Tutorial: Azure Active Directory integration with Salesforce Sandbox
In this tutorial, you learn how to integrate Salesforce Sandbox with Azure Active Directory (Azure AD).
Integrating Salesforce Sandbox with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Salesforce Sandbox.
- You can enable your users to automatically get signed-on to Salesforce Sandbox (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see what is application access and single sign-on with Azure Active Directory.
To configure Azure AD integration with Salesforce Sandbox, you need the following items:
- An Azure AD subscription
- A Salesforce Sandbox single sign-on enabled subscription
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
- Do not use your production environment, unless it is necessary.
- If you don't have an Azure AD trial environment, you can get a one-month trial.
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks:
- Adding Salesforce Sandbox from the gallery
- Configuring and testing Azure AD single sign-on
Adding Salesforce Sandbox from the gallery
To configure the integration of Salesforce Sandbox into Azure AD, you need to add Salesforce Sandbox from the gallery to your list of managed SaaS apps.
To add Salesforce Sandbox from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add new application, click New application button on the top of dialog.
In the search box, type Salesforce Sandbox, select Salesforce Sandbox from result panel then click Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Salesforce Sandbox based on a test user called "Britta Simon".
For single sign-on to work, Azure AD needs to know what the counterpart user in Salesforce Sandbox is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Salesforce Sandbox needs to be established.
In Salesforce Sandbox, assign the value of the user name in Azure AD as the value of the Username to establish the link relationship.
To configure and test Azure AD single sign-on with Salesforce Sandbox, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Create a Salesforce Sandbox test user - to have a counterpart of Britta Simon in Salesforce Sandbox that is linked to the Azure AD representation of user.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Salesforce Sandbox application.
To configure Azure AD single sign-on with Salesforce Sandbox, perform the following steps:
In the Azure portal, on the Salesforce Sandbox application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Salesforce Sandbox Domain and URLs section, perform the following steps:
a. In the Sign-on URL textbox, type the value using the following pattern:
b. In the Identifier textbox, type the value using the following pattern:
These values are not real. Update these values with the actual Sign-on URL and Identifier. Contact Salesforce Client support team to get these values.
On the SAML Signing Certificate section, click Certificate and then save the certificate file on your computer.
Click Save button.
On the Salesforce Sandbox Configuration section, click Configure Salesforce Sandbox to open Configure sign-on window. Copy the SAML Entity ID and SAML Single Sign-On Service URL from the Quick Reference section.
Open a new tab in your browser and log in to your Salesforce Sandbox administrator account.
Click on the Setup under settings icon on the top right corner of the page.
Scroll down to the SETTINGS in the navigation pane, click Identity to expand the related section. Then click Single Sign-On Settings.
Select SAML Enabled, and then click Save.
To configure your SAML single sign-on settings, click New.
On the SAML Single Sign-On Settings section, perform the following steps:
a. In the Name textbox, type the name of the configuration (for example: SPSSOWAAD_Test).
b. In the Issuer field, paste the value of SAML Entity ID, which you have copied from Azure portal
c. In the Entity Id textbox, type
https://<instancename>--Sandbox.<entityid>.my.salesforce.comif it is the first Salesforce Sandbox instance that you are adding to your directory. If you have already added an instance of Salesforce Sandbox, then for the Entity ID type in the Sign On URL, which should be in this format:
d. To upload the Identity Provider Certificate, click Choose File to browse and select the certificate file, which you have downloaded from Azure portal.
e. As SAML Identity Type, choose one of the following options:
Select Assertion contains the User's Salesforce username, if user's Salesforce Username is being passed in SAML assertion
Select Assertion contains the Federation ID from the User object, if Federation ID from the User object is being passed in SAML assertion
Select Assertion contains the Use ID from the User object, if User ID from the User object is being passed in SAML assertion
f. As SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.
g. As Service Provider Initiated Request Binding, select HTTP POST.
h. In Identity Provider Login URL textbox, paste the value of Single Sign-On Service URL, which you have copied from Azure portal.
i. SFDC does not support SAML logout. As a workaround, paste
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0it into the Identity Provider Logout URL textbox.
j. Click Save.
Enable your domain
This section assumes that you already have created a domain. For more information, see Defining Your Domain Name.
To enable your domain, perform the following steps:
On the left navigation pane in Salesforce, click Company Settings to expand the related section, and then click My Domain.
Please make sure that your domain has been configured correctly.
In the Authentication Configuration section, click Edit, then, as Authentication Service, select the name of the SAML Single Sign-On Setting from the previous section, and finally click Save.
As soon as you have a domain configured, your users should use the domain URL to login to the Salesforce sandbox.
To get the value of the URL, click the SSO profile you have created in the previous section.
You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After adding this app from the Active Directory > Enterprise Applications section, simply click the Single Sign-On tab and access the embedded documentation through the Configuration section at the bottom. You can read more about the embedded documentation feature here: Azure AD embedded documentation
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
To create a test user in Azure AD, perform the following steps:
In the Azure portal, in the left pane, click the Azure Active Directory button.
To display the list of users, go to Users and groups, and then click All users.
To open the User dialog box, click Add at the top of the All Users dialog box.
In the User dialog box, perform the following steps:
a. In the Name box, type BrittaSimon.
b. In the User name box, type the email address of user Britta Simon.
c. Select the Show Password check box, and then write down the value that's displayed in the Password box.
d. Click Create.
Create a Salesforce Sandbox test user
In this section, a user called Britta Simon is created in Salesforce Sandbox. Salesforce Sandbox supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Salesforce Sandbox, a new one is created when you attempt to access Salesforce Sandbox.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Salesforce Sandbox.
To assign Britta Simon to Salesforce Sandbox, perform the following steps:
In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.
In the applications list, select Salesforce Sandbox.
In the menu on the left, click Users and groups.
Click Add button. Then select Users and groups on Add Assignment dialog.
On Users and groups dialog, select Britta Simon in the Users list.
Click Select button on Users and groups dialog.
Click Assign button on Add Assignment dialog.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Salesforce Sandbox tile in the Access Panel, you should get automatically signed-on to your Salesforce Sandbox application. For more information about the Access Panel, see Introduction to the Access Panel.