Okta + Salesforce
Automate Identity Management and CRM Workflows with Okta + Salesforce Integration
Sync user access, provisioning, and customer data between Okta and Salesforce to cut manual overhead and close security gaps.
Why integrate Okta and Salesforce?
Okta and Salesforce are two of the most relied-upon platforms in any modern enterprise stack — one governing who has access to your systems, the other housing your most important customer relationships. When they operate in silos, IT and RevOps teams burn hours manually provisioning accounts, reconciling user data, and chasing down access requests. Connecting Okta with Salesforce on tray.ai enables real-time, bi-directional data flows that keep identity management and CRM operations in sync.
Automate & integrate Okta & Salesforce
Use case
Automated User Provisioning and Deprovisioning
When a new employee is added to Okta, tray.ai automatically creates a corresponding Salesforce user with the correct profile, role, and permission sets based on their Okta group membership. When that user is deactivated in Okta, their Salesforce account is immediately suspended — no orphaned licenses, no unauthorized access.
Use case
Role-Based Salesforce Access Governed by Okta Groups
Map Okta groups directly to Salesforce profiles and permission sets so access always reflects a user's current organizational role. As employees move between teams or get promoted, Okta group changes automatically cascade to the correct Salesforce entitlements — no IT ticket required.
Use case
Salesforce Contact Enrichment from Okta User Profiles
When a new user is provisioned in Okta, tray.ai can create or enrich a corresponding Salesforce contact or lead record with verified profile data — name, email, department, manager. Your CRM stays populated with accurate internal stakeholder data without any manual entry.
Use case
Automated Salesforce License Reclamation
tray.ai monitors Okta deactivation events and triggers a workflow to suspend or deactivate the corresponding Salesforce user, reclaim their license, and log the action for audit purposes. Finance and IT teams get real-time visibility into active license counts without manual reconciliation.
Use case
Multi-Factor Authentication Compliance Enforcement in Salesforce
Use Okta's MFA status and authentication policy data to trigger conditional access workflows in Salesforce. If a user's MFA device is removed or their Okta authentication policy changes, tray.ai can automatically restrict their Salesforce session or flag the account for IT review.
Use case
New Salesforce Opportunity Alerts Routed by Okta Identity
When a high-value opportunity is created or updated in Salesforce, tray.ai uses Okta identity data to route alerts to the correct account owner, manager, or approver — so notifications reach the right person based on verified org structure rather than stale CRM role data.
Use case
Audit and Compliance Reporting Across Okta and Salesforce
tray.ai pulls together Okta access logs and Salesforce user activity into a unified compliance report, giving security and compliance teams a complete picture of who has access to Salesforce, what they're doing, and whether their access lines up with current Okta policies — no manual data pulls needed.
Get started with Okta & Salesforce integration today
Okta & Salesforce Challenges
What challenges are there when working with Okta & Salesforce and how will using Tray.ai help?
Challenge
Mapping Okta Groups to the Right Salesforce Profiles and Permission Sets
Salesforce has a layered access model — profiles, roles, permission sets, and permission set groups — while Okta organizes access through groups and app assignments. Mapping between these two models consistently and at scale, without hard-coding logic, gets complicated fast, especially as org structures change.
How Tray.ai Can Help:
tray.ai's data mapping and conditional logic tools let teams build dynamic mapping tables that translate Okta group memberships into the correct combination of Salesforce profiles and permission sets. These mappings can be updated centrally in tray.ai without rewriting integration logic, so it's straightforward to adapt as the organization grows.
Challenge
Handling Salesforce API Rate Limits During Bulk Provisioning Events
During large-scale onboarding events — an acquisition, a new team buildout — hundreds of Okta activation events may fire at once, each triggering Salesforce API calls that can quickly exhaust rate limits and cause provisioning failures.
How Tray.ai Can Help:
tray.ai includes built-in rate limit handling, request queuing, and retry logic that automatically throttle Salesforce API calls to stay within allowed limits. Bulk provisioning events are processed in controlled batches, so every user gets provisioned correctly without manual intervention or failed records.
Challenge
Ensuring Bi-Directional Data Consistency Without Infinite Loops
When both Okta and Salesforce can write to shared fields — user email or department, for example — a change in one system can trigger an update in the other, which then triggers another update back. These loops corrupt data and generate noise in both platforms.
How Tray.ai Can Help:
tray.ai provides event deduplication, source-of-truth flagging, and conditional workflow branching to prevent loop scenarios. Teams can define which system owns each field and configure tray.ai to skip updates when incoming data matches what's already stored, keeping data clean without runaway workflows.
Challenge
Keeping Salesforce User Records in Sync After Okta Profile Updates
When an employee changes their name, department, or role, Okta is typically updated first by HR systems. Those changes often don't reach Salesforce in time, resulting in stale user records that cause misrouted reports, incorrect opportunity ownership, and broken approval flows.
