Salesforce: Single sign-on (SSO) and Provisioning Configuration for Azure

How to set up SAML of Salesforce and Azure

Table of Contents


Add Salesforce from the Azure portal

Back to top


You must be the Azure Global Admin user to complete these steps.



You can add Salesforce from the gallery.

  1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.

  2. Navigate to Enterprise applications. Then make sure you're in All applications

  3. Click New application button on the top of the menu.

  4. In the search box, type Salesforce, select Salesforce from result panel. Name the app anything you'd like. We recommend either naming it the same as your intranet or keeping it Salesforce. This will help avoid confusion later. Click Create.


    You can change the name of the app later on in the Properties menu.


Configure Azure SSO with Salesforce


Back to top



To configure Azure AD single sign-on with Salesforce:


  1. From the Salesforce application integration page, click Set up single sign on.
  2. Choose SAML.
  3. Where you see Basic SAML Configuration, click Edit.

  4. From the next screen, you'll need to enter in the Identifier (Entity ID) field, Reply URL field, and Sign on URL field, enter your Salesforce URL. There are also optional fields you can fill in.
  5. When finished, click Save at the top.
  6. Navigate back to the Single Sign-On page. You should see your settings you just added. If you don't, refresh the page. 
  7. Edit the second option, Attributes & Claims
  8. Edit the Unique User Identifier by clicking in and switching the format from Email Address to Unspecified.
  9. Change the source attribute from user.userprincipalname to user.objectid.

  10. Click Save at the top.
  11. Leave all other claims as is and go back to the Single sign on page.
  12. In the third option, SAML Signing Certificate, download the Federation Metadata XML file.

  13. Save this file to your computer. You'll need it later.

Configuring Salesforce for single sign-on 

Back to top


If you have not yet done so, create a Salesforce service account when connecting your Azure SSO on the Salesforce side. This article will explain more about what a service account is and why it's important to create one, but essentially, a service account is not tied to one single user's email address. So if the admin/user leaves the company, the service account will still be up and running.
Note, if you change this service account's password, you'll need to add the new password to the Provisioning settings again. We recommend keeping this password static.
  1. Open a new tab in your browser and log in to your Salesforce Administrator service account. In the menu on the top, click Setup
  2. In the Quick Find box, type Single and choose Single Sign-On Settings.

From the Single Sign-On Settings section, perform the following steps:

  1. Select Edit, then check the boxes for  SAML Enabled and Make Federation ID case-insensitive. Click Save.
  2. Click New from Metadata File.
  3. Upload the XML file you saved in the steps above. Then click Create. Once created, you'll see a screen similar to the one below.
  4. You can change the name as per your org's requirements if you want. This won't impact anything. Scroll down to SAML Identity Type and select Assertion contains the Federation ID from the User Object.
  5. Change the Service Provider Initiated Request Binding from HTTP Redirect to HTTP Post and click Save.
  6. In the Quick Find box on the left hand side of the screen, type My Domain and click.
  7. Scroll down until you see Authentication Configuration and click Edit
  8. In the Authentication Service section, set it to sts. Then click Save.
  9. Now we need to configure user provisioning in Azure.

Enable automated user provisioning

Back to top

Configure automatic user account provisioning 

The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to Salesforce. 

  1. As the Azure global admin user, in the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section. If you've already configured Salesforce for single sign-on, search for your instance of Salesforce using the search field. 
  2. Select your instance, then select the Provisioning tab. 
  3. Set the Provisioning Mode to Automatic.
  4. Under the Admin Credentials section, provide the following configuration settings: 

    • In the Admin Username text box, type a Salesforce account username name that has the System Administrator profile in assigned. We recommend having this be your Salesforce service account

    • In the Admin Password text box, type the password for this account.

    • To get your Salesforce security token, open a new tab and sign in to the same Salesforce admin account. On the top right corner of the page, click your name, then click My Settings.

      • On the left navigation pane, click My Personal Information to expand the related section, then click Reset My Security Token.


        If you don't see this option, go to Profiles from the Setup menu, find the System Administrator profile and click Del next to Login IP Ranges.

      • On the Reset My Security Token page, click Reset Security Token.
  5. Check the email inbox associated with this admin account. Look for an email from Salesforce that contains the new security token. 

  6. Copy the token, go to your Azure AD window, and paste it into the Secret Token field. 

  7. In the Tenant URL field, paste your Salesforce URL: https://<domainname>
  8. In the Azure portal, click Test Connection to ensure Azure AD can connect to your Salesforce app. Once verified, click Save.

  9. In the Notification Email field, enter the email address of a person or group who should receive provisioning error notifications, and check the checkbox. Click Save.

Running a user provisioning log

For detailed instructions on running a user provisioning log from Azure, check out this article from Microsoft's Help Center!

User mapping

Back to top



Source attributes come from Azure. Target attributes are from Salesforce/Simpplr. When mapping, you'll need to know both the Source and Target attributes. You can edit your Attribute list for Salesforce by going to Show advanced options at the bottom of the Attribute Mapping page.
  1. From the same screen, Under the Mappings section, select Provision Azure Active Directory Users

  2. In the Attribute Mappings section, scroll down and click userPrincipalName. This should open a module that allows you to change your mapping.

