In this tutorial, you learn how to integrate Salesforce with Azure Active Directory (Azure AD).
Integrating Salesforce with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Salesforce
- You can enable your users to automatically get signed-on to Salesforce (Single Sign-On) with their Azure AD accounts
- You can manage your accounts in one central location - the Azure portal
If you want to know more details about SaaS app integration with Azure AD, see what is application access and single sign-on with Azure Active Directory.
To configure Azure AD integration with Salesforce, you need the following items:
- An Azure AD subscription
- A Salesforce single-sign on enabled subscription
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
- Do not use your production environment, unless it is necessary.
- If you don't have an Azure AD trial environment, you can get a one-month trial here.
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks:
- Adding Salesforce from the gallery
- Configuring and testing Azure AD single sign-on
Adding Salesforce from the gallery
To configure the integration of Salesforce into Azure AD, you need to add Salesforce from the gallery to your list of managed SaaS apps.
To add Salesforce from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
Click New application button on the top of the dialog.
In the search box, type Salesforce.
In the results panel, select Salesforce, and then click Add button to add the application.
Configuring and testing Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Salesforce based on a test user called "Britta Simon."
For single sign-on to work, Azure AD needs to know what the counterpart user in Salesforce is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Salesforce needs to be established.
This link relationship is established by assigning the value of the user name in Azure AD as the value of the Username in Salesforce.
To configure and test Azure AD single sign-on with Salesforce, you need to complete the following building blocks:
- Configuring Azure AD Single Sign-On - to enable your users to use this feature.
- Creating an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Creating a Salesforce test user - to have a counterpart of Britta Simon in Salesforce that is linked to the Azure AD representation of user.
- Assigning the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Testing Single Sign-On - to verify whether the configuration works.
Configuring Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Salesforce application.
To configure Azure AD single sign-on with Salesforce, perform the following steps:
In the Azure portal, on the Salesforce application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Salesforce Domain and URLs section, perform the following steps:
In the Sign-on URL textbox, type the value using the following pattern:
- Enterprise account:
These values are not the real. Update these values with the actual Sign-on URL. Contact Salesforce Client support team to get these values.
- Enterprise account:
On the SAML Signing Certificate section, click Certificate and then save the certificate file on your computer.
Click Save button.
On the Salesforce Configuration section, click Configure Salesforce to open Configure sign-on window. Copy the SAML Entity ID and SAML Single Sign-On Service URL from the Quick Reference section.
Open a new tab in your browser and log in to your Salesforce administrator account.
Under the Administrator navigation pane, click Security Controls to expand the related section. Then click Single Sign-On Settings.
On the Single Sign-On Settings page, click the Edit button.
If you are unable to enable Single Sign-On settings for your Salesforce account, you may need to contact Salesforce Client support team.
Select SAML Enabled, and then click Save.
To configure your SAML single sign-on settings, click New.
On the SAML Single Sign-On Setting Edit page, make the following configurations:
a. For the Name field, type in a friendly name for this configuration. Providing a value for Name automatically populate the API Name textbox.
b. Paste SMAL Entity ID value into the Issuer field in Salesforce.
c. In the Entity Id textbox, type your Salesforce domain name using the following pattern:
- Enterprise account:
- Developer account:
d. Click Browse or Choose File to open the Choose File to Upload dialog, select your Salesforce certificate, and then click Open to upload the certificate.
e. For SAML Identity Type, select Assertion contains User's salesforce.com username.
f. For SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement
g. Paste Single Sign-On Service URL into the Identity Provider Login URL field in Salesforce.
h. For Service Provider Initiated Request Binding, select HTTP Redirect.
i. Finally, click Save to apply your SAML single sign-on settings.
- Enterprise account:
On the left navigation pane in Salesforce, click Domain Management to expand the related section, and then click My Domain.
Scroll down to the Authentication Configuration section, and click the Edit button.
In the Authentication Service section, select the friendly name of your SAML SSO configuration, and then click Save.
If more than one authentication service is selected, users are prompted to select which authentication service they like to sign in with while initiating single sign-on to your Salesforce environment. If you don’t want it to happen, then you should leave all other authentication services unchecked.
You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After adding this app from the Active Directory > Enterprise Applications section, simply click Single Sign-On tab and access the embedded documentation through the Configuration section at the bottom. You can read more about the embedded documentation feature here: Azure AD embedded documentation
Creating an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
To create a test user in Azure AD, perform the following steps:
On the left navigation pane in the Azure portal, click Azure Active Directory icon.
To display the list of users, Go to Users and groups and click All users.
At the top of the dialog, click Add to open the User dialog.
On the User dialog page, perform the following steps:
a. In the Name textbox, type BrittaSimon.
b. In the User name textbox, type the email address of BrittaSimon.
c. Select Show Password and write down the value of the Password.
d. Click Create.
Creating a Salesforce test user
In this section, a user called Britta Simon is created in Salesforce. Salesforce supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Salesforce, a new one is created when you attempt to access Salesforce.
Assigning the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Salesforce.
To assign Britta Simon to Salesforce, perform the following steps:
In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.
In the applications list, select Salesforce.
In the menu on the left, click Users and groups.
Click Add button. Then select Users and groups on Add Assignment dialog.
On Users and groups dialog, select Britta Simon in the Users list.
Click Select button on Users and groups dialog.
Click Assign button on Add Assignment dialog.
Testing single sign-on
To test your single sign-on settings, open the Access Panel at https://myapps.microsoft.com, then sign into the test account, and click Salesforce.