Salesforce Single Sign-On (SSO) with Microsoft Entra ID
Introduction
Integrating Salesforce with Microsoft Entra ID offers a seamless, secure single sign-on (SSO) experience. This powerful integration eliminates the need for multiple logins, enhancing user productivity and reducing the risk of security breaches. With Microsoft Entra ID as the central identity provider, users can access Salesforce with a single set of credentials, simplifying the login process and improving overall user experience.
In this article, I will demonstrate how to configure Microsoft Entra ID as the identity provider that authenticates access to a Salesforce org.
Pre-requisite
To set up Salesforce SSO with Microsoft Entra ID using free tier resources, you'll need:
Salesforce Account: A free trial or Developer Edition account.
Microsoft Entra ID Tenant: A free tenant.
Global Administrator Role: In Microsoft Entra ID, to configure SSO settings.
System Administrator Role: In Salesforce, to configure SSO settings.
Create a Salesforce Account
Visit the Salesforce Developers website (https://developer.salesforce.com/).
Sign up for a free developer account.
Log in to your Salesforce org.
Create a Microsoft Entra ID Tenant
Go to the Microsoft Azure portal (https://portal.azure.com/)
Sign in using your existing Microsoft Account or create a new one if you have none.
When you sign up for an Azure account, you automatically create a free Microsoft Entra ID Tenant.
When the free Microsoft Entra ID tenant is created, you are automatically assigned the Global Administrator role. This role grants you full administrative privileges over your Azure tenant, including managing users, groups, and applications and configuring SSO settings.
Configure SSO settings in Microsoft Entra ID
While logged in to the Azure portal:
Click Microsoft Entra ID.
Click the Manage dropdown, then select Enterprise Applications
Enter salesforce in the search box, give the app a name of your choice, and click the Add button.
On the Salesforce application page,
Click Set up single sign-on.
Click the SAML-based Sign-on tab under the Manage section, then select SAML.
Select the edit icon in the Basic SAML Configuration section.
Log in to your Salesforce org and go to Settings, then Setup.
In the Quick Find search box, search for My Domain, then click on it.
Copy the MyDomain URL.
Back in the Azure portal, click the edit icon in the Basic SAML Configuration section.
Paste the MyDomain URL into the following fields: Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Sign-on URL.
Download the Federation Metadata XML.
Click the Edit button and ensure SAML is enabled.
Back in your Salesforce org, navigate to the Single Sign-On Settings.
Click “New from Metadata File” to upload the Metadata XML file.
Change the name field value to a text of your choice
Change the SAML Identity Type to “Assertion contains the Federation ID from the User object”, then save.
Next, go to My Domain and, under Authentication Configuration, tick the checkbox next to the newly added authentication service. Then save.
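Before the Federation Metadata XML downloaded above is uploaded to Salesforce, it is worth checking what it actually contains. The following Python script is an added example, not part of this article or of any Microsoft or Salesforce tooling; it parses a constructed metadata sample (placeholder tenant ID, fake certificate bytes) in the shape Entra ID exports, reports the IdP entity ID, SSO endpoints and signing-certificate fingerprint so they can be compared with what the Azure portal shows, and flags endpoints that are not HTTPS or a file with no signing certificate.

```python
"""Sanity-check a SAML IdP federation metadata file before uploading it to Salesforce."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not a real download): placeholder tenant ID and a fake
# base64 blob standing in for the signing certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, SSO endpoints keyed by binding, and SHA-256 fingerprints
    of every signing certificate (colon-separated hex, as the Azure portal shows them)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    for cert in idp.findall(path, NS):
        der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
        fingerprints.append(":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}


def check_metadata(meta):
    """Return a list of problems (empty means the file passed the checks)."""
    problems = []
    if not meta["signing_fingerprints"]:
        problems.append("no signing certificate: Salesforce could not verify assertions")
    if not (meta["entity_id"] or "").startswith("https://"):
        problems.append(f"entity ID is not an HTTPS URL: {meta['entity_id']}")
    for binding, location in meta["sso"].items():
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not HTTPS: {location}")
    return problems
```

Compare the printed fingerprint with the certificate thumbprint shown in the Azure portal's SAML Certificates section before trusting the file, and re-run the check whenever the IdP certificate is rotated.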
Assign the Microsoft Entra Test User
Remember that when you created the free Microsoft Entra ID tenant, you were automatically assigned the Global Administrator role. In the following steps, assign your user to the application:
Browse to Identity > Applications > Enterprise applications > Salesforce.
In the app's overview page, select Users and Groups.
Select Add user/group, then select Users and Groups in the Add Assignment dialog.
In the Users and Groups dialog, select your user from the Users list, then click the Select button at the bottom of the screen.
If you expect a role to be assigned to the users, you can select it from the Select a role dropdown (in this scenario, select the System Administrator role).
If no role has been set up for this app, you see the "Default Access" role selected.
In the Add Assignment dialog, click the Assign button.
Test your Microsoft Entra single sign-on configuration using the following options.
Click on Test this application. This will redirect you to the Salesforce Sign-on URL, where you can initiate the login flow.
Go directly to the Salesforce Sign-on URL and initiate the login flow.
Choose to log in using the SSO method you configured: click the “Azure AD” button.
Enter your password, and you are logged into your Salesforce org.