  3. In the module, change the Mapping type from Direct to Expression
  4. Replace the Expression box text with Append([userPrincipalName], ".simpplr")
  5. Change the Matching Precedence from 1 to 2. 
  6. Click Ok.
  7. Scroll down to the Attribute list and click Add New Mapping.
  8. On the next page, the Mapping type can stay Direct. Change the fields to match the below:
    • Source attribute: objectid
    • Target attribute: FederationIdentifier
    • Match Object using this Attribute: Yes
    • Matching Precedence: 1
  9. Once complete, click Ok.
  10. Once again, click the Append([userPrincipalName], ".simpplr") attribute. Change the property Match objects using this attribute from Yes to No. Click Ok.
  11. If needed, you can add more attributes like Title, Department, Manager, etc. To do so, click Add New Mapping and change the Source Attribute and Target Attribute. If you'd like to map user time zones, set the Mapping type to None, and label the Target attribute as TimeZoneSidKey. Set your Default value if null field as the appropriate time zone. Use this Supported Time Zones doc to add accordingly. Use the values highlighted in the image below.
  12. When finished, click Save at the top of the Attribute Mapping page.
  13. Navigate back to Home window. Follow the path back to your Salesforce application and choose Provisioning. then click Edit Provisioning.
  14. If needed, choose an email to send failures to when mapping. This field is optional. The Scope should be set to Sync only assigned users and groups. Ensure this option is chosen. The other option will sync everything from Azure to Salesforce. We DO NOT want this.
  15. To enable Azure AD provisioning, change the Provisioning Status to On.
  16. Click Save. The sync will run every 40 minutes. When adding users, it's good practice to allow an hour-long buffer before you see changes put in place.


    If you'd like to provision a single user at any time, you can choose Provision on demand from the Provisioning window.

Mapping Joining Date and/or Hire Date in Azure Active Directory

We need to take a few extra steps to map a user birthday and/or hire date in Azure. Follow the instructions below to learn how.

  1. The first step is to create a custom field in Salesforce. Label your fields as Joining_Date and Birth_Date respectively. The data field for both of these should be Date.

Use custom attribute in on-premise AD

    • Use existing msDS-cloudExtensionAttribute1
    • Map/Fill the Birthdate for all the users. Click Save.
    • We need to use another existing attribute msDS-cloudExtensionAttribute2 for HireDate
      as well. Click Save.
    • Add the date in the format YYYY-MM-DD only.

Azure AD Connect sync: Directory extensions

    • You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory.
    • Open Microsoft Azure Active Directory connect utility.
    • You configure which additional attributes you want to synchronize in the custom
      settings path in the installation wizard.
    • The Available Attributes box is case-sensitive.
    • Click Next to save the configuration.

Make changes on the Azure portal

  1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
  2. Navigate to Enterprise applications. Then go to All applications.
  3. Search for the Salesforce application for which you have configured SSO and provisioning.
  4. Navigate to Provisioning and scroll down.
  5. Look for Mappings and click Synchronize Azure Active Directory Users to
  6. Another window will open. Scroll down and click Show advanced options.
  7. Click Edit attribute list for, and another window will open on the
    right side.
  8. Scroll down and type in the box as shown below. Birth_Date__c
  9. Click Add Attribute.
  10. Do this for Joining Date attribute as well; Joining_Date__c.
  11. Click Add Attribute again.
  12. On the top of the page, click Save.
  13. We need to add this attribute to the AD custom attribute.
  14. From the previous page click Attribute Mapping, scroll down and click Add
    New Mapping.
  15. Select the source attribute as Extension attribute, which we are syncing for Birth Date or
    Joining Date from on premise Active Directory.
  16. Select the Target attribute as Birth_Date__c and click Okay.
  17. Do the same for Joining_Date__c.
  18. Click Save on the Attribute Mapping page.

Finally, head back to your Simpplr environment and go to Manage > Application > People > User syncing. Scroll down to the Hire date field and check the box. Then click Save. The mapping could take up to 24 hours to reflect.

Create groups for Simpplr permissions

Back to top

After the initial sync has run, create two groups in Azure or in Premise AD (if you are syncing users from Azure Active Directory > Groups > New group. These groups must be security groups. Security groups can be assigned groups or dynamic groups. If your org is using On-Premise AD, you can sync groups from there. Group creation depends how org infrastructure is setup or you wan to setup the groups. 

Give the groups names similar to Simpplr_Admin and Simpplr_Users. These are required to control user access.


  1. Go to Users and groups in the side panel.

  2. Click Add User and search for the group we created above, such as Simpplr Admin.
  3. Click Select Role (Role in Azure is Profile in Salesforce). Select System Administrator and then Assign.

  4. Repeat the same steps for the role Simpplr User group as well. For the Role selection, be sure to choose Simpplr User.

  5. Any user added to the group will get access to the application. If removed, the user will become inactive.

Make changes on the Azure portal


  1. In the Azure portal on the left navigation panel, click Azure Active Directory icon.
  2. Navigate to Enterprise applications. Then go to All applications.
  3. Search for your Salesforce application where you've configured SSO and Provisioning.
  4. Navigate to Provisioning and scroll down.
  5. Look for Mapping and click Synchronize Azure Active Directory Users to
  6. From the new window, scroll down and click the checkbox next to Show advanced options. Then click Edit attribute list for
  7. Scroll down and type the new field into the box; for example, Birth_Date__c. Choose String from the dropdown list. Click Add Attribute, then click Save.
  8. Now add this attribute to the AD custom attribute list. From the previous screen, click Attribute Mapping and scroll down until you see Add New Mapping. Click it.
  9. Select the source attribute as Extension Attribute. You'll sync this for the Hire Date or Birthday field from the On-Premise AD.
  10. Select the target attribute as Birth_Date__c and click Okay. Do the same for any other fields you create such as Joining_Date__c.
  11. Click Save on the Attribute Mapping page.

Make the changes in Simpplr

  1. Log in to Simpplr as a System admin.
  2. Click your user profile image and navigate to Manage application > People > User syncing.
  3. Check the boxes next to Hire Date, Birthday, or any other fields you've set up in AD. Then click Save. The sync will typically take up to 24 hours before you can see the changes for End users. 
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Articles in this section