
Tutorial: Azure AD integration with Salesforce

Published: July 8, 2013

Updated: April 15, 2014

Applies To: Azure


For more information about this topic, see Best Practices for Managing the Application access enhancements for Windows Azure Active Directory.

The objective of this tutorial is to show the integration of Windows Azure and Salesforce. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Windows Azure subscription

  • A test tenant in Salesforce.com

If you don’t have a valid tenant in Salesforce.com yet, you can, for example, sign up for a trial account at the developerforce web site; those trial accounts have the Salesforce API that is required to configure the integration enabled.

Important
To complete the scenario outlined in this tutorial with a trial account, you can only use trial accounts obtained from the developerforce web site.

Trial accounts obtained from the www.salesforce.com website do not enable the APIs required for integration with Windows Azure AD until they are purchased.

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for Salesforce

  2. Configuring user provisioning

  3. Configuring single sign-on

The objective of this section is to outline how to enable the application integration for Salesforce.

  1. In the Windows Azure Management Portal, on the left navigation pane, click Active Directory.

    [Screenshot: Active Directory]
  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

    [Screenshot: Applications]
  4. To open the Application Gallery, click Add An App, and then click Add an application for my organization to use.

    [Screenshot: What do you want to do?]
  5. In the search box, type Salesforce.

    [Screenshot: Application Gallery]
  6. In the results pane, select Salesforce, and then click Complete to add the application.

    [Screenshot: Salesforce]

The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to Salesforce.
As part of this procedure, you are required to provide a user security token, which you must request from Salesforce.com.

The following screenshot shows an example of the related dialog in Windows Azure AD:

[Screenshot: Configure User Provisioning]

  1. In the Salesforce portal, in the top navigation bar, select your name to expand your user menu:

    [Screenshot: My Settings]
  2. From your user menu, select My Settings to open your My Settings page.

  3. In the left pane, click Personal to expand the Personal section, and then click Reset My Security Token:

    [Screenshot: My Settings]
  4. On the Reset My Security Token page, click Reset Security Token to request an email that contains your Salesforce.com security token.

    [Screenshot: New Token]
  5. Check your email inbox for an email from Salesforce.com with “salesforce.com security confirmation” as subject.

  6. Review this email and copy the security token value.

  7. In the Windows Azure Management Portal, on the salesforce application integration page, click Configure user provisioning to open the Configure User Provisioning dialog.

  8. On the Enter your Salesforce credentials to enable automatic user provisioning page, provide the following configuration settings:

    1. In the Salesforce Admin User Name textbox, type a Salesforce account name that has the System Administrator profile in Salesforce.com assigned.

    2. In the Salesforce Admin Password textbox, type the password for this account.

    3. In the User Security Token textbox, paste the security token value.

    4. Click validate to verify your configuration.

      [Screenshot: Successfully verified credentials]
    5. Click the Next button to open the Confirmation page.

  9. On the Confirmation page, click the checkmark to save your configuration.

You can now create a test account, wait 10 minutes, and verify that the account has been synchronized to Salesforce.com.

The objective of this section is to outline how to enable users to authenticate to Salesforce with their account in Windows Azure AD using federation based on the SAML protocol.
As part of this procedure, you are required to upload a certificate to Salesforce.com.

The following screenshot shows an example of the related dialog in Windows Azure AD:

[Screenshot: Configure Single Sign-On]

  1. Login to your Salesforce tenant.

  2. In the navigation pane on the left side of the page, click Company Profile to expand this section, and then click Company Information.

    [Screenshot: Company Information]
  3. On the Company Information page, copy the value for the Salesforce.com Organization ID.

    [Screenshot: Company Information]
  4. In the Windows Azure AD portal, on the salesforce application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.

  5. On the Select the single sign-on mode for this app page, select Users authenticate with their account in Windows Azure AD, and then click Next.

    [Screenshot: Configure Single Sign On]
  6. On the Configure SAML Federation configuration page, in the Salesforce Organization ID textbox, paste the value of the Salesforce.com Organization ID, and then click Next.

  7. On the Configure single sign-on at Salesforce page, to download your certificate, click Download certificate, and then save the certificate file locally as c:\salesforce.cer.

    [Screenshot: Configure Single Sign-On]
  8. On your Salesforce tenant, in the Administer section, click Security Controls to expand the related section.

  9. Click Single Sign-On Settings to open the Single Sign-On Settings page.

    [Screenshot: Administer]
  10. Click Edit.

    [Screenshot: Single Sign-On Settings]
  11. Select SAML Enabled, and then click Save.

    [Screenshot: SAML Enabled]
  12. To configure your SAML single sign-on settings, click New:

    [Screenshot: SAML Single Sign-On Settings]
  13. On the SAML Single Sign-On Setting Edit page, perform the following steps:

    [Screenshot: SAML Single Sign-On Setting]
    1. In the Name textbox, type your SSO setting name, for example, the name of your company.
      Providing a value for Name automatically populates the API Name textbox.

      Note
      For more details about the API Name field, see the help by clicking the icon next to the textbox.

    2. In the Issuer textbox, type k2o9vydyKHEZWTAJYVCH.

    3. In the Entity Id textbox, type https://saml.salesforce.com.

    4. Select Assertion contains User's salesforce.com username as SAML Identity Type.

    5. Select Identity is in the NameIdentifier element of the Subject statement as SAML Identity Location.

    6. Click Browse to open the Choose File to Upload dialog, select your Salesforce certificate, and then click Open to upload the certificate.

    7. Click Save to apply your SAML single sign-on settings.

      Note
      There is no need to provide values for the Identity Provider Login URL and the Identity Provider Logout URL.

  14. On the SAML Single Sign-On Setting page, verify that the values of the Salesforce Login URL and the OAuth 2.0 Token Endpoint parameters match your Organization ID.

    [Screenshot: SAML Single Sign-On Setting]
  15. In the Windows Azure AD portal, on the Configure single sign-on at Salesforce page, click Complete to finish the single sign-on configuration.

You can now go to the Access Panel and test single sign-on to Salesforce.

Tip
To avoid running into latency issues, you should wait for 10 minutes before testing single sign-on.
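When single sign-on fails after the steps above, the usual cause is a mismatch between what Windows Azure AD puts in the SAML assertion and the values entered in the Salesforce SAML Single Sign-On Setting (Issuer, Entity Id, identity in the Subject NameID). The following script is an added example, not part of this tutorial or of either product; it checks a decoded SAML response against those three settings and the assertion validity window. The response it parses is constructed sample data, and the user name in it is an assumption.

```python
# Added example: compare a decoded SAML response with the Salesforce SSO setting
# configured above. The sample response is constructed, not captured from Azure AD.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EXPECTED_ISSUER = "k2o9vydyKHEZWTAJYVCH"           # value typed in the Issuer textbox
EXPECTED_AUDIENCE = "https://saml.salesforce.com"  # value typed in the Entity Id textbox

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://login.salesforce.com">
  <saml:Issuer>k2o9vydyKHEZWTAJYVCH</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>k2o9vydyKHEZWTAJYVCH</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@contoso.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-04-15T10:00:00Z" NotOnOrAfter="2014-04-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_utc(ts):
    """Parse a SAML UTC timestamp such as 2014-04-15T10:05:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_assertion(xml_text, now_iso, expected_issuer=EXPECTED_ISSUER,
                    expected_audience=EXPECTED_AUDIENCE):
    """Return the list of mismatches against the Salesforce SSO setting; empty means consistent."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match the configured Issuer {expected_issuer!r}")
    audiences = [(a.text or "").strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity Id {expected_audience!r}")
    # SAML Identity Location: the username must sit in the NameID of the Subject statement
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID; Salesforce expects the username there")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and _parse_utc(now_iso) >= _parse_utc(cond.get("NotOnOrAfter")):
        problems.append("assertion expired (NotOnOrAfter is in the past); check clock skew")
    return problems
```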
