Salesforce SSO with Azure Active Directory

In this session we talk about how to implement Azure Active Directory Seamless Single Sign-On with Salesforce. We also cover delegated authentication and federated authentication (SAML) SSO.

What is Azure Active Directory?

Azure Active Directory is Microsoft’s multi-tenant, cloud-based directory and identity management service. Let’s see how Azure Active Directory single sign-on (SSO) integrates with Salesforce.

Different ways to implement Single Sign-on in Salesforce

There are three mechanisms which can be used to achieve this in Salesforce.

  1. Delegated authentication
  2. Federated Authentication
    • SP-Initiated SAML
    • IDP-Initiated SAML
  3. OpenID Connect

Learn more about Single Sign-on Between Two Salesforce Orgs.

IDP INITIATED FLOW

  • The user logs in to the Identity Provider with their credentials.
  • The user clicks the link for the org they want to access.
  • A SAML assertion is sent to the Salesforce server carrying the Federation ID, the Username or a custom attribute.

SP INITIATED FLOW

User experience: The most apparent benefit is that users can move between services securely and without interruption, without entering their credentials each time.

Security: The user’s credentials are provided directly to the central SSO server, not to the actual service the user is trying to access, so the service cannot cache them.

Resource saving: IT administrators save time and resources by using a central web access management application.

Prerequisites for Azure AD SSO

  • An Azure AD subscription. Get a free account.
  • Salesforce Org with SSO enabled.

Salesforce SSO with Azure Active Directory Video

Check the video below for a step-by-step process and a complete guide.

YouTube video

You can refer to this guide for the blog post.

Summary

See Configure an Azure AD Authentication Provider for the OpenID Connect flow.

Amit Chaudhary

Amit Chaudhary is a Salesforce Application & System Architect and has been working on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and holds 17 Salesforce certificates.

He is an active blogger and the founder of Apex Hours.


One comment

  1. Hi,

    I am facing a Salesforce SSO issue (with Azure) for a few users, as below:

    Issue-1:

    Last recorded SAML login failure: 2023-10-12T12:42:21.350Z
    Unexpected Exceptions
    Ok
    1. Validating the Status
    Ok
    2. Looking for an Authentication Statement
    Ok
    3. Looking for a Conditions statement
    Ok
    4. Checking that the timestamps in the assertion are valid
    Ok
    5. Checking that the Attribute namespace matches, if provided
    Not Provided
    6. Miscellaneous format confirmations
    The InResponseTo value is invalid or expired
    7. Confirming Issuer matches

    Issue-2:

    Ok
    1. Validating the Status
    Ok
    2. Looking for an Authentication Statement
    Ok
    3. Looking for a Conditions statement
    Ok
    4. Checking that the timestamps in the assertion are valid
    Timestamp of the response is outside of allowed time window
    Current time is: 2023-10-12T12:40:49.464Z
    Timestamp is: 2023-10-12T12:28:33.595Z
    Allowed skew in milliseconds is 480000
    Timestamp of the assertion is outside of allowed time window
    Current time is: 2023-10-12T12:40:49.464Z
    Timestamp is: 2023-10-12T12:28:33.592Z
    Allowed skew in milliseconds is 480000
    5. Checking that the Attribute namespace matches, if provided
    Not Provided
    6. Miscellaneous format confirmations
    The InResponseTo value is invalid or expired
    7. Confirming Issuer matches
    Ok
    8. Confirming a Subject Confirmation was provided and contains valid timestamps
    Ok
    9. Checking that the Audience matches
    Ok
    10. Checking the Recipient
    Ok
    11. Validating the Signature
    Unknown
    Is the response signed? false
    Is the assertion signed? true
    Is the correct certificate supplied in the keyinfo? true
    12. Checking that the Site URL Attribute contains a valid site url, if provided
    Not Provided
    13. Looking for portal and Organization ID, if provided
    Not Provided
    14. Checking if session security level is valid, if provided
    Ok

    Please help me to understand.
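The two failures in the comment above (an assertion issued more than the allowed 480000 ms before the current time, and an InResponseTo value that no longer matches an outstanding request) are exactly the checks a Service Provider performs on a federated (SAML) login, and they also show the practical difference between the IDP-initiated and SP-initiated flows described earlier: an IDP-initiated Response carries no InResponseTo, while an SP-initiated one must reference an AuthnRequest the SP actually sent. The Python below is an added example, not Salesforce or Azure AD code and not a reconstruction of the Salesforce validator's implementation; it runs the same categories of check over a constructed, unsigned Response. The Azure tenant URL, org ID, Recipient URL, user and request IDs are invented placeholders, and XML signature verification is deliberately left out (a real SP must verify the assertion signature before trusting any of these values).

```python
"""Minimal SAML 2.0 Response checks of the kind the Salesforce SAML Assertion
Validator reports: status, IssueInstant clock skew, Conditions window,
InResponseTo, Issuer, Audience and Recipient. Added example with constructed
data; signature verification is out of scope."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical Service Provider expectations (placeholder tenant and org values)
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://saml.salesforce.com"
EXPECTED_RECIPIENT = "https://login.salesforce.com/?so=00D000000000000"
ALLOWED_SKEW_MS = 480000  # the 8-minute window shown in the comment's log


def parse_instant(text):
    """Parse an xs:dateTime such as 2023-10-12T12:28:33.595Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def within_skew(timestamp, now, skew_ms=ALLOWED_SKEW_MS):
    """True when |now - timestamp| is inside the allowed clock skew."""
    return abs((now - timestamp).total_seconds()) * 1000 <= skew_ms


def validate_response(xml_text, now, outstanding_request_ids):
    """Return {check: result} for a Response. outstanding_request_ids holds the IDs
    of AuthnRequests this SP sent (SP-initiated); an IDP-initiated Response has none."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    results = {}
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    results["status"] = "Ok" if status == SUCCESS else f"Status {status}"
    results["authn_statement"] = "Ok" if assertion.find("saml:AuthnStatement", NS) is not None else "Missing"
    results["conditions"] = "Ok" if conditions is not None else "Missing"
    # Response and Assertion IssueInstant must each be within the skew of "now"
    for name, el in (("response", root), ("assertion", assertion)):
        ts = parse_instant(el.get("IssueInstant"))
        results[f"{name}_timestamp"] = "Ok" if within_skew(ts, now) else (
            f"Timestamp of the {name} is outside of allowed time window")
    skew = timedelta(milliseconds=ALLOWED_SKEW_MS)
    nb, noa = parse_instant(conditions.get("NotBefore")), parse_instant(conditions.get("NotOnOrAfter"))
    results["conditions_window"] = "Ok" if nb - skew <= now < noa + skew else "Outside Conditions window"
    # InResponseTo: absent for IDP-initiated; otherwise must match a pending request, used once
    in_resp = root.get("InResponseTo")
    if in_resp is None:
        results["in_response_to"] = "Ok (IDP-initiated, unsolicited)"
    elif in_resp in outstanding_request_ids:
        outstanding_request_ids.discard(in_resp)  # consume it so a replayed Response fails
        results["in_response_to"] = "Ok"
    else:
        results["in_response_to"] = "The InResponseTo value is invalid or expired"
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    results["issuer"] = "Ok" if issuer == EXPECTED_ISSUER else f"Issuer mismatch: {issuer}"
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    results["audience"] = "Ok" if audience == EXPECTED_AUDIENCE else f"Audience mismatch: {audience}"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    results["recipient"] = "Ok" if scd is not None and scd.get("Recipient") == EXPECTED_RECIPIENT else "Recipient mismatch"
    results["subject"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return results


def sample_response(issue_instant, in_response_to=None):
    """Constructed, unsigned Azure AD-style Response for demonstration only."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{issue_instant}" Destination="{EXPECTED_RECIPIENT}"{irt}>
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}" NotOnOrAfter="2023-10-12T12:45:00.000Z"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-10-12T12:23:00.000Z" NotOnOrAfter="2023-10-12T13:28:00.000Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{issue_instant}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Replays Issue-2: "Current time" 12:40:49.464Z against an assertion issued 12:28:33.595Z
    now = parse_instant("2023-10-12T12:40:49.464Z")
    for check, result in validate_response(sample_response("2023-10-12T12:28:33.595Z"), now, set()).items():
        print(f"{check}: {result}")
```

Running it reproduces the comment's second failure: the assertion is 736 seconds old, well past the 480-second skew, so both IssueInstant checks fail even though the Conditions window itself is still open. The InResponseTo branch shows why that failure is common after a login page has been left open or a Response is reposted: the SP has already consumed or expired the request ID, so only a fresh SP-initiated round trip (or an IDP-initiated Response with no InResponseTo) is accepted.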
