Pardot Authentication Retirement FAQ
It's time to stop ignoring the increasingly urgent messages in your Pardot org about Salesforce SSO being required after Feb 15th and do something about it.
February 15th is a Monday, by the way, so the last day to enact this change isn't a very good day to run to your Salesforce admin with a bunch of urgent changes.
The documentation for the changes you have to make are here and here. I thought I'd point out a few why's and wherefores that I've seen come up that the documentation doesn't completely address.
What Does this Mean in Practice?
First, it means that when you login at pi.pardot.com you in effect MUST use the login with Salesforce button. It's unclear what will become of the Pardot login fields on this page after the 15th, I imagine they will go away and you will only be able to use the salesforce login button.
So in effect this means ALL Pardot users must have Salesforce login credentials after the 15th of February, 2021. No more "Pardot-only" users.
How can I tell how many Pardot only users I have?
In the User section of Pardot, under "view", select "Pardot-only users" and see how many you have.
If you don't have any, you're in good shape, you just have to enable SSO and you're pretty much good to go. If you have Pardot-only users, you must give them a way to log in with Salesforce credentials.
Can I have SSO enabled but still have Pardot-only users?
I believe the answer here is yes. So it's best to check.
But I don't have enough Salesforce Licenses!
That's ok. Pardot has supplied you with 100 "identity licenses" to issue to Pardot-only users. These are special Salesforce licenses that essentially will allow the user to login to to pi.pardot.com but have no other salesforce permissions.
Will an identity license allow access to the Pardot Lightning App?
No, it does not. Salesforce is working toward a future where Pardot becomes more and more on-platform and full utilization will require some form of Salesforce license. We are already partway there, as connected campaigns requires you to create and manage campaigns in Salesforce exlusively.
How do I Control Pardot Role Access with Identity Licenses?
The identity license has a standard Salesforce profile it's matched with called Identity User. I recommend cloning this profile into at least 2 identity licenses specifically for Pardot role sync-- call one Pardot Indentity Admin and the other Pardot Identity Marketing. This way you can match the approrpriate Pardot Role permissions with and equivalent profile. If you have custom roles with Pardot-only users assigned to those, you'll need to create more profiles.
What if I'm on connector Version 1?
What connector you are on is in your Pardot account. The documenation recommends you upgrade to V2 first, and while not strictly necessary, I also recommend it, especially if you aren't using marketing data sharing and business units. It's relatively painless and only takes about 15 minutes, I covered this in a prior blog post. You can do this as a Pardot admin with no help from a Salesforce Admin, but I recommend doing this first and plenty early, as thare have been instances where it hangs up on reconnecting, and you don't want to be submitting THAT ticket to Pardot support on the 15th. The only caveat here is if you had any special processes running in Salesforce based on your Pardot connector user, changing to the special B2BMA connector user (recommended), these processes will break. So it's a good idea to check with your Admin to make sure that noting is watching the Pardot connector user and taking actions in Salesforce when the Pardot user does something.
What if I use a custom URL for Salesforce login?
Some users have noted that logging in to Pardot with Salesforce if you have a custom URL requries extra steps from pi.pardot.com if you have a custom URL. This might seem to be the case, but if your Salesforce admin has your org enabled to continue logging in from login.salesforce.com, then you don't actually have to put in the custom URL. You can just log in with your salesforce credentials without putting in the custom URL.
In Salesforce setup this is under My Domain Settings. Uncheck the box from Login Policy (if it is, in fact, checked).
What about services like Zapier, OptinMonster, Wordpress Plugin and others that use the Pardot Login system for authentication?
This one is gonna be the huge gotcha for many people who aren't thinking about all the extra things in your stack and how they connect to Pardot. Anything that used the old Pardot system to authenticate (basically you logged in with your Pardot credentials and used the API keys from your Pardot account)-- anything that connected in that way WILL BREAK AFTER FEB 15! Many vendors have made the necessary adjustments already, but you still have to go into every single system and re-connect using a different way. My recommedation is inventory every third party system you have that "talks" to Pardot and go through each one systematically and check the connections as soon as possible. Most likely you will need to reconnect using a different method if they have updated their tools. If they don't offer a way to connect using Salesforce login credentials by now, you will need to check their knowledgebase for a statu update or send a strongly worded letter to their development team to get their act together, since this has been a well-known change coming for quite a long time. And while we're on this subject, this would be a good opportunity to use those identity licenses to create a login user specific to each one of your external services you're connecting to. This helps considerably with debugging when third party services go awry. There's a great blog post on this topic outlined here: https://marcloudconsulting.com/sf-basics/salesforce-sso-apis
Should I transition to managing Pardot users in Salesforce?
This isn't required before the 15th, but you might want to consider it since you're doing all this work. There are some considerations there, which will be the topic of another post.
If you've gotten this far, congratulations!