Azure Active Directory SSO Integration with Salesforce

This article goes through the steps to integrate Microsoft Entra ID (formerly Azure AD) identity with Salesforce.com, giving end users single sign-on (SSO) and giving IT better control over corporate identities. It walks through the integration step by step, outlines the issues encountered along the way, and explains how to overcome them.

  1. Log into Portal.Azure.com and go to Microsoft Entra ID (formerly Azure AD) > Enterprise Application.
  2. Add Salesforce app (Pick Salesforce even if you are doing a Sandbox integration, I noticed a bug with the Sandbox app).
  3. Give the Salesforce app a name of your choosing and then click Add.
  4. Then select the Single Sign-on settings and click the SAML Method.
  5. Log into your Salesforce tenant, go to Settings > Company Settings > My Domain, and copy the text following “Your domain name is”.
  6. Then from your Azure portal edit the SAML settings.
  7. The Sign on URL and the Identifier will both be the text you copied from the Salesforce portal in step 5 with an https:// prefix.
  8. Download the Federation Metadata XML.
  9. Go back to your Salesforce portal and navigate to Identity > Single Sign-On Settings.
  10. Make sure SAML has been enabled.
  11. Upload the file from Step 8 and click Save (the Name field can be changed to something better, like Azure instead of sts).
  12. Go to Settings > My domain and Edit the Authentication Configuration and select “sts” or whatever you named the SSO method from Step 11.
  13. Pick a test user from the Administer > Users section and make sure the Federation ID matches the user name used when authenticating to Office 365.
  14. Go back to the Azure portal and add the user from step 13 to the Salesforce group.
  15. Test the Salesforce integration by clicking the “Test” button at the bottom of the screen.
  16. Select the “Or login using the “sts”” button or whatever you called the SSO method in Step 11.
  17. I received the next error when using Internet Explorer.
  18. This issue was resolved when using Chrome in non-incognito mode.
  19. I then tested using the Salesforce sign in URL and received the below error.
  20. I was able to resolve this by going to Security Controls > Single Sign-On Settings and changing the SAML Identity Type to “Assertion contains the Federation ID from the User object”.
  21. After changes are made you should be able to successfully sign in.
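As an added troubleshooting aid (not part of the original article), the following Python check looks for the mismatches behind the errors in steps 19 and 20: it parses a decoded SAML Response and compares the Audience and Recipient with the My Domain URL from step 7, and the NameID with the user's Federation ID from step 13. The domain, user and sample response are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what the IdP posts to Salesforce (signature omitted; domain and user are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://example-dev-ed.my.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example-dev-ed.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_assertion(xml_text, my_domain, federation_id):
    """Return the mismatches between an assertion and the Salesforce settings (empty list = all good).
    my_domain is the 'Your domain name is' value from step 5; federation_id is the user's
    Federation ID from step 13. Signature checks are out of scope; Salesforce performs those."""
    expected_url = "https://" + my_domain  # the Identifier / Sign on URL from step 7
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    problems = []
    # Audience and Recipient must equal the My Domain URL, otherwise Salesforce rejects the response.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != expected_url:
        problems.append(f"Audience {audience!r} != Identifier {expected_url!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_url:
        problems.append(f"Recipient {recipient!r} != {expected_url!r}")
    # NameID is what Salesforce compares with the Federation ID once the SAML Identity Type
    # from step 20 is set; the comparison is exact, so a case difference is a failed login.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id != federation_id:
        problems.append(f"NameID {name_id!r} != Federation ID {federation_id!r}")
    return problems
```

Paste the base64-decoded SAML Response captured by the browser's SAML tracer into `xml_text` to reproduce a failing login offline.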


Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Last updated on August 3rd, 2023 at 01:51 pm