If you’re a Pardot Admin you’ve likely seen communications related to the Spring ’21 release specific to new Single Sign-On (SSO) changes.
We’ve learned a lot when driving awareness of this change to our internal teams, partners, and customers. So, how will Pardot authentication change? We want to hone in on what’s essential, provide you reassurance, and clarify common questions so you can best prepare for this change.
User Access to Pardot via Salesforce SSO
Beginning on February 15, 2021, Pardot’s user authentication system will be discontinued and all users will be required to use Salesforce SSO. This means that all Pardot users without Salesforce SSO enabled by February 15 will lose the ability to log into Pardot until they are connected to a Salesforce user.
For customers that have yet to enable the Pardot Lightning App, and do not have Salesforce user licenses, we’ve provisioned 100 identity user licenses to make this a smooth transition.
Since this is an authentication change, Pardot users will experience no changes to their day-to-day use of the product, except for those who choose to purchase Salesforce, Service, or CRM licenses for their Pardot users to begin using the Pardot Lightning App.
Customers using Pardot Classic will use Salesforce identity licenses to authenticate, however, this will not give them access to Pardot Lightning or Salesforce objects.
To summarize this visually, users that log-in to Pardot Classic via https://pi.pardot.com/ will no longer be able to use their Pardot username and password to authenticate. They will, however, be able to authenticate with Salesforce SSO by pressing the “Log In with Salesforce” button. All fields outlined in red will be removed from the log-in screen.
Simply put, you will be locked out of your Pardot Account on February 15th, 2021 if you don’t adopt Salesforce SSO.
What is Pardot SSO?
Pardot historically has maintained its own authentication method. Single sign-on is an authentication method that enables users to access many Salesforce applications with one login and one set of credentials.
Why did we do this?
Salesforce SSO provides a more fully-featured and secure authentication experience than Pardot’s legacy authentication, including the following.
- Salesforce SSO has the ability to use external identity providers and applications to support user sign on. For example, if your enterprise already has an SSO system, it can probably integrate with Salesforce SSO, eliminating the need for your users to create separate Salesforce credentials.
- Multi-factor authentication provided by Salesforce SSO protects your Pardot account with best practices in modern user authentication, including a certificate-based authentication options.
- Administrators can configure richer security options within Salesforce, such as the ability to require reauthentication before sensitive operations are permitted.
- Salesforce SSO features other modern security best practices, including setting trusted IP address ranges and the ability for Administrators to audit details about user sessions.
- Reduces the effort for users and admins by aligning users across both systems.
Given the rich feature set provided by SSO, we believe that this change is in the best interest of our users. It will also allow Pardot’s product development teams to focus on bringing Pardot customers new best-in-class B2B marketing features.
Does this impact me?
Yes, there are two ways this impacts Pardot customers: User Authentication and API Authentication.
1. User Authentication
The process by which users log-in.
- Next Steps: Our Admin Guide will take you step-by-step through this process: Pardot User Migration Admin Guide. Salesforce has provisioned 100 identity licenses to all Pardot customers that allows users to authenticate at no cost. This guide details the steps needed to be taken to change user authentication to Salesforce SSO.
2. API/Connector Authentication
The process by which third-party independent software vendors (ISVs) authenticate to Pardot, e.g. the WordPress plug-in, webinars providers, and conversational marketing tools.
- Summary: All integrated technologies will need to update their OAuth method to meet the security standards. Meaning that if you have integrations to Pardot your software vendor will need to make this new authentication method available by updating the connector authentication method.
- Next Steps: We have updates in our FAQ under Pardot API which call out several popular third-party API integrations. Please reach out to your software vendor’s support channels to request this update and get feedback on when a solution will become available.
What should I know before I update User Authentication?
When reviewing the steps to update user authentication methods in the User Migration guide there are two features we recommend, which when enabled cannot be reversed. Most customers should enable them, however, there are a couple of nuanced considerations to evaluate before turning them on. Let’s review!
1. Upgrade your connector
Customers who purchased Pardot prior to February 11, 2019 may have a V1 connector. We now have a new version of the connector (V2) that is not user-based, which means that it doesn’t consume a Salesforce license or stop syncing due to user authentication errors. This connection is always on unless intentionally paused and the metadata can be refreshed on-demand.
Read more: Salesforce Connector for Pardot v1 vs. v2: Key Differences
The V2 connector is permanently connected to its corresponding Salesforce Org, and therefore a small minority of customers may choose to delay this upgrade. This is an edge case considerations for Pardot customers planning major infrastructure changes such as migrating from one Salesforce org to another. For example, this use case might be common for late-stage startups that are considering merger and acquisition opportunities.
2. Salesforce User Sync
Allows companies to reduce admin overhead by aligning the Salesforce and Pardot access to the Salesforce user. This is particularly valuable for organizations with a high volume of marketing, sales, and service users because admins only need to manage access in Salesforce once enabled. Once enabled, this feature cannot be disabled.
While this is a great benefit for most of our customers, those who have configured a custom email domain that differs from their Salesforce user may choose not to enable it. Let’s say you’re Salesforce user domain is “salesforce.com“ but your Pardot email domain is ”pardot.com“, to keep this sending domain you would not be able to enable user sync.
What’s next?
Make sure to download the Pardot User Migration Admin Guide and schedule a meeting with your Pardot and Salesforce admins to discuss steps and assign tasks. There’s a handy project planning sheet to keep you on track. If you want an expert to help, we recommend working with a certified Salesforce Pardot consulting partner.
Finally, start evaluating all your Pardot integrations and check if they’ve reported to us that they’ve made the needed changes. If they have not communicated the new authentication timeline and instructions reach out to their support for updates. Specifically, share the Official Announcement and ask when they will be updating to their new authentication method. Finally, check the Pardot User Migration FAQ for any outstanding questions you may have about this change.