Setup JIT SSO in salesforce using AAD as IDP

        Configure Azure AD SSO

  1. Create an Azure AD subscription using link Free AAD Account
  2. Adding Salesforce from the gallery:
    • Click on Azure Active Directory service

    • On the left navigation pane, select the Enterprise Applications and then select All Applications.


    • To add new application, select New application. From the options that appear, you need to select the relevant option according to your organization. After that, click Create button
  3. Create an Azure AD test user:
    1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
    2. Select New user at the top of the screen. In the Name field, enter desired name. Select the Show password check box, and then write down the value that's displayed in the Password box. Click Create.
  4. Assign the Azure AD test user:
    1. In the Azure portal, select Enterprise Applications, and then select All applications
    2. In the Azure portal, select Enterprise Applications, and then select All applications
    3. In the app's overview page, find the Manage section and select Users and groups
    4. Click on Add user/group

    5. Select Add user, then select Users and groups in the Add Assignment dialog
    6. In the Users and groups dialog, select the created user from the Users list, then click the Select button at the bottom of the screen
    7. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
    8. In the Add Assignment dialog, click the Assign button.

    9. Follow these steps to enable Azure AD SSO in the Azure portal.

      1. In the Azure portal, on the Salesforce application integration page, find the Manage section and select single sign-on.

      2. On the Select a single sign-on method page, select SAML.

      3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.

        Edit Basic SAML Configuration

      4. On the Basic SAML Configuration section, enter the values for the following fields:

        a. In the Identifier textbox, type the value using the following pattern:

        Enterprise account: https://<subdomain>.my.salesforce.com

        Developer account: https://<subdomain>-dev-ed.my.salesforce.com

        b. In the Reply URL textbox, type the value using the following pattern:

        Enterprise account: https://<subdomain>.my.salesforce.com

        Developer account: https://<subdomain>-dev-ed.my.salesforce.com

        c. In the Sign-on URL textbox, type the value using the following pattern:

        Enterprise account: https://<subdomain>.my.salesforce.com

        Developer account: https://<subdomain>-dev-ed.my.salesforce.com

      5. The Salesforce application expects specific SAML assertions, which requires you to have specific attributes in your SAML token attributes configuration.

        If you still have issues with getting users provisioned with SAML JIT, refer Just-in-Time Provisioning Requirements and SAML Assertion Fields

      6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.The Certificate download link

      7. On the Set up Salesforce section, copy the appropriate URL(s) based on your requirement.Copy configuration URLs

      Configure Salesforce SSO

  1. Click on the Setup under settings icon on the top right corner of the page.

    Configure Single Sign-On settings icon

  2. Scroll down to the SETTINGS in the navigation pane, click Identity to expand the related section. Then click Single Sign-On Settings.

    Configure Single Sign-On Settings

  3. On the Single Sign-On Settings page, click the Edit button.

    Configure Single Sign-On Edit


  4. Select SAML Enabled, and then click Save.

    Configure Single Sign-On SAML Enabled

  5. To configure your SAML single sign-on settings, click New from Metadata File.

    Configure Single Sign-On New from Metadata File

  6. Click Choose File to upload the metadata XML file which you have downloaded from the Azure portal and click Create.

    Configure Single Sign-On Choose File

  7. On the SAML Single Sign-On Settings page, fields populate automatically, select the User Provisioning Enabled and select SAML Identity Type as Assertion contains the Federation ID from the User object. Click SaveConfigure Single Sign-On User Provisioning Enabled

  8. On the left navigation pane in Salesforce, click Company Settings to expand the related section, and then click My Domain.Configure Single Sign-On My Domain

  9. Scroll down to the Authentication Configuration section, and click the Edit button.

    Configure Single Sign-On Authentication Configuration

  10. In the Authentication Configuration section, Check the Login Page and AzureSSO as Authentication Service of your SAML SSO configuration, and then click Save.

    Configure Single Sign-On Authentication Service

Test SSO

In this section, you test your Azure AD single sign-on configuration with following options.

  • Click on Test this application in Azure portal. This will redirect to Salesforce Sign-on URL where you can initiate the login flow.

  • Go to Salesforce Sign-on URL directly and initiate the login flow from there.

  • You can use Microsoft My Apps. When you click the Salesforce tile in the My Apps portal, you should be automatically signed in to the Salesforce for which you set up the SSO.

 

Comments

Post a Comment