Community users provisioning
New users are provisioned during SSO. BTW, users should be Community Only, i.e., they should not have access to the real SF application or edit existing settings. For every user, a contact is created on some predefined account, and every user has a profile with the pre-defined 'Customer Community' license. Then this profile is added to the community allowed list.
1. Am I correct that the license used is exactly community only?
2. Is it a correct approach to create community users through contacts, profiles and a license for every community user (would it clash with existing users)? The relation between user and contact is a bit confusing.
3. Federation ID should be used for user provisioning during SSO. But if there is already a user with such an email but without a federation ID, is it possible to connect the existing SF user to the external user (not manually, but using SAML)?
A Salesforce User (someone with a Salesforce license) can also be allowed to access the Community, but they will access it as a Salesforce user -- not as a Community license user. So, they will see all the same records they see in your internal org.
I am a company - MyC.
My client - CC. So we have an appropriate account in Salesforce for this company.
My client company's people are stored as contacts in the CC account.
Community users should be assigned to some account as well, so the new account is needed for new community users.
Looks like I have one more client (because of a new account MyC). Looks like I'm working with myself.
But this account's purpose is only to contain community users (my clients, but not my workers).
So real client companies' accounts and community user accounts are being mixed up.
It is impossible to detect their company during SSO provisioning and associate them with an appropriate existing company account. So all users will be assigned to the community account.
Therefore some clients' people will have duplicated contacts (first in CommunityAccount and second in his ClientCompanyAccount).
As for me, it is too complex a solution.
You are right, but during SSO it is not possible to detect to which account a new user should be assigned. So all provisioned users are assigned to the new MyCommunity account.
It leads to contact duplicates (for already existing client contacts).