Salesforce: Single sign-on (SSO) configuration for Azure Active Directory

How to set up SAML of Salesforce and Azure Active Directory.

Table of Contents

 

To add Salesforce from the gallery: 

Back to top

  1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.

  2. Navigate to Enterprise applications. Then go to All applications

  3. To add new application, click New application button on the top of the dialog.

  4. In the search box, type Salesforce, select Salesforce from result panel and click Add


azure_sso_1.png

Azure Active directory


azure_sso_2.png

Enterprise applications

 


azure_sso_3.png

Add a new application


azure_sso_4.png

Add Salesforce

 

To configure Azure AD single sign-on with Salesforce:

Back to top

  1. In the Azure portal, on the Salesforce application integration page, click Single sign-on.azure_sso_5.png
  2. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable SSO.
  3. Edit the first option: Basic SAML Configuration.
    Azure_saml_1.jpg
  4. In all three required fields (the Identifier (Entiry ID) field, Reply URL field, and Sign on URL field), enter your Salesforce URL. It should appear like this: https://<subdomain>.my.salesforce.com
  5. When finished, click Save at the top.
  6. Navigate back to the Single Sign-On page.Azure_saml_2.jpg
  7. Edit the second option, User Attributes & Claims
  8. Edit the Name Identifier Value by switching the format from Email Address to Unspecified.
  9. Change the source attribute from user.userprincipalname to user.objectid.
    Azure_saml_3.jpg
  10. Click Save at the bottom.
  11. Leave all other claims as is and go back to the Single sing-On page.
  12. In the third option, SAML Signing Certificate, download the Federation Metadata XML file.
    Azure_saml_4.jpg
  13. Save this file to your computer. You'll need it later.

Configuring Salesforce for single sign-on 

Back to top

  1. Open a new tab in your browser and log in to your Salesforce Administrator account. In the menu on the top, click Setup
  2. In the navigation pane on the left, click Security Controls, then Single Sign-On Settings.
    Screen_Shot_2021-08-24_at_9.08.40_AM.png

 

From the Single Sign-On Settings section, perform the following steps:

  1. Select Edit, then SAML Enabled. Click Save.
    azure_sso_gif_1.gif
  2. Click New from Metadata File.
    Azure_saml_5.png
  3. Upload the XML file you saved in the steps above. then click Create. Once created, you'll see a screen similar to the one below.
    Azure_saml_6.jpg
  4. You can change the name as per your org's requirements if you want. then scroll down to SAML Identity Type and select Assertion contains the Federation ID from the User Object.
  5. Change the Service Provider Initiated Request Binding from HTTP Redirect to HTTP Post.
  6. Uncheck the Single Logout Enabled box if checked.
  7. Click Save
  8. In the Quick Find box on the left hand side of the screen, type My Domain and click.
    Azure_saml_7.png
  9. Scroll down until you see Authentication Configuration and click Edit
  10. In the Authentication Service section, set it to the SAML Single Sing-On you just created in the previous section. Then click Save.
    azure_saml_8.png
  11. Now we need to configure user provisioning in Azure.
 

Enable automated user provisioning

Back to top

Configure automatic user account provisioning 

The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to Salesforce. 

  1. In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section. If you've already configured Salesforce for single sign-on, search for your instance of Salesforce using the search field. 
  2. Select your instance, then select the Provisioning tab. 
  3. Set the Provisioning Mode to Automatic.
    azure_sso_.png
  4. Under the Admin Credentials section, provide the following configuration settings: 

  5. In the Admin Username text box, type a Salesforce account name that has the System Administrator profile in Salesforce.com assigned. 

  6. In the Admin Password text box, type the password for this account.

  7. To get your Salesforce security token, open a new tab and sign in to the same Salesforce admin account. On the top right corner of the page, click your name, then click Settings.
    azure_sso_11.png

  8. On the left navigation pane, click My Personal Information to expand the related section, then click Reset My Security Token.
    azure_sso_12.png
  9. On the Reset Security Token page, click the Reset Security Token button. azure_sso_13.png
  10. Check the email inbox associated with this admin account. Look for an email from Salesforce that contains the new security token. 

  11. Copy the token, go to your Azure AD window, and paste it into the Secret Token field. 

  12. In the Azure portal, click Test Connection to ensure Azure AD can connect to your Salesforce app.

  13. In the Notification Email field, enter the email address of a person or group who should receive provisioning error notifications, and check the checkbox. Click Save.

