Azure Active Directory single sign-on/provisioning integration with Salesforce

Question

Hi,

I have SSO between Salesforce and Azure AD. I'm also using provisioning to create the users in Salesforce. Everything works fine, but I need another field to pass to Salesforce: The Application Groups that the user belongs. It is possible to add a field to the User in Azure AD with this information and mapping it in Provisioning -> Attribute Mapping with Salesforce?

For user provisioning I have created several groups in the app. For each group I assign a role(profile in Salesforce). Then I assign users to the specific groups. The provisioning start and I also want to send the group(s) that the user is member.

In SSO I can create an additional claim with this information (user.groups [ApplicationGroup]). But I can't do this mapping between Azure AD and Salesforce mapping attributes.

It is possible to do this?

Thanks

Answer 1

Hi @Joao Ferreira

You can see all the supported attributes here:

Azure AD > Enterprise Applications > Salesforce > Mapping > Provision Azure Active Directory Users > Click on Add New Mapping link and under Source attribute drop down.

The attribute list for Azure Active Directory doesn't include group membership attribute. You can request additional attributes you would like to see supported here.

As of now, you can only use appRoles to provision users in Salesforce with specific roles.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.