Community users provisioning - Answers - Salesforce Trailblazer Community
Ask Search:
John SimonaJohn Simona 

Community users provisioning

We have a SF app (with users). We are making a new community for our customers.

New users are provisioned during SSO. BTW, users should be Community Only. I.E. should not have access to real SF application or edit existing settings. For every user a contact created on some predefined account and every user has profile with pre-defined 'Customer Community' license. Then this profile is added to community allowed list.

1. Am I Correct, that used license is exactly community only?

2. Is it correct approach to create community users through contacts, profiles and license for every community user (would it clash with exisitng users)? A bit confusing relation of user and contact

3. Federation ID should be used for user provisioning during SSO. But if there is already user with such email but without federation id, is it possible to connect existing SF user to external user? (not manually but usgin SAML) 

Thanks
Jeff MayJeff May
Each Community user is based on a Contact in Salesforce.  You can assign an SSO Federation ID to the user record if you have an SSO entry for those Community users.

A Salesforce User (someone with a Salesforce license) can also be allowed to access the Community, but they will access it as a Salesforce user -- not as a Community license user. So, they will see all the same records they see in your internal org.
 
John SimonaJohn Simona
Let me know if I am wrong. 

I am a company - MyC. 
My client - CC. So we have an appropriate account in salesforce for this company. 
My client company people are stored as contacts in CC account.
Community users should be assigned to some account as well, so the new account is needed for new community users.
Looks like I have one more client (because of a new account MyC). Looks like I'm working with myself. 
But this account purpose is only to contain community users (my clients, but not my workers). 

So real client companies accounts and community user accounts are being mixed up
Jeff MayJeff May
You don't need a new Account for your client's company people (Contacts). You add them as Contacts to CC.
John SimonaJohn Simona
Clients are from different companies. They should have access to my Customers community due they use my external service.

It is impossible to detect their company during SSO provisioning and associate with an appropriate existing company account. So all users will be assigned to community account
Therefore some clients people will have duplicated contact (first in CommunityAccount and second in hist ClientCompanyAccount)

As for me it is too complex solution
Jeff MayJeff May
Each client will have its own Account. And its employees will be Contacts on that Account. I would be really surprised if any of your clients allowed you to have control over their SSO -- so I think SSO for your Community users is not an option.
John SimonaJohn Simona
In general, my clients should be able to login to my community. Some of the clients already present as SF contact, but some not.
You are right, but during SSO is it not possible to detect to which account new user should be assigned. So all provisioned users are assigned to the new MyCommunity account.
It leads to contact duplicates (for already existing client contacts)