Terry’s Tidbits: Single Sign On with Microsoft Azure AD
April 12, 2019

One of the simplest things you can do to help improve user adoption of Salesforce is to enable Single Sign-On (SSO). SSO creates a trust relationship between your corporate identity provider and Salesforce: Azure Active Directory (Azure AD) authenticates the user and hands Salesforce a signed SAML assertion, so users skip the Salesforce login form and go straight to their records. It also tightens your overall security model by giving you a single identity provider to manage. When a user is disabled in Azure AD, they can no longer sign in through SSO; to cut off access completely, deactivate or freeze the Salesforce user as well, because a Salesforce password the user already holds is not revoked by the Azure AD change.


There are many other benefits as well, so why doesn’t everyone do this? The reason I didn’t do it was that I thought it was too complicated and I’d never understand how. My hope is that this step-by-step guide will help you through the process.

To get started you will need to set up My Domain in Salesforce. If you have not done that, do it now. You will then need to work with your corporate network administrator, as this also requires configuration in Azure AD. Schedule 30-60 minutes with them and you’ll be able to knock this process out, and your Salesforce users will love you. Let’s get started!

Each step below is prefaced with who is responsible for completing it. SA means it’s the Salesforce administrator’s responsibility, while AD means it’s your Azure Active Directory administrator’s role.


SA: Sign in to Salesforce.

AD: Sign in to the Azure Active Directory portal: https://aad.portal.azure.com
AD: Select Enterprise applications


AD: Press the New Application button


AD: In the Add from gallery section, type in Salesforce


AD: Select the appropriate type of Salesforce org you’re connecting to and you’ll see the Salesforce Add App panel appear.

AD: In the Name, I would recommend naming it something that will help you recall what this is being used for.  For a production org, you might call it Salesforce SSO.  For a dev org, you might call it Salesforce Dev1 SSO. Press the Add button at the bottom of the screen.


AD: Select Single sign-on from the application menu then click the SAML card


You should now be on a screen that looks like the one below.  It walks us through each step we need to take.


AD: Starting with Step 1:

  • Press the edit pencil in the Basic SAML Configuration section
  • Enter your Salesforce My Domain address in both the Identifier (Entity ID) (Required) and Sign on URL (Required) fields.  It should look something like:  https://universalcontainers.my.salesforce.com.  SAML compares the Entity ID as an exact string, so copy it precisely (https, no trailing slash) and use the same value as the Entity ID in the Salesforce SAML settings.
  • Press Save.  You can then press the X in the top right to close the screen.

AD: Step 2:

  • Press the edit pencil in the User Attributes & Claims section
  • Press the edit pencil next to the Name identifier value.
  • I typically use the Source attribute of user.mail.  Press Save then the X to close the screen.  Whatever attribute you choose, its value is what Salesforce will compare, character for character, against each user’s Federation ID.

AD: Step 3:

  • In the SAML Signing Certificate section, press the Download link next to Certificate (Base64)
  • Also download the Federation Metadata XML

SA: Go to Salesforce and press the Gear to open Setup

SA: In the Quick Find, type Single Sign-On Settings and select it.

SA: Press Edit, Enable SAML, and press Save


SA: Press the New from Metadata File button. 

SA: Press Choose File and upload the Federation Metadata XML file you downloaded from Azure

SA: Press Save and the screen below will appear


SA: Press Choose File and upload the Base64 certificate you downloaded from Azure. This is the certificate Salesforce uses to verify the signature on every assertion, so when Azure AD rotates its signing certificate you must upload the new one here before the old one expires.

SA: For the SAML Identity Type, select Assertion contains the Federation ID from the User object

SA: Press Save

SA: From the Setup Quick Find, type in Users

SA: Edit the user’s Federation ID field and enter the value Azure AD will send as the Name identifier, i.e. the user’s Azure AD email address if you chose user.mail above. The match is case-sensitive and must be exact.

SA: Repeat this step for all users.
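Two of the steps above are where SSO setups most often go wrong: uploading the wrong metadata file, and Federation IDs that do not match what Azure AD sends. The script below, an added example that is not part of the original post and not code from Microsoft or Salesforce, does a pre-flight check of both before you ask users to try it. It assumes the Federation Metadata XML downloaded in Step 3 and an export of Salesforce usernames with their Federation ID field; the metadata, tenant ID, certificate bytes and user list shown are all constructed sample data (the metadata is trimmed to the elements Salesforce consumes and the certificate is a dummy byte string, not a real X.509 certificate).

```python
"""Pre-flight checks for an Azure AD -> Salesforce SAML setup (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed: stands in for the DER bytes of the IdP signing certificate.
DUMMY_CERT_DER = b"constructed stand-in for a DER-encoded signing certificate"
DUMMY_CERT_B64 = base64.b64encode(DUMMY_CERT_DER).decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed: the shape of Azure AD's Federation Metadata XML, trimmed.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{DUMMY_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed: Salesforce username / Federation ID pairs, one of each failure.
SAMPLE_SF_USERS = [
    {"username": "ana@universalcontainers.com", "federation_id": "ana@universalcontainers.com"},
    {"username": "bo@universalcontainers.com", "federation_id": "Bo@UniversalContainers.com"},
    {"username": "cy@universalcontainers.com", "federation_id": ""},
]
SAMPLE_AZURE_MAILS = ["ana@universalcontainers.com",
                      "bo@universalcontainers.com",
                      "cy@universalcontainers.com"]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 thumbprint of the certificate, for comparing by
    eye against the thumbprint the IdP portal displays for its signing cert."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text) -> dict:
    """Extract the IdP values Salesforce's 'New from Metadata File' consumes,
    failing loudly if the file is not identity-provider metadata (for example
    the SP metadata Salesforce itself exports, uploaded by mistake)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # Prefer an explicit signing key; a KeyDescriptor without 'use' is valid
    # for both signing and encryption under the SAML metadata spec.
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    if key is None:
        key = idp.find("md:KeyDescriptor", NS)
    cert_el = None if key is None else key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no X509Certificate in metadata")
    der = base64.b64decode("".join(cert_el.text.split()), validate=True)
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % POST_BINDING, NS)
    if sso is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "cert_der": der,
        "cert_sha256": sha256_fingerprint(der),
    }


def looks_like_idp_metadata(xml_text) -> bool:
    """True only if the file parses as usable IdP metadata."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def check_federation_ids(azure_mails, sf_users) -> dict:
    """Salesforce compares the assertion's NameID to Federation ID exactly and
    case-sensitively. Report exact matches, near misses (case or whitespace
    differences), mails with no Salesforce user, and duplicate Federation IDs."""
    by_fid = {}
    for u in sf_users:
        fid = u.get("federation_id") or ""
        if fid:
            by_fid.setdefault(fid, []).append(u["username"])
    folded = {fid.strip().casefold(): fid for fid in by_fid}
    report = {"ok": [], "near_miss": [], "unmapped": [],
              "duplicate": [(f, n) for f, n in by_fid.items() if len(n) > 1]}
    for mail in azure_mails:
        if mail in by_fid:
            report["ok"].append(mail)
        elif mail.strip().casefold() in folded:
            report["near_miss"].append((mail, folded[mail.strip().casefold()]))
        else:
            report["unmapped"].append(mail)
    return report


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP Entity ID:", idp["entity_id"])
    print("SSO POST URL :", idp["sso_url"])
    print("Cert SHA-256 :", idp["cert_sha256"])
    for kind, items in check_federation_ids(SAMPLE_AZURE_MAILS, SAMPLE_SF_USERS).items():
        print(f"{kind:10}: {items}")
```

Run it against the real metadata file and a user export from Setup, and fix every near-miss and unmapped entry before enabling the Azure AD option on the My Domain login page; a near miss like Bo@UniversalContainers.com will fail SSO even though it looks right to a human.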


AD: Go back to Azure Active Directory

AD: Select Properties from the application menu

AD: Scroll down to the bottom of the page to the User assignment required? setting. Selecting No and pressing Save makes the application available to every user in your Azure AD tenant. If you want to be more restrictive, which is the safer default, leave this setting as Yes and use Users and groups to control who has access to this application. Either way, a user can only get into Salesforce if a Salesforce user with a matching Federation ID exists.

SA: Go back to Salesforce

SA: In the Setup, in the Quick Find search, type and select My Domain

SA: Press Edit in the Authentication Configuration section.  Check the Azure AD option, or whatever you named the Identity Provider, and press Save.  You could also deselect the Login Form if you want to force users to authenticate only with their corporate login. Before you do, make sure at least one administrator can still sign in with a password, so that an Azure AD outage or an expired signing certificate does not lock everyone out.


SA: Sign out of Salesforce or open an Incognito browser window.

SA: Type your My Domain login page into the URL bar of your browser, e.g. https://universalcontainers.my.salesforce.com

SA: You should see an Azure AD button below the login form. If you deselected the Login Form on the My Domain settings, only the Azure button will appear. 


SA: Press the Azure AD button.

SA: If you’re already logged into Azure, Salesforce will open immediately.  If not, you’ll be prompted by Microsoft to sign in.

If everything worked as it should, your users will no longer need to be given a Salesforce username and password.  They still have to be set up with a username, but you wouldn’t have to share it with them.  If you wish to take this one step further, Salesforce has a product called Identity Connect which automatically provisions, i.e. syncs, Salesforce users with Active Directory.  With that product, your corporate network administrator can manage Salesforce users entirely from within Active Directory.


I hope you found this guide helpful. As always, I’m happy to help, so reach out if I can be of assistance. Thanks for taking the time to read my blogs. Be sure to register so you’re notified of all my new posts.

Terry Miller
Terry has spent over 20 years focused on business leadership and information technology. As an independent consultant, he enjoys working with a variety of customers to help them solve business problems using the Salesforce® platform. His ability to quickly identify bottlenecks and provide understandable solutions has gained him the trust of his customers. If you're looking for expert guidance on your next Salesforce® project, click here to contact Terry today.
