Single Sign-on (SSO) for Salesforce with Microsoft Azure AD
What Is SSO?
SSO stands for Single Sign-On. It is a method that lets users access multiple applications with a single set of login credentials. A third-party identity provider is integrated with Salesforce, and the same credentials then authenticate the user to every connected application. The third-party tool can be configured to suit your organization.
Why Should We Use SSO?
SSO is a valuable tool that offers its users both security and convenience. Here are some of the advantages it provides:
- Users can log in with the credentials of any third party that Salesforce trusts.
- It eliminates the need to log in separately to every application.
- Users move seamlessly between applications and the Salesforce org without repeated logins.
- SSO can be configured to suit the use case; for example, users can access the Salesforce org from a third-party application such as a corporate portal.
- You can set up SSO so that users log in to another application using your Salesforce org.
- You can configure an SSO chain: users log in to a third-party application to access Salesforce, then use that access to log in to another org.
- It lets you configure a less centralized login experience in which users log in to multiple apps with the same credentials.
Implementation
This article explains how to set up SSO for Salesforce using an existing Azure AD setup.
Technical Design Diagram
Configuration of Azure AD
- Sign in to the Azure Active Directory portal: https://aad.portal.azure.com
Create Application
- In the left-hand menu, select “Enterprise applications”.
- Click the “New application” button (the one with a plus sign).
- Under the gallery's Add option, search for “Salesforce” or “Salesforce sandbox”.
The app name should reflect the organization type and purpose. For example, for a production org you could name it Salesforce SSO; for a development org, DEV1 SSO. Then click the Add button at the bottom of the screen.
Add AD Users to the Newly Created Application Group
Make sure that every user who needs Azure AD SSO already exists in Azure AD. If not, create the users in Azure AD first.
- Navigate to Azure Active Directory.
- Open the application and choose Properties from its menu.
- Scroll to the bottom of the page. Set “User assignment required” to No and save. This lets every user in the tenant access the application. If access should be restricted, select Yes instead and use users and groups to control who can reach the application.
Configuration of Application
- Click the edit (pencil) icon to open the Basic SAML Configuration settings.
- The text fields include Identifier (Entity ID) and Sign-on URL. Both are required, and both take a URL of the form https://Mydomain.my.salesforce.com
- Click Save to store the settings, then click the cross at the top right to close the screen.
- Click the edit icon in the User Attributes & Claims section.
- Click the edit icon next to the Name identifier value.
- I prefer to use the source attribute user.mail; save the changes and close the screen.
- In the SAML Signing Certificate section, use the download link next to Certificate (Raw).
Configuration of Salesforce
- Sign in to Salesforce and click the gear icon to open Setup.
- Type Single Sign-On in Quick Find and press Enter.
- Click Edit, enable SAML, and save the changes.
- Click Choose File and upload the certificate you downloaded from Azure. Enter the Issuer, Login URL and Entity ID; all of these details are shown in Azure, as in the picture below.
- Alternatively, upload the SAML XML metadata file in Salesforce; it fills in the settings automatically.
- For SAML Identity Type, choose the option stating that the assertion contains the Federation ID from the User object.
- Click Save.
- Type Users in the Setup Quick Find.
- Edit the user's Federation ID field and enter the user's Azure email address.
- Repeat the same steps for every user.
- Log in to Salesforce.
- Type My Domain in Quick Find and open it.
- Under Authentication Configuration, click Edit. Select the identity provider by name and save the changes. You can also deselect Login Form if only users with a corporate login should get access.
- Sign out of Salesforce, or open an incognito window.
- Enter your My Domain URL in the browser, for example https://MyDomain.my.salesforce.com
- An Azure AD button appears under the login form. If you deselected Login Form in the My Domain settings, only the Azure button is shown.
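The Salesforce settings above (Issuer, Login URL, certificate, Entity ID) are copied from the Azure side, and the login then hinges on the assertion's NameID matching a user's Federation ID. The following Python script is an added example, not code from this post or from Salesforce or Microsoft: it reads a federation metadata file of the kind Azure AD offers for download and extracts those values, then runs the Federation ID lookup against a constructed user table. The tenant id, the My Domain URL used as Entity ID, the certificate body and the user table are placeholders, and exact, case-sensitive matching of NameID to Federation ID is an assumption made here so that the case-only mismatch can be diagnosed separately.

```python
"""Azure AD metadata -> Salesforce SAML settings, plus the Federation ID
lookup a login goes through.  Added example, not code from the post."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed placeholders: a fake tenant id, the My Domain URL that is the
# Salesforce Entity ID (the Identifier from Basic SAML Configuration) and a
# stand-in certificate body (base64 of the bytes b"PLACEHOLDER").
TENANT_ID = "00000000-0000-0000-0000-000000000000"
IDP_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
SP_ENTITY_ID = "https://MyDomain.my.salesforce.com"
FAKE_CERT_B64 = "UExBQ0VIT0xERVI="

# Constructed sample shaped like the Federation Metadata XML that Azure AD
# offers for download (a real file also carries a signature and a full cert).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{IDP_ISSUER}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def salesforce_sso_settings(metadata_xml: str) -> dict:
    """Return Issuer, Identity Provider Login URL, Entity ID and a SHA-256
    fingerprint of the signing certificate (compare it with the downloaded
    Certificate (Raw) file before uploading that file to Salesforce)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    login_url = next((s.attrib["Location"]
                      for s in idp.findall("md:SingleSignOnService", NS)
                      if s.attrib["Binding"].endswith("HTTP-Redirect")), None)
    cert_el = next((kd.find(".//ds:X509Certificate", NS)
                    for kd in idp.findall("md:KeyDescriptor", NS)
                    if kd.attrib.get("use", "signing") == "signing"), None)
    if login_url is None or cert_el is None or not cert_el.text:
        raise ValueError("metadata lacks a redirect login URL or a signing certificate")
    der = base64.b64decode("".join(cert_el.text.split()))
    return {
        "issuer": root.attrib["entityID"],
        "login_url": login_url,
        "entity_id": SP_ENTITY_ID,
        "certificate_sha256": hashlib.sha256(der).hexdigest(),
    }

def make_assertion(name_id: str, audience: str = SP_ENTITY_ID,
                   issuer: str = IDP_ISSUER) -> str:
    """Build a minimal, unsigned, constructed assertion for the lookup below."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

# Constructed Salesforce user table: Federation ID (the Azure mail) -> username.
SALESFORCE_USERS = {"alice.example@contoso.com": "alice@mydomain.example",
                    "bob.example@contoso.com": "bob@mydomain.example"}

def resolve_user(assertion_xml: str, settings: dict, users: dict,
                 sp_entity_id: str = SP_ENTITY_ID) -> dict:
    """Mimic the lookup behind SAML Identity Type 'Federation ID'. Signature
    verification (what the uploaded certificate is for) is Salesforce's job."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != settings["issuer"]:
        return {"status": "wrong_issuer"}
    if root.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        return {"status": "wrong_audience"}
    name_id = (root.findtext(".//saml:NameID", namespaces=NS) or "").strip()
    if name_id in users:
        return {"status": "ok", "username": users[name_id]}
    # Exact match failed: report whether only the letter case differs, a
    # common reason a freshly configured login is rejected.
    folded = {fid.lower(): fid for fid in users}
    if name_id.lower() in folded:
        return {"status": "case_mismatch", "federation_id": folded[name_id.lower()]}
    return {"status": "no_match", "name_id": name_id}

if __name__ == "__main__":
    cfg = salesforce_sso_settings(SAMPLE_METADATA)
    print(cfg)
    print(resolve_user(make_assertion("Alice.Example@contoso.com"), cfg, SALESFORCE_USERS))
```

Run it against the real Federation Metadata XML in place of the constructed sample to get the Issuer and Login URL without retyping them, and compare the printed fingerprint with the certificate file you uploaded so you know the two artifacts came from the same Azure application. The `case_mismatch` status is the one to look for first when a user reports that the Azure AD button logs them in at Azure but Salesforce then refuses the session.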
Process of Configuring Automatic User Account Provisioning
- This section explains how to enable provisioning of Active Directory user accounts into Salesforce.
- In the Azure portal, open Azure Active Directory, click Enterprise Applications and go to All Applications.
- If Salesforce is already configured for single sign-on, use the search field to find the Salesforce instance. If there is no Salesforce instance yet, click the Add icon, open the application gallery, search for Salesforce, select it and add it to the applications list.
- Select the Salesforce instance and open the Provisioning tab.
- Enter the following settings in the Admin Credentials section:
- a. Enter the Salesforce account name in the Admin Username box. The account must have an administrator profile assigned in Salesforce.
- b. Enter that account's password in the Admin Password box.
- To get the security token, open another tab and sign in with the Salesforce admin account. Click your name in the top right corner to open Settings.
- The new security token is sent to the email account associated with the admin ID.
- Copy the token into the Secret Token field of the Azure AD window.
- If the Salesforce instance is on the Salesforce Government Cloud, you must enter the Tenant URL. Otherwise, you can optionally enter the tenant URL in the format https://<your-instance>.my.salesforce.com, replacing <your-instance> with the name of your Salesforce instance.
- Click Test Connection in the Azure portal to confirm that Azure AD can connect to the Salesforce app.
- In the Notification Email field, enter the email address of a person or group who should receive provisioning error notifications, and select the checkbox.
- Save the changes.
- The option Synchronize Azure Active Directory Users is under the Mappings section.
- Review the user attributes in the Attribute Mapping section. These attributes are synchronized from Azure AD to Salesforce, and the matching attributes are used to match accounts in Salesforce so that updates apply to the right user. Remember to save the changes.
- To activate Azure AD provisioning, go to the Settings section and set the Provisioning Status to On.
- Save the changes.
Assumptions
Users must already exist in Azure AD; if they do not, create them in Azure AD first. It is also assumed that licenses for both Azure AD and Salesforce are already in place.
Concerns & Issues
Configuring SSO can be complicated, and both service providers must be mapped consistently in the user entity. It requires licenses from both parties and is therefore not cost-effective.
Blog Source: SP Tech
Is there any way to free up the Salesforce license when a user leaves? I mean, if the user is removed from Azure AD they won't be able to log in to Salesforce, but their license will still be occupied until we log in to Salesforce and deactivate their user in Salesforce. Is there a way to automate this?