What is SSO?
SSO stands for Single Sign-On. It is a method for granting users access to multiple applications with a single set of login credentials. In this setup a third-party identity provider (here Azure AD) is integrated with Salesforce and performs the authentication.
The same identity is then used to authenticate to several applications, and the identity provider is configured to suit the organization's needs.
Why should we use SSO?
SSO offers its users both security and convenience. Here are some of the advantages it provides:
- Users can log in with credentials from a third-party identity provider that Salesforce trusts.
- It removes the need for a separate login to every application.
- Users move seamlessly between applications and the Salesforce org without repeated logins.
- SSO can be configured for the use case at hand, for example so that users reach the Salesforce org from a third-party application such as a corporate portal.
- Salesforce can itself act as the identity provider, so users log in to another application using their Salesforce org.
- An SSO chain can be configured: users log in to a third-party application to access Salesforce, and that access is used to log in to another org.
- Login is centralized: users sign in to multiple apps with the same credentials, and access is granted and revoked in one place.
This article explains how to set up SSO for Salesforce using an existing Azure AD tenant.
Technical Design Diagram
The flow configured below is SP-initiated SAML 2.0: the user opens the org's My Domain login page and clicks the Azure AD button, Salesforce redirects the browser to Azure AD, the user authenticates there, and Azure AD posts a signed SAML assertion back to Salesforce. Salesforce verifies the signature with the uploaded Azure AD certificate and logs in the user whose Federation ID equals the assertion's NameID (the user's email address).
Configuration of Azure AD
- Sign in to the Azure Active Directory portal: https://aad.portal.azure.com
- In the left-hand menu select “Enterprise applications”.
- Click the “New application” button (the one with the plus sign).
- In the gallery search box type “Salesforce” or “Salesforce Sandbox”.
From the options that appear, select the one that matches your org type. The “Salesforce Add App” panel then appears.
Name the app according to the org type and purpose: for example Salesforce SSO for a production org, or DEV1 SSO for a development org. Then click the Add button at the bottom of the screen.
Add AD Users to the newly created Application Group
Make sure the users who need Azure AD SSO exist in Azure AD. If they do not, create them in Azure AD first.
- Navigate to Azure Active Directory.
- Open the application and choose Properties from the menu.
- Scroll to the bottom of the page and find the User assignment required? setting. Choosing No lets every user in the Azure AD tenant sign in to the application. Choosing Yes restricts sign-in to the users and groups explicitly assigned to the application; this is the least-privilege option and the one to prefer, because with No any tenant account whose email happens to match a Salesforce Federation ID can reach the org. Save the setting.
Configuration of Application
Open the application, select Single sign-on in the menu, and click the SAML card.
- Click the edit pencil to open the Basic SAML Configuration settings.
- Fill in Identifier (Entity ID) and Sign-on URL; both are required. For a My Domain org both values look like https://mydomain.my.salesforce.com.
- Click Save, then close the panel with the cross at the top right.
- Click the edit icon in the User Attributes & Claims section.
- Click the edit icon next to the Name identifier value (the NameID claim).
- I prefer user.mail as the source attribute, since the Salesforce Federation ID will be set to the same email address below. Save the change and close the panel. Whatever attribute is chosen here must match the Federation ID exactly; the Federation ID is case-sensitive.
- In the SAML Signing Certificate section there is a download link next to Certificate (Raw). Download it; Salesforce needs this certificate to verify the signature on every assertion. The Federation Metadata XML in the same section can be downloaded instead if you prefer to import the settings.
Configuration of Salesforce
- Sign in to Salesforce, click the Gear icon, and open Setup.
- Type single sign-on in the Quick Find box and press Enter.
- Click Edit, enable SAML, and save the change.
- Click New, then Choose File, and upload the certificate downloaded from Azure AD as the Identity Provider Certificate. Fill in the Issuer (the Azure AD Identifier), the Identity Provider Login URL (the Azure AD Login URL) and the Entity ID (the My Domain URL used as the Identifier in Azure AD); all of these values are shown on the Azure AD single sign-on page, as in the picture below.
- Alternatively, download the Federation Metadata XML file from Azure AD and upload it in Salesforce; the settings are then filled in automatically.
- For SAML Identity Type, select “Assertion contains the Federation ID from the User object”.
- Click Save.
- Type Users in the Setup Quick Find box.
- Edit each user and set the Federation ID field to the user's Azure AD email address (the value Azure AD sends as NameID).
- Repeat for every user who will log in through Azure AD.
- Log in to Salesforce.
- Type My Domain in the Quick Find box and open it.
- Under Authentication Configuration click Edit, tick the name of the identity provider, and save. You may also untick Login Form so that only users who authenticate through the corporate identity provider can get in. Before doing so, keep at least one administrator who can still log in with a password, so that an Azure AD outage or a misconfigured identity provider does not lock everyone out of the org.
- Sign out of Salesforce, or open an incognito window.
- Enter your My Domain URL in the browser, for example https://mydomain.my.salesforce.com.
- An Azure AD button appears under the login form. If Login Form was unticked in the My Domain settings, only the Azure AD button is shown.
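The checks behind the Salesforce settings above, as an added example that is not part of the article and not Salesforce's own code: the assertion's Issuer must equal the Azure AD Identifier entered as Issuer, its Audience must equal the org's Entity ID, it must be inside its validity window, and its NameID (user.mail) is matched exactly against the Federation ID of a Salesforce user. The entity IDs, the user table and the assertion are constructed; the tenant ID in the issuer URL is a placeholder. XML-Signature verification is deliberately left out because the standard library cannot do XML-DSig; in the real flow Salesforce verifies the signature with the uploaded certificate before any of these checks matter.

```python
"""Added example, not from the article: check a SAML assertion against the
values configured in Salesforce (Issuer, Entity ID as audience, validity
window) and resolve the user through the Federation ID, the way
"Assertion contains the Federation ID from the User object" works.
Signature verification is omitted (no XML-DSig in the standard library).
Every identifier and record here is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values mirroring the settings entered in Salesforce.
SP_ENTITY_ID = "https://mydomain.my.salesforce.com"  # Entity ID / Identifier
IDP_ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"  # placeholder tenant

# Constructed Salesforce user table: Federation ID -> Salesforce username.
USERS_BY_FEDERATION_ID = {
    "alice@example.com": "alice@example.com.prod",
    "bob@example.com": "bob@example.com.prod",
}

# Constructed assertion shaped like the one Azure AD posts back (signature omitted).
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mydomain.my.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised with the reason the assertion must not log anyone in."""


def _utc(stamp):
    # SAML timestamps are UTC; this accepts the whole-second "Z" form used above.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_user(assertion_xml, now_iso, users=USERS_BY_FEDERATION_ID,
                 issuer=IDP_ISSUER, audience=SP_ENTITY_ID):
    """Return the Salesforce username the assertion maps to, or raise AssertionRejected."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise AssertionRejected("not a SAML 2.0 Assertion")
    # Issuer must be the Azure AD Identifier entered as Issuer in Salesforce.
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != issuer:
        raise AssertionRejected("issuer does not match the Azure AD identifier")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise AssertionRejected("Conditions without a validity window")
    now = _utc(now_iso)
    if not (_utc(not_before) <= now < _utc(not_on_or_after)):
        raise AssertionRejected("assertion outside its validity window")
    # Audience must be this org's Entity ID; otherwise an assertion minted for
    # another service provider (e.g. the sandbox app) would be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise AssertionRejected("audience does not match this org's Entity ID")
    # NameID carries user.mail; it is matched exactly (case-sensitive) against Federation ID.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise AssertionRejected("missing NameID")
    if name_id not in users:
        raise AssertionRejected("no Salesforce user with Federation ID %r" % name_id)
    return users[name_id]


def rejection_reason(assertion_xml, now_iso, **overrides):
    """Convenience: the rejection message, or None when the assertion is accepted."""
    try:
        resolve_user(assertion_xml, now_iso, **overrides)
    except AssertionRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(resolve_user(CONSTRUCTED_ASSERTION, "2024-01-01T12:00:00Z"))
    print(rejection_reason(CONSTRUCTED_ASSERTION, "2024-01-01T14:00:00Z"))
```

The last check is the one that bites most often in practice: a NameID of Alice@example.com does not log in alice@example.com, and a user who exists in Azure AD but has no Federation ID set in Salesforce is rejected even though the assertion itself is valid.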
Process of Configuring automatic user account provisioning
The purpose of this section is to show how to enable automatic provisioning of Azure AD user accounts into Salesforce.
- In the Azure portal, browse to Azure Active Directory, click Enterprise applications, and open All applications.
- If Salesforce was already added for single sign-on, use the search field to find that Salesforce instance. If there is no Salesforce instance yet, click Add, open the application gallery, search for Salesforce, and add it to the list of applications.
- Select the Salesforce instance and open the Provisioning tab.
- Enter the following settings in the Admin Credentials section.
- In Admin Username, enter the Salesforce account name. This account must have the System Administrator profile in Salesforce. Treat it as a service account: its password and security token together give full API access to the org.
- In Admin Password, enter that account's password.
- To obtain the security token, open another tab and sign in to Salesforce as that admin. Click your name in the top right corner to reach your personal settings.
- In the left navigation pane, under My Personal Information, open Reset My Security Token.
- Click Reset Security Token.
- The new token is e-mailed to the address associated with the admin account. Resetting it invalidates the previous token, so any other integration that used the old token must be updated.
- Paste the token into the Secret Token field of the Azure AD window.
- If the Salesforce instance is on the Salesforce Government Cloud, you must enter the Tenant URL. Otherwise it is optional and has the format https://<your-instance>.my.salesforce.com, replacing <your-instance> with the name of your Salesforce instance.
- Click Test Connection in the Azure portal to verify that Azure AD can connect to the Salesforce app.
- In the Notification Email field, enter the address of the person or group who should receive provisioning error notifications, and tick the checkbox “Send an email notification when a failure occurs”.
- Save the changes.
- Under the Mappings section, the option Synchronize Azure Active Directory Users to Salesforce is present.
- Review the user attributes in the Attribute Mapping section. These attributes are synchronized from Azure AD to Salesforce; the attributes marked as matching properties are used to match accounts in Salesforce for update operations, so they must be unique and stable (here the email address, which is also the Federation ID). Save the changes.
- To activate Azure AD provisioning, go to the Settings section and change Provisioning Status to On.
- Save the changes.
If a user does not yet exist in Azure AD, create the user in Azure AD first. It is assumed that licenses for both Azure AD and Salesforce are already in place.
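What the provisioning cycle does with the attribute mapping, as an added example that is not part of the article and not Azure AD's provisioning code: Azure AD users assigned to the app are matched to Salesforce users on the matching attribute (here mail to FederationIdentifier, the same value the SAML NameID carries), unmatched users are created, changed ones are updated, disabled Azure AD accounts become inactive Salesforce users, and users that are no longer assigned are deactivated rather than deleted. The attribute mapping is an assumption chosen to match the SSO setup above (Azure AD's default mapping may differ), and all user records and Salesforce Ids are constructed.

```python
"""Added example, not the article's and not Azure AD's provisioning code: a
simplified reconciliation of the kind the provisioning job runs on each
cycle.  The attribute mapping and all records are constructed."""

# Assumed attribute mapping (Azure AD attribute, Salesforce User field).
# The first pair is the matching attribute; "mail" appears twice because it
# feeds both FederationIdentifier and Email.
ATTRIBUTE_MAP = [
    ("mail", "FederationIdentifier"),
    ("mail", "Email"),
    ("userPrincipalName", "Username"),
    ("givenName", "FirstName"),
    ("surname", "LastName"),
]

# Constructed Azure AD users currently assigned to the Salesforce app.
AAD_ASSIGNED = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "givenName": "Alice", "surname": "Smith", "accountEnabled": True},
    {"userPrincipalName": "carol@example.com", "mail": "carol@example.com",
     "givenName": "Carol", "surname": "Jones", "accountEnabled": True},
    {"userPrincipalName": "dave@example.com", "mail": "dave@example.com",
     "givenName": "Dave", "surname": "Lee", "accountEnabled": False},
]

# Constructed Salesforce users (Ids are placeholders, not real record Ids).
SALESFORCE_USERS = [
    {"Id": "005A1", "Username": "alice@example.com", "Email": "alice@example.com",
     "FirstName": "Alice", "LastName": "Smith",
     "FederationIdentifier": "alice@example.com", "IsActive": True},
    {"Id": "005B2", "Username": "bob@example.com", "Email": "bob@example.com",
     "FirstName": "Bob", "LastName": "Brown",
     "FederationIdentifier": "bob@example.com", "IsActive": True},
    {"Id": "005D4", "Username": "dave@example.com", "Email": "dave@example.com",
     "FirstName": "Dave", "LastName": "Lee",
     "FederationIdentifier": "dave@example.com", "IsActive": True},
    # Break-glass admin with no Federation ID: outside provisioning scope.
    {"Id": "005X9", "Username": "breakglass@example.com", "Email": "sec@example.com",
     "FirstName": "Break", "LastName": "Glass",
     "FederationIdentifier": None, "IsActive": True},
]


def desired_record(aad_user):
    """Translate an Azure AD user into the Salesforce User fields to enforce."""
    rec = {sf_field: aad_user.get(aad_attr) for aad_attr, sf_field in ATTRIBUTE_MAP}
    # A disabled Azure AD account becomes an inactive Salesforce user.
    rec["IsActive"] = bool(aad_user.get("accountEnabled", False))
    return rec


def reconcile(aad_assigned, sf_users):
    """Return (creates, updates, deactivates).

    creates:     list of new Salesforce User records
    updates:     list of (Id, changed-fields) pairs
    deactivates: list of Ids to set IsActive=False
    Only Salesforce users that carry a FederationIdentifier are treated as
    managed; local accounts such as the break-glass admin are never touched.
    """
    managed = {u["FederationIdentifier"]: u for u in sf_users if u.get("FederationIdentifier")}
    creates, updates, deactivates, seen = [], [], [], set()
    for aad_user in aad_assigned:
        desired = desired_record(aad_user)
        key = desired["FederationIdentifier"]
        if not key:
            continue  # no matching attribute: the real job reports this as an error
        seen.add(key)
        current = managed.get(key)
        if current is None:
            creates.append(desired)
            continue
        changed = {f: v for f, v in desired.items() if current.get(f) != v}
        if changed:
            updates.append((current["Id"], changed))
    for key, user in managed.items():
        if key not in seen and user["IsActive"]:
            deactivates.append(user["Id"])
    return creates, updates, deactivates


if __name__ == "__main__":
    for action, items in zip(("create", "update", "deactivate"),
                             reconcile(AAD_ASSIGNED, SALESFORCE_USERS)):
        print(action, items)
```

With the constructed data, Carol is created, Dave is deactivated because his Azure AD account is disabled, Bob is deactivated because he is no longer assigned, Alice is unchanged, and the break-glass administrator is left alone because it has no Federation ID and therefore never falls into the provisioning scope.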
Concerns & Issues
Configuring SSO can be complicated: the identity must be mapped consistently on both sides, with the attribute Azure AD sends as NameID matching the Federation ID of the Salesforce user exactly, and a mismatch on a single user silently locks that user out. Licenses are required from both parties (Azure AD and Salesforce), so the setup is not cheap.