  14. Under the Mappings section, select Synchronize Azure Active Directory Users to salesforce.com. 

  15. In the Attribute Mappings section, scroll down and click Username. This should open a module that allows you to change you mapping.
    Azure_saml_9.jpg

  16. In the module, change the Mapping type from Direct to Expression
  17. Replace the Expression box text with Append([userPrincipalName], ".simp")
  18. Change the Matching Precedence from 1 to 2. Your result should look like the screenshot below.
    Azure_saml_10.jpg
  19. Click Ok.
  20. Scroll down to the Attribute list and click Add New Mapping.
    Azure_saml_11.jpg
  21. On the right hand side, change the fields to match the below:
    • Source Attribute: Objectid
    • Target Attribute: FederationIdentifier
    • Match Object using this Attribute: Yes
    • Matching Precedence: 1
      Azure_SAML_12.jpg
  22. Once complete, click Ok.
  23. Once again, click Username. Change the property Match objects using this attribute from Yes to No.
  24. Your completed attribute list should look similar to the screenshot below.
    Azure_saml_13.jpg
  25. If needed, you can add more attributes like Title, Department, Manager, etc. To do so, click Add New Mapping and change the Source Attribute and Target Attribute.
  26. When finished, click Save.
  27. Navigate back to the main Provisioning window.
  28. To enable Azure AD provisioning, change the Provisioning Status to On in Settings. The Scope will always be Sync only assigned users and groups.
    Azure_SAML_14.jpg
  29. Click Save. The sync will run every 40 minutes. 
  30. Create two groups in Azure or in Premise AD (if you are syncing users from Active Directory). Give the groups names similar to Simpplr_Admin and Simpplr_Users. These are required to control user access.

  31. Once groups are created, Add a group in the application.azure_sso_14.png

  32. Click Add user and search for the group we created above, like Simpplr Admin. azure_sso_15.png

  33. Click Select Role (Role in Azure is Profile in Salesforce). Select System Administrator and then assign. 

  34. Repeat the same steps for Simpplr User group as well. 

  35. Any user who is added to the group will get access to the application. If removed, the user will become inactive.

 

Mapping fields from Azure to Simpplr

Back to top

After user provisioning, you'll likely want to sync fields such as Joining date and Birthdays from Azure AD to Simpplr. Follow the steps below to do so.

Use the Custom attribute in the on-premise Active Directory

  1. Use the existing msDS-cloudExtensionAttribute1
  2. Map/Fill the Birthday for all active users. Click Save.
  3. Use another existing attribute msDS-cloudExtensionAttribute2 for HireDate
    as well. Click Save.
  4. Add the date in the format YYYY-MM-DD only.

Azure AD Connect sync: Directory extensions

  1. You can use directory extensions to extend the schema in Azure Active Directory with your own attributes from on-premises Active Directory.
  2. Open Microsoft Azure Active Directory connect utility.
  3. You configure which additional attributes you want to synchronize in the custom
    settings path in the installation wizard.
  4. The Available Attributes box is case-sensitive.
    ad_1.png
  5. Once the attributes are added, click Next, then Save.

Make changes on the Azure portal

  1. In the Azure portal on the left navigation panel, click Azure Active Directory icon.
  2. Navigate to Enterprise applications. Then go to All applications.
  3. Search for Salesforce application for which you have configured SSO and Provisioning.
  4. Navigate to Provisioning and scroll down.
  5. Look for Mapping and click Synchronize Azure Active Directory Users to Salesforce.com.
    ad_2.png
  6. From the new window, scroll down and click the checkbox next to Show advanced options. Then click Edit attribute list for salesforce.com.
    ad_3.png
  7. Scroll down and type the new field into the box. For example, Birth_Date__c and choose DateTime from the dropdown list. click Add Attribute, then click Save.
    ad_4.png
  8. Now add this attribute to the AD custom attribute list. From the previous screen, click Attribute Mapping and scroll down until you see Add New Mapping. Click it.
  9. Select the source attribute as Extension Attribute. you'll sync this for the Hire Date or Birthday field from the on-premise AD.
  10. Select the target attribute as Birth_Date__c and click Okay. Do the same for any other fields you create such as Joining_Date__c.
  11. Click Save on the Attribute Mapping page.

Make the changes in Simpplr

  1. Log in to Simpplr as a System admin.
  2. Click your user profile image and navigate to Manage application > People > User syncing.
    user_syncing.gif
  3. Check the boxes next to Hire Date, Birthday, or any other fields you've set up in AD. Then click Save. The sync will typically take up to 24 hours before you can see the changes for End users. 
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more