In this session we look at how to implement Azure Active Directory (Azure AD) single sign-on with Salesforce. We also cover the two ways Salesforce can trust an external login: delegated authentication and federated authentication (SAML) SSO.
What is Azure Active Directory?
Azure Active Directory is Microsoft's multi-tenant, cloud-based directory and identity management service. Let's see how Azure Active Directory single sign-on (SSO) integrates with Salesforce.
Different ways to implement Single Sign-on in Salesforce
There are three mechanisms that can be used to achieve this in Salesforce (the two SAML flows are variants of federated authentication, not separate mechanisms):
- Delegated authentication (Salesforce forwards the username and password to a web service you host, which answers true or false)
- Federated authentication (SAML), in either of two flows:
  - SP-initiated SAML
  - IdP-initiated SAML
- OpenID Connect
Learn more about Single Sign-on Between Two Salesforce Orgs.
IDP INITIATED FLOW
- The user logs in to the identity provider (Azure AD) with their credentials.
- The user clicks the link or tile for the Salesforce org they want to access.
- The IdP sends a SAML assertion to the Salesforce server that identifies the user by Federation ID, username, or a custom attribute (whichever the org's SAML settings specify); Salesforce validates the assertion and starts the session. Because Salesforce did not request this assertion, the response carries no InResponseTo value, and the signature check is the only thing tying it to the trusted IdP.
SP INITIATED FLOW
- The user goes directly to the Salesforce login page for the org (its My Domain URL).
- Salesforce generates a SAML authentication request (AuthnRequest) with a unique ID and redirects the user's browser to the identity provider with it.
- The user authenticates at the IdP, or is passed through if an IdP session already exists.
- The IdP posts a signed SAML response to the Salesforce assertion consumer service; its InResponseTo must match the ID of the outstanding AuthnRequest, and Salesforce then validates the assertion and logs the user in.
BENEFITS OF SINGLE SIGN-ON
User experience: The most apparent benefit is that users can move between services securely and without interruption, without entering their credentials each time.
Security: The user's credentials are presented only to the central SSO server (the identity provider), never to the service the user is trying to access, so the service cannot store or cache them.
Resource saving: IT administrators save time and resources by managing access centrally through one web access management service.
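The SAML exchange described above, reduced to a runnable script, as an added example that is not code from the original post and not Salesforce or Microsoft code: the service provider issues an AuthnRequest ID, a stand-in IdP builds the SAML response, and the SP runs the same checks the Salesforce SAML validator reports (status, statements, timestamp skew, InResponseTo, issuer, subject confirmation, recipient, audience, signature presence). The entity ID, ACS URL, issuer string, request lifetime, 8-minute skew window and every timestamp are assumed or constructed; the signature is only checked for presence, since real verification needs XML-DSig and the IdP certificate from federation metadata.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed values (no real org or tenant): a Salesforce My Domain as entity ID/audience, its ACS URL as Recipient, an Azure AD-style issuer.
SP_ENTITY_ID = "https://example-org.my.salesforce.com"
ACS_URL = "https://example-org.my.salesforce.com?so=00D000000000001"
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
ALLOWED_SKEW = timedelta(milliseconds=480_000)  # the 8-minute clock skew Salesforce allows
REQUEST_TTL = timedelta(minutes=8)              # assumed lifetime of an issued AuthnRequest ID
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
DS, SUCCESS = "http://www.w3.org/2000/09/xmldsig#", "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}

def iso(dt): return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
def parse_iso(text): return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

class ServiceProvider:  # Salesforce side: remembers issued AuthnRequest IDs for the InResponseTo check
    def __init__(self): self.pending = {}  # AuthnRequest ID -> expiry
    def build_authn_request(self, now):  # the AuthnRequest XML itself is not needed for this example
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = now + REQUEST_TTL
        return req_id

def idp_build_response(request_id, issued_at, federation_id, sign_assertion=True):
    """IdP side (stand-in for Azure AD). <ds:Signature> is an empty placeholder: a real IdP
    emits XML-DSig here and a real SP verifies it against the certificate in IdP metadata."""
    in_resp = f' InResponseTo="{request_id}"' if request_id else ""  # absent => IdP-initiated
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if sign_assertion else ""
    not_after = iso(issued_at + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r{uuid.uuid4().hex}"
    Version="2.0" IssueInstant="{iso(issued_at)}" Destination="{ACS_URL}"{in_resp}>
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a{uuid.uuid4().hex}" Version="2.0" IssueInstant="{iso(issued_at)}">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>{federation_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{in_resp} Recipient="{ACS_URL}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{iso(issued_at)}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{iso(issued_at)}"/>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(sp, response_xml, now):
    """SP-side checks, roughly in the order Salesforce's validator lists them; returns (ok, failures)."""
    failures, root = [], ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no assertion"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failures.append("status is not Success")
    for path, problem in (("saml:AuthnStatement", "no AuthnStatement"), ("saml:Conditions", "no Conditions")):
        if assertion.find(path, NS) is None:
            failures.append(problem)
    for label, element in (("response", root), ("assertion", assertion)):
        when = parse_iso(element.get("IssueInstant"))
        if abs(now - when) > ALLOWED_SKEW:
            failures.append(f"{label} timestamp {iso(when)} outside allowed window at {iso(now)}")
    req_id = root.get("InResponseTo")
    if req_id is not None:  # absent means unsolicited (IdP-initiated), which Salesforce accepts
        expiry = sp.pending.pop(req_id, None)  # consumed on first use, so a replay fails here
        if expiry is None or expiry < now:
            failures.append("InResponseTo value is invalid or expired")
    if (root.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER
            or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER):
        failures.append("issuer mismatch")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or parse_iso(scd.get("NotOnOrAfter")) <= now:
        failures.append("subject confirmation missing or expired")
    elif scd.get("Recipient") != ACS_URL:
        failures.append("recipient mismatch")
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        failures.append("audience mismatch")
    if assertion.find("ds:Signature", NS) is None:  # presence only; see idp_build_response
        failures.append("assertion is not signed")
    return not failures, failures

def run_scenarios():
    """Constructed runs: a fresh login, a replay of the same response, a stale response, an unsigned unsolicited one."""
    t0 = datetime(2023, 10, 12, 12, 28, 33, 592000, tzinfo=timezone.utc)  # constructed clock
    sp = ServiceProvider()
    req_id = sp.build_authn_request(t0)
    resp = idp_build_response(req_id, t0 + timedelta(seconds=1), "jdoe@example.com")
    results = {"fresh": validate_response(sp, resp, t0 + timedelta(seconds=3)),
               "replayed": validate_response(sp, resp, t0 + timedelta(seconds=4))}
    sp = ServiceProvider()
    req_id = sp.build_authn_request(t0)
    results["stale"] = validate_response(sp, idp_build_response(req_id, t0, "jdoe@example.com"),
                                         datetime(2023, 10, 12, 12, 40, 49, 464000, tzinfo=timezone.utc))
    results["unsigned"] = validate_response(ServiceProvider(), idp_build_response(None, t0, "jdoe@example.com", False), t0)
    return results

if __name__ == "__main__":
    for name, (ok, failures) in run_scenarios().items():
        print(name, "OK" if ok else failures)
```

Running it shows why a re-posted response and a response that arrives about twelve minutes after it was issued both fail with "InResponseTo value is invalid or expired" alongside the timestamp errors: the request ID is consumed on first use and expires after a short lifetime, so a stale or replayed response cannot be matched to a live request. The unsigned unsolicited case passes every other check, which is the reason signature verification (here reduced to a presence check) must never be optional for IdP-initiated logins.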
Prerequisites for Azure AD SSO
- An Azure AD subscription. Get a free account.
- A Salesforce org with SSO enabled (a My Domain is required for the SP-initiated flow).
Salesforce SSO with Azure Active Directory Video
Check the video below for the step-by-step process and a complete guide.
You can refer to this guide for the blog post.
Summary
For the OpenID Connect flow, check Configure an Azure AD Authentication Provider.
Hi,
I am facing a Salesforce SSO issue (with Azure) for a few users, as below:
Issue-1:
Last recorded SAML login failure: 2023-10-12T12:42:21.350Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Ok
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
The InResponseTo value is invalid or expired
7. Confirming Issuer matches
Issue-2:
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Timestamp of the response is outside of allowed time window
Current time is: 2023-10-12T12:40:49.464Z
Timestamp is: 2023-10-12T12:28:33.595Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2023-10-12T12:40:49.464Z
Timestamp is: 2023-10-12T12:28:33.592Z
Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
The InResponseTo value is invalid or expired
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
11. Validating the Signature
Unknown
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and Organization ID, if provided
Not Provided
14. Checking if session security level is valid, if provided
Ok
Please help me understand.