This tutorial will show you how to connect your Salesforce environment to your Azure Active Directory. You will learn how to configure single sign-on to Salesforce, how to enable automated user provisioning, and how to assign users to have access to Salesforce.
- To access Azure Active Directory through the Azure classic portal, you must first have a valid Azure subscription.
- You must have a valid tenant in Salesforce.com.
If you are using a Salesforce.com trial account, then you will be unable to configure automated user provisioning. Trial accounts do not have the necessary API access enabled until they are purchased.
You can get around this limitation by using a free developer account to complete this tutorial.
If you are using a Salesforce Sandbox environment, please see the Salesforce Sandbox integration tutorial.
You may follow this tutorial using the videos below.
Video Tutorial Part One: How to Enable Single Sign-On
Video Tutorial Part Two: How to Automate User Provisioning
Step 1: Add Salesforce to your directory
In the Azure classic portal, on the left navigation pane, click Active Directory.
- From the Directory list, select the directory that you would like to add Salesforce to.
Click on Applications in the top menu.
Click Add at the bottom of the page.
On the What do you want to do dialog, click Add an application from the gallery.
In the search box, type Salesforce. Then select Salesforce from the results, and click Complete to add the application.
You should now see the Quick Start page for Salesforce:
Step 2: Enable single sign-on
- Before you can configure single sign-on, you must set up and deploy a custom domain for your Salesforce environment. For instructions on how to do that, see Set Up a Domain Name.
On Salesforce's Quick Start page in Azure AD, click the Configure single sign-on button.
A dialog will open and you'll see a screen that asks "How would you like users to sign on to Salesforce?" Select Azure AD Single Sign-On, and then click Next.
To learn more about about the different single sign-on options, click here
On the Configure App Settings page, fill out the Sign On URL by typing in your Salesforce domain URL using the following format:
- Enterprise account:
- Enterprise account:
On the Configure single sign-on at Salesforce page, click on Download certificate, and then save the certificate file locally on your computer.
- Open a new tab in your browser and log in to your Salesforce administrator account.
Under the Administrator navigation pane, click Security Controls to expand the related section. Then click on Single Sign-On Settings.
On the Single Sign-On Settings page, click the Edit button.
If you are unable to enable Single Sign-On settings for your Salesforce account, you may need to contact Salesforce's support in order to have the feature enabled for you.
Select SAML Enabled, and then click Save.
To configure your SAML single sign-on settings, click New.
On the SAML Single Sign-On Setting Edit page, make the following configurations:
- For the Name field, type in a friendly name for this configuration. Providing a value for Name automatically populate the API Name textbox.
- In Azure AD, copy the Issuer URL value, and then paste it into the Issuer field in Salesforce.
In the Entity Id textbox, type your Salesforce domain name using the following pattern:
- Enterprise account:
- Developer account:
- Enterprise account:
- Click Browse or Choose File to open the Choose File to Upload dialog, select your Salesforce certificate, and then click Open to upload the certificate.
- For SAML Identity Type, select Assertion contains User's salesforce.com username.
- For SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement
- In Azure AD, copy the Remote Login URL value, and then paste it into the Identity Provider Login URL field in Salesforce.
- For Service Provider Initiated Request Binding, select HTTP Redirect.
- Finally, click Save to apply your SAML single sign-on settings.
On the left navigation pane in Salesforce, click Domain Management to expand the related section, and then click My Domain.
Scroll down to the Authentication Configuration section, and click the Edit button.
In the Authentication Service section, select the friendly name of your SAML SSO configuration, and then click Save.
If more than one authentication service is selected, then when users attempt to initiate single sign-on to your Salesforce environment, they will be prompted to select which authentication service they would like to sign in with. If you don’t want this to happen, then you should leave all other authentication services unchecked.
In Azure AD, select the single sign-on configuration confirmation checkbox to enable the certificate that you uploaded to Salesforce. Then click Next.
On the final page of the dialog, type in an email address if you would like to receive email notifications for errors and warnings related to the maintenance of this single sign-on configuration.
- Click Complete to close the dialog. To test your configuration, see the section below titled Assign Users to Salesforce.
Step 3: Enable automated user provisioning
In the Azure AD Quick Start page for Salesforce, click on the Configure user provisioning button.
In the Configure user provisioning dialog, type in your Salesforce admin username and password.
If you are configuring a production environment, the best practice is to create a new admin account in Salesforce specifically for this step. This account must have the System Administrator profile assigned to it in Salesforce.
To get your Salesforce security token, open a new tab and sign into the same Salesforce admin account. On the top right corner of the page, click on your name, and then click on My Settings.
On the left navigation pane, click on Personal to expand the related section, and then click on Reset My Security Token.
On the Reset My Security Token page, click on the Reset Security Token button.
- Check the email inbox associated with this admin account. Look for an email from Salesforce.com that contains the new security token.
Copy the token, go to your Azure AD window, and paste it into the User Security Token field. Then click Next.
On the confirmation page, you can choose to receive email notifications for when provisioning failures occur. Click Complete to close the dialog.
Step 4: Assign users to Salesforce
- To test your configuration, start by creating a new test account in the directory.
On the Salesforce Quick Start page, click on the Assign Users button.
Select your test user, and click the Assign button at the bottom of the screen:
If you haven't enable automated user provisioning, then you'll see the following prompt to confirm:
If you have enabled automated user provisioning, then you'll see a prompt to define what type of Salesforce profile the user should have. Newly provisioned users should appear in your Salesforce environment after a few minutes.
If you are provisioning to a Salesforce developer environment, you will have a very limited number of licenses available for each profile. Therefore, it's best to provision users to the Chatter Free User profile, which has 4,999 licenses available.
- To test your single sign-on settings, open the Access Panel at https://myapps.microsoft.com, then sign into the test account, and click on Salesforce.