What is SSO?
SSO is an abbreviation of Single Sign-On. It is a method for granting users access to multiple applications with a single set of login credentials. Third-party software is used for the integration with Salesforce. SSO is extremely helpful for authenticating to multiple apps with the same details, and the third-party tool can be customized to fit your organization.
Why should we use SSO?
SSO is an amazing tool that offers its users both security and convenience. Here are some of the advantages it provides:
- The ability to log in using the credentials of any third party trusted by your Salesforce org.
- It eliminates the need to log in to every application separately.
- It allows users to move seamlessly between applications and the Salesforce org without repeated logins.
- SSO can be configured for the use case at hand, so that users can access the Salesforce org from a third-party application such as a corporate portal.
- You can set up SSO so that users log in to another application using your Salesforce org.
- You can configure an SSO chain, allowing users to log in to a third-party application to access Salesforce, and then use that access to log in to another org.
- It lets you configure a login experience that is less centralized, with users logging in to multiple apps using the same credentials.
This article explains how to set up SSO for Salesforce using an existing Azure AD setup.
Technical Design Diagram
Configuration of Azure AD
- Go to the menu in the left bar and select "Enterprise applications".
- Click the "New application" button (the one with a plus sign).
- Under Add from gallery, type "Salesforce" or "Salesforce sandbox".
The application name should reflect the organization type and purpose. For example, for a production org you might name it Salesforce SSO; for a development org, DEV1 SSO. Then click the Add button at the bottom of the screen.
Add AD Users to newly created Application Group
Make sure that all users who need Azure AD SSO already exist in Azure AD. If they do not, create them in Azure AD first.
- Navigate to Microsoft Azure Active Directory.
- Choose Properties from the application menu.
- Scroll to the bottom of the page. Under "User assignment required", select No and save. This lets every Azure AD user access the application. If you want access restricted, select Yes instead and use users and groups to control who can reach the application.
Configuration of Application
Go to the application menu and select Single sign-on. Click the SAML card.
- Click the edit pencil to open the Basic SAML Configuration settings.
- The text fields include Identifier (Entity ID) and Sign on URL. Both are required, and both take a URL of the form https://Mydomain.my.salesforce.com
- Click Save to store the settings; the cross button at the top right closes the screen.
- Click the edit icon in the User Attributes & Claims section.
- Click the edit icon next to the Name identifier value.
- I prefer to use the source attribute user.mail; save the changes and close the screen.
- In the section labeled SAML Signing Certificate there is a download link next to Certificate (Raw).
Configuration of Salesforce
- Sign in to Salesforce and click the gear icon to open Setup.
- Type single sign-on in Quick Find and press Enter.
- Click Edit, enable SAML and save the changes.
- Alternatively, upload the SAML XML metadata file from Azure AD; Salesforce then fills in the settings automatically.
- For SAML Identity Type, choose the option stating that the assertion contains the Federation ID from the User object.
- Click Save.
- Type Users in the Setup Quick Find.
- Edit each user's Federation ID field and enter that user's Azure AD email address.
- Repeat the same steps for all users.
- Log in to Salesforce.
- Type My Domain in Quick Find and open it.
- Under Authentication Configuration click Edit, check the name of the identity provider and save the changes. You can also deselect the Login Form if only users with a valid corporate login should get access.
- Sign out of Salesforce, or open an incognito browser window.
- Enter your My Domain URL in the browser, for example https://MyDomain.my.salesforce.com
- An Azure AD button appears below the login form. If you deselected the login form in the My Domain settings, only the Azure AD button is shown.
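The Azure AD and Salesforce steps above only work when the two sides agree on three values: the identity provider that issues the assertion, the Identifier (Entity ID) that Salesforce expects as the audience, and the NameID (taken from user.mail) that must equal a Federation ID on a Salesforce user. The script below is an added example, not code from the article, Azure AD or Salesforce: it parses a SAML response and reports every field that does not fit the configuration. The tenant id, entity ID, addresses and the response itself are constructed placeholders.

```python
"""Check a SAML response against the Azure AD / Salesforce SSO settings.

Added example. It confirms that Issuer, Audience (Entity ID), validity window
and NameID line up with the configured values. Signature verification is out
of scope here: a real service provider must verify the XML signature (for
example with python3-saml and xmlsec) before trusting any of these fields.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values mirroring the configuration steps (placeholders, not real).
IDP_ISSUER = "https://sts.windows.net/EXAMPLE-TENANT-ID/"
SP_ENTITY_ID = "https://mydomain.my.salesforce.com"
# Federation IDs as entered on the Salesforce User records (constructed).
FEDERATION_IDS = {"alice@example.com", "bob@example.com"}
# Fixed clock so the validity-window check is reproducible.
CHECK_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed, unsigned sample response; real responses carry a <ds:Signature>.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{SP_ENTITY_ID}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_saml_time(value):
    """SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_issuer, expected_audience, federation_ids, now):
    """Return a list of mismatches; an empty list means the assertion fits the configuration."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no <saml:Assertion>"]

    # Issuer must be the identity provider configured in Single Sign-On Settings.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured identity provider {expected_issuer!r}")

    # Audience must equal the Identifier (Entity ID) entered in Basic SAML Configuration.
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences!r} does not include the Entity ID {expected_audience!r}")

    # The assertion is only acceptable inside its NotBefore / NotOnOrAfter window.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no <saml:Conditions> validity window")
    else:
        not_before = _parse_saml_time(conditions.get("NotBefore"))
        not_on_or_after = _parse_saml_time(conditions.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            problems.append("assertion is not yet valid (NotBefore is in the future)")
        if not_on_or_after is not None and now >= not_on_or_after:
            problems.append("assertion has expired (NotOnOrAfter has passed)")

    # NameID (user.mail in Azure AD) must equal a Federation ID on a Salesforce user.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("assertion has no NameID; check the Name identifier claim in Azure AD")
    elif name_id not in federation_ids:
        problems.append(f"NameID {name_id!r} matches no Salesforce Federation ID")
    return problems


def check_sample():
    """Run the constructed sample through the check; returns [] when everything matches."""
    return check_assertion(SAMPLE_RESPONSE, IDP_ISSUER, SP_ENTITY_ID, FEDERATION_IDS, CHECK_TIME)


if __name__ == "__main__":
    for line in check_sample() or ["assertion matches the configured SSO settings"]:
        print(line)
```

When a user sees "Single Sign-On Error" after following the steps, running a captured response through a check like this tells you which of the three values is wrong, typically a Federation ID that was never entered or an Entity ID that differs from the My Domain URL.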
Process of Configuring automatic user account provisioning
- This section describes how to enable automatic provisioning of Azure Active Directory user accounts into Salesforce.
- In the Azure portal, open Azure Active Directory, click Enterprise applications and go to the All applications section.
- If Salesforce is already configured for single sign-on, use the search field to find your Salesforce instance. If there is no Salesforce instance yet, click Add, open the application gallery, search for Salesforce, select it and add it to the applications list.
- Select the Salesforce instance and open the Provisioning tab.
- Enter the following settings under the Admin Credentials section.
- a. Enter the Salesforce account name in the Admin Username box. The account must have an administrator profile assigned in salesforce.com.
- b. Enter that account's password in the box labeled Admin Password.
- To get the security token, open another tab and sign in with the Salesforce admin account. Your name is shown in the top right corner; clicking it takes you to the settings.
- In the left navigation pane, My Personal Information leads to the security token section.
- On the security token page, click Reset Security Token.
- The new security token is sent to the email address associated with the admin ID.
- Paste the token into the Secret Token field in the Azure AD window.
- If your Salesforce instance is on the Salesforce Government Cloud, you must enter the Tenant URL. Otherwise it is optional; enter it as https://<your-instance>.my.salesforce.com, replacing <your-instance> with the name of your Salesforce instance.
- In the Azure portal, click Test Connection to confirm that Azure AD can connect to the Salesforce app.
- In the Notification Email field, enter the email address of a person or group who should receive provisioning error notifications, and select the checkbox.
- Save the changes.
- Under the Mappings section you will find the option to synchronize Azure Active Directory users.
- Review the user attributes in the Attribute Mapping section. These are the attributes synchronized from Azure AD to Salesforce; the attributes marked as matching are used to match Azure AD users to Salesforce accounts for update operations. Do not forget to save the changes.
- To activate Azure AD provisioning, go to the Settings section and set the Provisioning Status to On.
- Save the changes.
Users must already exist in Azure AD, or be created there first. It is assumed that licenses for both Azure AD and Salesforce are already in place.
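Both the Federation ID step in the Salesforce configuration and the matching attribute in the provisioning mappings depend on the Azure AD mail value and the Salesforce Federation ID being identical for every user, and on no two Salesforce users sharing one Federation ID. The audit below is an added example, not code from the article, Azure AD or Salesforce; it takes two constructed exports (names, addresses and field values are placeholders, field names follow the Microsoft Graph user object and the Salesforce User object) and reports what would make SSO or provisioning fail, or link two Salesforce users to one identity. Case differences are flagged because Salesforce compares the Federation ID as an exact string unless the org's SSO settings have been changed to ignore case.

```python
"""Audit Federation IDs against Azure AD mail values before enabling provisioning.

Added example: compares a constructed Azure AD user export with a constructed
Salesforce user export and lists the inconsistencies an administrator must fix.
"""
from collections import Counter

# Constructed Azure AD export (placeholders; field names as in Microsoft Graph).
AZURE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "mail": "Bob@Example.com", "accountEnabled": True},
    {"userPrincipalName": "carol@example.com", "mail": None, "accountEnabled": True},
    {"userPrincipalName": "dave@example.com", "mail": "dave@example.com", "accountEnabled": False},
]

# Constructed Salesforce export (placeholders; field names as on the User object).
SALESFORCE_USERS = [
    {"Username": "alice@example.com.prod", "FederationIdentifier": "alice@example.com", "IsActive": True},
    {"Username": "bob@example.com.prod", "FederationIdentifier": "bob@example.com", "IsActive": True},
    {"Username": "erin@example.com.prod", "FederationIdentifier": "alice@example.com", "IsActive": True},
    {"Username": "frank@example.com.prod", "FederationIdentifier": "", "IsActive": True},
    {"Username": "dave@example.com.prod", "FederationIdentifier": "dave@example.com", "IsActive": True},
    {"Username": "heidi@example.com.prod", "FederationIdentifier": "heidi@example.com", "IsActive": True},
    {"Username": "grace@example.com.prod", "FederationIdentifier": "grace@example.com", "IsActive": False},
]


def audit_federation_ids(azure_users, sf_users):
    """Return a dict of findings keyed by problem type; all lists empty means the mapping is clean."""
    findings = {
        "missing_mail": [],             # Azure users with no mail, hence no NameID to send
        "no_federation_id": [],         # active Salesforce users that can never be matched
        "duplicate_federation_id": [],  # one identity mapped to several Salesforce users
        "case_mismatch": [],            # same address, different casing on the two sides
        "disabled_in_azure": [],        # Salesforce user whose Azure AD account is disabled
        "unmatched_federation_id": [],  # Federation ID with no Azure AD user at all
    }

    # Index Azure AD mail values case-insensitively so case differences can be reported separately.
    enabled_mail, disabled_mail = {}, {}
    for u in azure_users:
        mail = u.get("mail")
        if not mail:
            findings["missing_mail"].append(u["userPrincipalName"])
            continue
        bucket = enabled_mail if u.get("accountEnabled") else disabled_mail
        bucket[mail.lower()] = mail

    # Inactive Salesforce users cannot log in, so only active ones are audited.
    active = [u for u in sf_users if u.get("IsActive")]
    counts = Counter(u["FederationIdentifier"] for u in active if u.get("FederationIdentifier"))
    findings["duplicate_federation_id"] = sorted(fid for fid, n in counts.items() if n > 1)

    for u in active:
        fid = u.get("FederationIdentifier") or ""
        if not fid:
            findings["no_federation_id"].append(u["Username"])
            continue
        key = fid.lower()
        if key in enabled_mail:
            if enabled_mail[key] != fid:
                findings["case_mismatch"].append((u["Username"], fid, enabled_mail[key]))
        elif key in disabled_mail:
            findings["disabled_in_azure"].append(u["Username"])
        else:
            findings["unmatched_federation_id"].append(u["Username"])
    return findings


def audit_sample():
    """Run the audit over the constructed exports."""
    return audit_federation_ids(AZURE_USERS, SALESFORCE_USERS)


if __name__ == "__main__":
    for kind, items in audit_sample().items():
        print(f"{kind}: {items if items else 'none'}")
```

Run this against real exports before setting the provisioning status to On: a duplicate Federation ID is the finding to treat as a security issue, since it means one corporate identity can sign in as more than one Salesforce user.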
Concerns & Issues
Configuring SSO can be complicated, and the user identity must be mapped consistently on both the identity provider and the service provider side. It also requires licenses from both parties and is therefore not cost-effective.