownership is transferred first. Identifying and reassigning those records at the moment of offboarding is time-sensitive and, done manually, is genuinely painful.

How Tray.ai Can Help:

tray.ai's deprovisioning workflow automatically queries all Salesforce records owned by the departing user and bulk-reassigns them to a designated fallback owner, manager, or queue using Salesforce's bulk API — all within the same automated flow that deactivates the user account.

Start using our pre-built OneLogin & Salesforce templates today

Start from scratch or use one of our pre-built OneLogin & Salesforce templates to quickly solve your most common use cases.

OneLogin & Salesforce Templates

Find pre-built OneLogin & Salesforce solutions for common use cases

Template

Provision Salesforce User on OneLogin App Assignment

Automatically creates a new Salesforce user with the correct profile, role, and license type whenever a user is assigned to the Salesforce application in OneLogin, mapping group attributes to Salesforce fields.

Steps:

  • Trigger on OneLogin event: user assigned to Salesforce application
  • Map OneLogin user attributes (department, title, group) to Salesforce user fields
  • Create Salesforce user record with appropriate profile, role, and license via Salesforce API

Connectors Used: OneLogin, Salesforce

Template

Deactivate Salesforce User on OneLogin Offboarding

Listens for user deactivation or app removal events in OneLogin and immediately deactivates the matching Salesforce user, then reassigns their open records to a designated manager or team queue.

Steps:

  • Trigger on OneLogin event: user deactivated or removed from Salesforce app
  • Look up matching Salesforce user by email address
  • Deactivate Salesforce user and bulk-reassign owned records to a fallback owner

Connectors Used: OneLogin, Salesforce

Template

Sync OneLogin Group Changes to Salesforce Profiles and Roles

Monitors changes to a user's group membership in OneLogin and automatically updates their Salesforce profile, role, and permission set assignments to reflect their new position in the org.

Steps:

  • Trigger on OneLogin event: user group membership updated
  • Apply configured mapping table to determine correct Salesforce profile and role
  • Update Salesforce user record with new profile, role hierarchy, and permission sets

Connectors Used: OneLogin, Salesforce

Template

Write OneLogin SSO Events to Salesforce Custom Object for Audit

Captures authentication and SSO login events from the OneLogin event stream and writes structured records to a Salesforce custom object, enabling compliance dashboards and security review directly within Salesforce.

Steps:

  • Poll or stream OneLogin event log for authentication and access events
  • Transform event payload into Salesforce custom object field schema
  • Upsert audit records into Salesforce custom object with timestamp, user, and event type

Connectors Used: OneLogin, Salesforce

Template

Reclaim Inactive Salesforce Licenses Based on OneLogin Status

Runs on a schedule to compare active Salesforce licensed users against current OneLogin user status, flagging or deactivating Salesforce accounts for users who are suspended or inactive in OneLogin.

Steps:

  • Schedule trigger runs nightly or weekly
  • Query all active Salesforce users and validate each against OneLogin user status via API
  • Flag mismatches in a Salesforce report object or auto-deactivate users below a confidence threshold

Connectors Used: OneLogin, Salesforce
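
The reconciliation pass behind this template, and behind the drift check described under "Ensuring Bidirectional Data Consistency Between Systems", can be sketched as below, reusing the group-to-profile mapping table idea from the first challenge. This is an added example, not tray.ai's code: the record keys, group names and profile names are constructed stand-ins rather than real API payloads, and OneLogin is assumed to be the source of truth.

```python
# Constructed sample data; keys are simplified stand-ins, not real API payloads.
GROUP_TO_PROFILE = {  # hypothetical mapping table: OneLogin group -> Salesforce profile
    "Sales Development Rep": "SDR Profile",
    "Account Executive": "AE Profile",
}
ONELOGIN_USERS = [
    {"email": "ana@example.com", "active": True, "group": "Account Executive"},
    {"email": "bo@example.com", "active": False, "group": "Sales Development Rep"},
    {"email": "cy@example.com", "active": True, "group": "Contractors"},
]
SALESFORCE_USERS = [
    {"email": "Ana@Example.com", "active": True, "profile": "SDR Profile"},
    {"email": "bo@example.com", "active": True, "profile": "SDR Profile"},
    {"email": "cy@example.com", "active": True, "profile": "AE Profile"},
    {"email": "dee@example.com", "active": True, "profile": "System Administrator"},
]


def reconcile(idp_users, crm_users, mapping):
    """Return sorted (email, finding, action) tuples, treating the IdP as authoritative."""
    # Normalise e-mail case and whitespace so "Ana@..." and "ana@..." match.
    idp = {u["email"].strip().lower(): u for u in idp_users}
    findings = []
    for crm in crm_users:
        if not crm["active"]:
            continue  # already deactivated, holds no license
        email = crm["email"].strip().lower()
        src = idp.get(email)
        if src is None:
            # No IdP identity: may be an integration account, so a human decides.
            findings.append((email, "no_idp_identity", "review"))
        elif not src["active"]:
            # Offboarded in the IdP but still licensed in the CRM.
            findings.append((email, "inactive_in_idp", "deactivate"))
        else:
            expected = mapping.get(src["group"])
            if expected is None:
                # Unmapped group: fail closed, never guess a profile.
                findings.append((email, "unmapped_group", "review"))
            elif crm["profile"] != expected:
                findings.append((email, "profile_drift", f"set_profile:{expected}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(ONELOGIN_USERS, SALESFORCE_USERS, GROUP_TO_PROFILE):
        print(finding)
```

Only the `inactive_in_idp` case is safe to automate; accounts with no IdP identity or an unmapped group are routed to review so that a gap in the mapping table never grants or removes access silently.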

Template

Create Salesforce Partner Contact on OneLogin External User Provisioning

When an external partner or contractor is provisioned in OneLogin and assigned to a designated partner application, automatically creates or updates a corresponding Salesforce Contact under the correct Account for partner visibility.

Steps:

  • Trigger on OneLogin provisioning event for users tagged as external or partner type
  • Look up or create matching Account record in Salesforce using partner organization data
  • Create or upsert Contact record in Salesforce with role, email, and provisioning metadata

Connectors Used: OneLogin, Salesforce