Single Sign On with Microsoft Azure AD

Terry’s Tidbits: Single Sign On with Microsoft Azure AD
April 3, 2019


Applies to: Lightning

One of the simplest things you can do to improve user adoption of Salesforce is to enable Single Sign On (SSO).  SSO creates a trust relationship between your corporate identity provider and Salesforce: Azure AD authenticates the user and hands Salesforce a signed SAML assertion, so users bypass the Salesforce login form and go straight to their records. It also tightens your security model by giving you a single identity provider, Active Directory. When a user's corporate account is disabled, their SSO access to Salesforce goes with it. One caveat: a Salesforce password the user already holds keeps working until you disable the login form on your My Domain or deactivate the Salesforce user, so offboarding still needs that step.

There are many other benefits as well, so why doesn’t everyone do this?  The reason I didn’t do it was I thought it was too complicated and I’d never understand how. My hope is this step by step guide will help you through the process. 

To get started you will need to set up My Domain in Salesforce. If you have not done that, do it now.  You will then need to work with your corporate network administrator, as this requires configuration on Azure.  Schedule 30-60 minutes with them and you will be able to knock this process out, and your Salesforce users will love you.  Let's get started!

Each step below is prefaced with who is responsible for completing it. SA means it is the Salesforce Administrator's responsibility, while AD means it is your Active Directory administrator's.

Step 1

SA: Sign into Salesforce

Step 2

AD: Sign into Azure Active Directory site:  https://aad.portal.azure.com

Step 3

AD: Select Enterprise applications

[Screenshot: Active Directory - Enterprise applications]

Step 4

AD: Press the New Application button

[Screenshot: New application button]

Step 5

AD: In the Add from gallery section, type in Salesforce

[Screenshot: Salesforce in the gallery]

Step 6

AD: Select the appropriate type of Salesforce org you’re connecting to and you’ll see the Salesforce Add App panel appear.

Step 7

AD: In the Name field, I would recommend a name that will help you recall what this is being used for.  For a production org, you might call it Salesforce SSO.  For a dev org, you might call it Salesforce Dev1 SSO. Press the Add button at the bottom of the screen.

[Screenshot: Active Directory - Salesforce Add App panel]

Step 8

AD: Select Single sign-on from the application menu then click the SAML card

[Screenshot: Active Directory - Single sign-on, SAML card]

You should now be on a screen that looks like the one below.  It walks us through each step we need to take.

[Screenshot: SAML-based sign-on overview]

AD: Starting with Step 1:

  • Press the edit pencil in the Basic SAML Configuration section
  • Enter your Salesforce My Domain address in both the Identifier (Entity ID) (Required) and Sign on URL (Required) fields.  It should look something like:  https://universalcontainers.my.salesforce.com  The Identifier is what Azure writes into the assertion's Audience, so it must match the Entity ID you later configure in Salesforce character for character.
  • Press Save.  You can then press the X in the top right to close the screen.

AD: Step 2:

  • Press the edit pencil in the User Attributes & Claims section
  • Press the edit pencil next to the Name identifier value.
  • I typically use the Source attribute of user.mail.  Whatever attribute you pick here is what Azure sends as the NameID, and it is the value you will later type into each user's Federation ID in Salesforce.  Press Save then the X to close the screen.

[Screenshot: User Attributes & Claims]
[Screenshot: Manage user claims]

AD: Step 3:

  • In the SAML Signing Certificate section, press the Download link next to Certificate (Base64)
  • Also download the Federation Metadata XML.  It carries the same certificate together with the Issuer and Login URL that Salesforce asks for, so it can fill in the Salesforce side in one step.

SA: Go to Salesforce and press the Gear to open Setup

SA: In the Quick Find type in Single Sign-on and select it.

SA: Press Edit, check Enable SAML, and press Save

[Screenshot: Single Sign-On Settings]

SA: Under SAML Single Sign-On Settings, press New from Metadata File and upload the Federation Metadata XML you downloaded from Azure; Salesforce fills in the Issuer, the Identity Provider Login URL and the signing certificate from it.  If you prefer to press New and fill the form by hand, press Choose File to upload the Base64 certificate you downloaded, copy the Azure AD Identifier shown in Azure's Set up section into Issuer, and copy its Login URL into Identity Provider Login URL.  Either way, set Entity ID to your My Domain URL exactly as you entered it in Azure's Identifier field; any difference, even a trailing slash, breaks the trust.

SA: For the SAML Identity Type, select Assertion contains the Federation ID from the User object

SA: Press Save

SA: From the Setup Quick Find, type in Users

SA: Edit the user's Federation ID field and enter the value Azure will send as the NameID; with the user.mail claim chosen above, that is the user's Azure email address.  It must match character for character, including case, or Salesforce cannot find the user and the login fails.

SA: Repeat this step for every user who will sign in through Azure AD.
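The values Azure exports and the Salesforce fields they feed (Issuer, Identity Provider Login URL, certificate, Entity ID and Federation ID) have to agree exactly, and the most common failure is a NameID that matches no Federation ID. The script below is an added example written for this post, not code from Salesforce, Microsoft or the original author: it pulls the Salesforce-side settings out of a constructed Federation Metadata XML, then checks a constructed assertion against a constructed Salesforce user table. Tenant ID, certificate, org name and users are all placeholders.

```python
"""Consistency check for an Azure AD -> Salesforce SAML setup.

Added example, not code from the original post. Standard library only, and
every input is constructed sample data: the metadata is shaped like the
Federation Metadata XML Azure offers for download, the assertion like the
one Azure sends after login. All identifiers are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
MY_DOMAIN = "https://universalcontainers.my.salesforce.com"  # the Entity ID entered in Azure

# Constructed sample of what the "Federation Metadata XML" link downloads.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion body. A real one arrives inside a signed samlp:Response;
# Salesforce verifies that signature with the uploaded certificate, which this
# script does not attempt.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@universalcontainers.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{MY_DOMAIN}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed Salesforce users: username -> Federation ID as the admin typed it.
SAMPLE_FEDERATION_IDS = {
    "jdoe@universalcontainers.com": "jane.doe@universalcontainers.com",
    "bsmith@universalcontainers.com": "bob.smith@universalcontainers.com",
}


def salesforce_settings_from_metadata(metadata_xml: str) -> dict:
    """Extract the three values the Salesforce SAML SSO page needs from the IdP
    metadata: Issuer (entityID), Identity Provider Login URL, signing cert."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    login_url = None
    for svc in root.iterfind(".//md:SingleSignOnService", NS):
        # Prefer the Redirect binding, but accept whatever is listed.
        if login_url is None or svc.get("Binding", "").endswith("HTTP-Redirect"):
            login_url = svc.get("Location")
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert = key.findtext(".//ds:X509Certificate", namespaces=NS) if key is not None else None
    if not (issuer and login_url and cert):
        raise ValueError("metadata lacks entityID, SSO location or signing certificate")
    return {"issuer": issuer, "login_url": login_url, "certificate_b64": cert.strip()}


def check_assertion(assertion_xml: str, expected_issuer: str, entity_id: str,
                    federation_ids: dict) -> list:
    """Return the problems that would make Salesforce reject or mis-map this
    login: wrong Issuer, wrong Audience, or a NameID with no exact Federation
    ID match (Salesforce compares the Federation ID case-sensitively)."""
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != configured Issuer {expected_issuer!r}")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != Entity ID {entity_id!r}")
    name_id = root.findtext(".//saml:NameID", namespaces=NS) or ""
    if name_id in federation_ids.values():
        return problems
    near = [u for u, f in federation_ids.items() if f.lower() == name_id.lower()]
    if near:
        problems.append(f"NameID {name_id!r} matches {near[0]}'s Federation ID only case-insensitively")
    else:
        problems.append(f"NameID {name_id!r} matches no Federation ID")
    return problems


def run_checks():
    """Derive the Salesforce settings, then test the sample login against them."""
    settings = salesforce_settings_from_metadata(SAMPLE_METADATA)
    problems = check_assertion(SAMPLE_ASSERTION, settings["issuer"], MY_DOMAIN, SAMPLE_FEDERATION_IDS)
    return settings, problems


if __name__ == "__main__":
    settings, problems = run_checks()
    for key, value in settings.items():
        print(f"Salesforce {key}: {value[:60]}")
    print("problems:", problems or "none")
```

Run as is, it reports that Jane.Doe@universalcontainers.com matches jdoe's Federation ID only case-insensitively; fix either the Azure claim or the Salesforce Federation ID so the two agree character for character and the report is empty. The script checks mapping only; signature verification is Salesforce's job and relies on the certificate you uploaded.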

AD: Go back to Azure Active Directory

AD: Select Properties from the application menu

AD: Scroll to the bottom of the page to User assignment required?  Setting it to No and pressing Save makes the application available to every user in your Azure tenant; they still need a matching Salesforce user to get in, but anyone in the directory can obtain an assertion for it.  The tighter choice is to leave it at Yes and use Users and groups to assign only the people or groups who should reach Salesforce.

SA: Go back to Salesforce

SA: In the Setup, in the Quick Find search, type and select My Domain

SA: Press Edit in the Authentication Configuration section.  Check the Azure AD option, or whatever you named the Identity Provider, and press Save.  You could also deselect the Login Form if you want to force users to authenticate only through their corporate login.  Do that only after the test below succeeds, and remember that login.salesforce.com still accepts a username and password unless you have also enabled Prevent login from https://login.salesforce.com in My Domain; that is your way back in if the Azure side breaks.

[Screenshot: Authentication Configuration]

SA: Sign out of Salesforce or open an Incognito browser window.

SA: Type your My Domain login page into the URL of your browser. Ie: https://universalcontainers.my.salesforce.com

SA: You should see an Azure AD button below the login form. If you deselected the Login Form on the My Domain settings, only the Azure button will appear. 

[Screenshot: My Domain login page with the Azure AD button]

SA: Press the Azure AD button.

SA: If you are already signed in to Azure, Salesforce opens immediately.  If not, Microsoft prompts you to sign in.

If everything worked as it should, your users will no longer need to be provided a Salesforce username and password.  They still have to be setup with a username but you wouldn’t have to share it with them. 

If you wish to take this one step further, Salesforce has a product called Identity Connect which automatically provisions, ie: syncs, Salesforce users with Active Directory.  With that product, your corporate network administrator can manage Salesforce users all from within Active Directory.

I hope you found this guide helpful. As always, I'm happy to help, so reach out if I can be of assistance. Thanks for taking the time to read my blogs. Be sure to register so you're notified of all my new posts.