How Tray.ai Can Help:
tray.ai listens for Okta profile update events in real time and immediately pushes the relevant attribute changes to the corresponding Salesforce user record. Field-level mapping ensures only the relevant Salesforce fields are updated, reducing the risk of overwriting CRM-specific customizations.
Challenge
Auditing and Proving Compliance Across Two Separate Systems
Compliance frameworks like SOC 2 and ISO 27001 require organizations to demonstrate that access to sensitive systems like Salesforce is provisioned and deprovisioned in a timely, documented way. Pulling that evidence manually from two separate platforms is slow and error-prone.
How Tray.ai Can Help:
tray.ai logs every provisioning, deprovisioning, and access change event with a full audit trail — the trigger, what changed, the timestamp, and the acting system. These logs can be exported on demand or routed automatically to a SIEM or compliance reporting tool, giving auditors what they need without manual data assembly.
Start using our pre-built Okta & Salesforce templates today
Start from scratch or use one of our pre-built Okta & Salesforce templates to quickly solve your most common use cases.
Okta & Salesforce Templates
Find pre-built Okta & Salesforce solutions for common use cases
Template
Provision Salesforce User on Okta Activation
This template watches for new user activation events in Okta and automatically creates a fully configured Salesforce user with the correct profile, role hierarchy, and permission sets derived from the user's Okta group membership.
Steps:
- Trigger: Okta webhook fires when a new user is activated or assigned to a relevant group
- Map Okta user attributes (department, title, manager) to Salesforce user profile fields
- Create Salesforce user record with the appropriate profile and role based on Okta group
- Assign Salesforce permission sets matching the user's Okta entitlements
- Log provisioning event and send confirmation notification to IT and the user's manager
Connectors Used: Okta, Salesforce
Template
Deprovision Salesforce User on Okta Deactivation
Automatically suspends or deactivates a Salesforce user the moment their Okta account is deactivated, reclaims the Salesforce license, and generates an audit log entry — no manual steps required during offboarding.
Steps:
- Trigger: Okta event fires when a user account is deactivated or deleted
- Look up the corresponding Salesforce user by email address
- Deactivate the Salesforce user record and freeze active sessions
- Reclaim the Salesforce license and update license inventory record
- Write audit log entry with timestamp, actor, and affected user details
Connectors Used: Okta, Salesforce
Template
Sync Okta Group Changes to Salesforce Permission Sets
Monitors Okta group membership changes in real time and updates the corresponding Salesforce user's profiles and permission sets to reflect their new role — access stays current without an IT ticket.
Steps:
- Trigger: Okta event fires when a user is added to or removed from an Okta group
- Identify which Salesforce permission set or profile maps to the changed Okta group
- Add or remove the corresponding Salesforce permission set assignment for the user
- Update the Salesforce user's profile if a role-level change is detected
- Send a summary of access changes to the IT security inbox for review
Connectors Used: Okta, Salesforce
Template
Enrich Salesforce Contacts with Okta Directory Data
When a new user is provisioned in Okta, this template creates or updates the matching Salesforce contact record with verified directory attributes, keeping internal stakeholder data in the CRM accurate and current.
Steps:
- Trigger: New user created and activated in Okta
- Search Salesforce for an existing contact record matching the user's email
- Create a new Salesforce contact or update the existing record with Okta profile data
- Tag the contact with a custom field indicating the record was sourced from Okta
- Log the enrichment event for data governance tracking
Connectors Used: Okta, Salesforce
Template
Weekly Salesforce License Audit Against Okta Active Users
Runs a scheduled comparison between active Okta users and active Salesforce licenses to surface discrepancies — such as active Salesforce users who no longer have an active Okta account — and routes findings to IT for remediation.
Steps:
- Trigger: Scheduled run every Sunday night
- Pull the full list of active users from Okta via API
- Pull the full list of active Salesforce users and their license types
- Compare the two lists and identify users present in Salesforce but not active in Okta
- Generate a discrepancy report and send to the IT security and FinOps distribution lists
Connectors Used: Okta, Salesforce
Template
Okta MFA Non-Compliance Alert and Salesforce Access Restriction
Detects when a Salesforce user's Okta MFA enrollment lapses or is removed and automatically restricts their Salesforce session while notifying the security team — continuous MFA compliance without manual monitoring.
Steps:
- Trigger: Okta event fires when a user's MFA factor is unenrolled or reset
- Look up the corresponding Salesforce user account by email
- Apply a restrictive Salesforce permission set that limits sensitive data access
- Create a Salesforce case or IT service ticket flagging the compliance gap
- Send immediate alert to the security operations team with user and event details
Connectors Used: Okta, Salesforce