|Applies to: Lightning|
One of the simplest things you can do to improve user adoption of Salesforce is to enable Single Sign-On (SSO). SSO creates a trust relationship between your corporate identity provider (in this guide, Azure Active Directory) and Salesforce: users sign in once with their corporate credentials and go straight into Salesforce instead of entering a separate Salesforce password. It also improves your overall security model, because one identity provider, Azure AD, decides who can sign in. When a user is disabled in Azure AD, for example when they leave the company, they lose the ability to sign in to Salesforce through SSO at the same time (as long as you also turn off the Salesforce password login form, which is covered in the My Domain step below).
There are many other benefits as well, so why doesn’t everyone do this? The reason I didn’t do it was I thought it was too complicated and I’d never understand how. My hope is this step-by-step guide will help you through the process.
To get started you will need to set up My Domain in Salesforce. If you have not done that, do it now. You will then need to work with your corporate network administrator, because part of this is configured in Azure AD. Schedule 30-60 minutes with them and you’ll be able to knock this process out, and your Salesforce users will love you. Let’s get started!
Each step below is prefaced with who is responsible for completing it. SA means it’s the Salesforce Administrator’s responsibility, while AD means it’s the Azure Active Directory Administrator’s.
SA: Sign into Salesforce
AD: Sign into Azure Active Directory site: https://aad.portal.azure.com
AD: Select Enterprise applications
AD: Press the New Application button
AD: In the Add from gallery section, type in Salesforce
AD: Select the appropriate type of Salesforce org you’re connecting to and you’ll see the Salesforce Add App panel appear.
AD: In the Name field, I would recommend a name that will help you recall what this application is being used for. For a production org, you might call it Salesforce SSO. For a dev org, you might call it Salesforce Dev1 SSO. Press the Add button at the bottom of the screen.
AD: Select Single sign-on from the application menu then click the SAML card
You should now be on the SAML-based sign-on screen. It walks us through each numbered step we need to take: the Basic SAML Configuration (the Identifier, or Entity ID, and the Reply URL, which for Salesforce are your My Domain URL), the user attributes and claims, the SAML Signing Certificate to download, and the URLs you will copy into Salesforce.
SA: Go to Salesforce and press the Gear to open Setup
SA: In the Quick Find type in Single Sign-on and select it.
SA: Press Edit, check SAML Enabled, and press Save. Then press New under SAML Single Sign-On Settings to create the configuration.
SA: Press Choose File and upload the Certificate (Base64) you downloaded from the SAML Signing Certificate section in Azure. Also fill in the Issuer with the Azure AD Identifier and the Identity Provider Login URL with the Login URL that Azure shows in its set-up section, and set the Entity ID to your My Domain URL. These values must match the Azure side exactly, character for character, or the login will fail.
SA: For the SAML Identity Type, select Assertion contains the Federation ID from the User object
SA: Press Save
SA: From the Setup Quick Find, type in Users
SA: Edit the user’s Federation ID field and enter the value Azure sends as the SAML NameID, which by default is the user’s Azure User Principal Name (usually their email address). The Federation ID is case-sensitive and must be unique in the org, so copy it exactly as it appears in Azure.
SA: Repeat this step for all users. For more than a handful of users, do this with Data Loader by updating the FederationIdentifier field on the User object instead of editing each record by hand.
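The Federation ID step is where most SSO setups go wrong, because the value has to match the Azure NameID exactly. The script below is an added example, not code from the original post, that prepares the Data Loader update file from two exports: a Salesforce User export (Id, Username, Email, FederationIdentifier) and an Azure AD user export (userPrincipalName, mail). Both inputs here are constructed sample data, and the matching rule (Salesforce Email equals Azure mail, compared case-insensitively) is an assumption you may need to change for your org. It writes the UPN as-is, warns about users with no Azure match or with a Federation ID that differs only by case, and refuses to assign the same Federation ID twice.

```python
"""Build the Data Loader update file that sets Federation ID on Salesforce users
from an Azure AD user export. Added example, not from the original post."""
import csv
import io

# Constructed sample exports. In practice SF_USERS_CSV is a Data Loader export of
# User and AZURE_USERS_CSV comes from Azure AD > Users > Download users.
SF_USERS_CSV = """Id,Username,Email,FederationIdentifier
005000000000001AAA,alice@universalcontainers.com,alice@universalcontainers.com,
005000000000002AAA,bob@universalcontainers.com,Bob@UniversalContainers.com,
005000000000003AAA,carol@universalcontainers.com,carol@universalcontainers.com,Carol@universalcontainers.com
005000000000004AAA,dave@universalcontainers.com,dave@universalcontainers.com,
"""

AZURE_USERS_CSV = """userPrincipalName,mail
alice@universalcontainers.com,alice@universalcontainers.com
bob@universalcontainers.com,bob@universalcontainers.com
carol@universalcontainers.com,carol@universalcontainers.com
"""


def build_federation_update(sf_csv, azure_csv):
    """Return (updates, warnings).

    updates  - rows {"Id", "FederationIdentifier"} for users whose Federation ID
               must be set or corrected, ready for a Data Loader Update on User.
    warnings - problems to resolve before forcing SSO: no Azure match,
               duplicate Federation IDs, and case-only mismatches.
    Matching rule (assumption): Salesforce Email == Azure mail, case-insensitive.
    The value written is the Azure UPN exactly as exported, because that is the
    default SAML NameID and Salesforce compares Federation ID case-sensitively.
    """
    sf_rows = list(csv.DictReader(io.StringIO(sf_csv)))
    az_rows = list(csv.DictReader(io.StringIO(azure_csv)))

    # Azure mail (lower-cased) -> UPN as Azure will present it in the NameID.
    upn_by_mail = {}
    for row in az_rows:
        upn_by_mail[row["mail"].strip().lower()] = row["userPrincipalName"].strip()

    updates, warnings = [], []
    assigned = set()  # Federation IDs handed out so far; must be unique per org
    for user in sf_rows:
        upn = upn_by_mail.get(user["Email"].strip().lower())
        if upn is None:
            warnings.append(
                f"{user['Username']}: no Azure user with mail {user['Email']}; "
                "this user cannot sign in through SSO")
            continue
        if upn in assigned:
            warnings.append(
                f"{user['Username']}: Federation ID {upn} already assigned to "
                "another user; Federation ID must be unique per org")
            continue
        assigned.add(upn)

        current = user["FederationIdentifier"].strip()
        if current == upn:
            continue  # already correct, no update row needed
        if current and current.lower() == upn.lower():
            warnings.append(
                f"{user['Username']}: Federation ID {current!r} differs from "
                f"Azure UPN {upn!r} only by case; correcting it, since the "
                "comparison is case-sensitive")
        updates.append({"Id": user["Id"], "FederationIdentifier": upn})
    return updates, warnings


def write_dataloader_csv(updates):
    """Serialize update rows as the CSV Data Loader expects for an Update."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["Id", "FederationIdentifier"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(updates)
    return buf.getvalue()


if __name__ == "__main__":
    rows, problems = build_federation_update(SF_USERS_CSV, AZURE_USERS_CSV)
    print(write_dataloader_csv(rows))
    for p in problems:
        print("WARNING:", p)
```

Run it, review the warnings, then load the printed CSV with a Data Loader Update on the User object. Fix every warning before you turn off the Salesforce login form: a user with no Federation ID, or one that differs only by case, simply cannot get in once SSO is the only door.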
AD: Go back to Azure Active Directory
AD: Select Properties from the application menu
AD: Scroll down to the bottom of the page to User assignment required? and select No, then Save. This makes the application available to every user in your Azure tenant, so from then on the only thing stopping someone from signing in is whether a Salesforce user with a matching Federation ID exists. If you want to be more restrictive, leave this setting as Yes and use Users and groups to control who has access to this application; Azure will then refuse to issue an assertion for anyone not assigned.
SA: Go back to Salesforce
SA: In the Setup, in the Quick Find search, type and select My Domain
SA: Press Edit in the Authentication Configuration section. Check the Azure AD option, or whatever you named the Identity Provider, and press Save. You can also deselect the Login Form if you want to force users to authenticate only with their corporate login. Before you do that, make sure at least one administrator can still log in with a password (for example through https://login.salesforce.com, unless you have blocked that in My Domain too), so that an Azure outage or a misconfiguration does not lock everyone out of the org.
SA: Sign out of Salesforce or open an Incognito browser window.
SA: Type your My Domain login page into the URL bar of your browser, e.g. https://universalcontainers.my.salesforce.com
SA: You should see an Azure AD button below the login form. If you deselected the Login Form on the My Domain settings, only the Azure button will appear.
SA: Press the Azure AD button.
SA: If you’re already logged into Azure, Salesforce will open immediately. If not, you’ll be prompted by Microsoft to sign in.
If everything worked as it should, your users no longer need to be given a Salesforce password. They still have to be set up with a Salesforce username and a matching Federation ID, but you don’t have to share the password with them.
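When the Azure AD button bounces you back to the login page instead of into Salesforce, the fastest way to see why is to look at what Azure actually sent. The script below is an added example, not code from the original post: it decodes the SAMLResponse form field (copy it from the POST to your My Domain in the browser's developer tools, URL-decoded) and compares it with the values you entered in Single Sign-On Settings: the Issuer, the Entity ID (checked against the assertion's Audience), the validity window, and the NameID that has to equal a user's Federation ID. The sample response is constructed and unsigned, and the tenant id, org id and URLs in it are placeholders. A real Azure AD response carries a ds:Signature that Salesforce verifies with the certificate you uploaded; this inspector only reports whether a signature is present and does not verify it.

```python
"""Decode a SAMLResponse posted to Salesforce and check it against the
Single Sign-On Settings. Added example, not from the original post."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, unsigned response shaped like an Azure AD one. Tenant id, org id
# and URLs are placeholders, not real values.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z"
    Destination="https://universalcontainers.my.salesforce.com?so=00D000000000001">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@universalcontainers.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:55:00Z" NotOnOrAfter="2024-01-15T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://universalcontainers.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the browser posts to Salesforce is this XML, base64-encoded.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_saml_response(saml_response_b64, expected_issuer, expected_audience, now=None):
    """Compare a SAMLResponse with the Salesforce SSO settings.

    expected_issuer   - the Issuer field in Salesforce (Azure AD Identifier).
    expected_audience - the Entity ID field in Salesforce (your My Domain URL).
    now               - datetime or SAML timestamp string; defaults to the current time.
    Returns a dict of findings; "problems" lists everything that would make
    Salesforce reject the login. Signature presence is reported, not verified.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_time(now)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_ok = status is not None and status.get("Value", "").endswith(":Success")
    if not status_ok:
        problems.append("status is not Success; Azure refused the request (check user assignment)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion element; encrypted assertion or error response")
        return {"status_ok": status_ok, "problems": problems}

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match the Salesforce Issuer setting")

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        problems.append("empty NameID; nothing to match against Federation ID")

    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include the Salesforce Entity ID")

    conditions = assertion.find("saml:Conditions", NS)
    in_window = False
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        in_window = (parse_saml_time(conditions.get("NotBefore")) <= now
                     < parse_saml_time(conditions.get("NotOnOrAfter")))
    if not in_window:
        problems.append("assertion validity window does not cover now; check clock skew or replay")

    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    if not signed:
        problems.append("assertion is not signed; Salesforce will reject it")

    return {
        "status_ok": status_ok, "issuer": issuer, "issuer_ok": issuer == expected_issuer,
        "name_id": name_id, "audiences": audiences,
        "audience_ok": expected_audience in audiences,
        "in_window": in_window, "signed": signed, "problems": problems,
    }
```

Feed it your captured SAMLResponse together with the Issuer and Entity ID exactly as typed into Single Sign-On Settings; each entry in problems points at one of the earlier steps. Compare name_id with the Federation ID on the user record, remembering that the comparison is case-sensitive.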
If you wish to take this one step further, Salesforce has a product called Identity Connect which automatically provisions (syncs) Salesforce users from Active Directory. With that product, your corporate network administrator can manage Salesforce users, including creating and deactivating them, from within Active Directory.
I hope you found this guide helpful. As always, I’m happy to help, so reach out if I can be of assistance. Thanks for taking the time to read my blogs. Be sure to register so you’re notified of all my new posts.