Tutorial: Azure AD integration with Salesforce

Published: July 8, 2013

Updated: August 27, 2014

Applies To: Azure

For more information about this topic, see Best Practices for Managing the Application access enhancements for Azure Active Directory.

The objective of this tutorial is to show the integration of Azure and Salesforce. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Azure subscription

  • A test tenant in Salesforce.com

If you don’t have a valid tenant in Salesforce.com yet, you can, for example, sign up for a trial account at the developerforce web site. Trial accounts from that site have the Salesforce API enabled that is required to configure the integration.

To complete the scenario outlined in this tutorial with a trial account, you can only use trial accounts obtained from the developerforce web site.

Trial accounts obtained from the www.salesforce.com website do not have the APIs required for integration with Azure AD enabled until they are purchased.

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for Salesforce

  2. Configuring user provisioning

  3. Configuring single sign-on

The objective of this section is to outline how to enable the application integration for Salesforce.

  1. In the Azure Management Portal, on the left navigation pane, click Active Directory.

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

  4. Click Add at the bottom of the page.

  5. On the What do you want to do dialog, click Add an application from the gallery.

  6. In the search box, type Salesforce.

  7. In the results pane, select Salesforce, and then click Complete to add the application.


The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to Salesforce.
As part of this procedure, you must provide a user security token, which you request from Salesforce.com.

The following screenshot shows an example of the related dialog in Azure AD:

Configure User Provisioning

  1. In the Salesforce portal, in the top navigation bar, select your name to expand your user menu:

  2. From your user menu, select My Settings to open your My Settings page.

  3. In the left pane, click Personal to expand the Personal section, and then click Reset My Security Token:

  4. On the Reset My Security Token page, click Reset Security Token to request an email that contains your Salesforce.com security token.

  5. Check your email inbox for an email from Salesforce.com with “salesforce.com.com security confirmation” as subject.

  6. Review this email and copy the security token value.

  7. In the Azure Management Portal, on the Salesforce application integration page, click Configure user provisioning to open the Configure User Provisioning dialog.

  8. On the Enter your Salesforce credentials to enable automatic user provisioning page, provide the following configuration settings:

    1. In the Salesforce Admin User Name textbox, type the name of a Salesforce account that has the System Administrator profile assigned in Salesforce.com.

    2. In the Salesforce Admin Password textbox, type the password for this account.

    3. In the User Security Token textbox, paste the security token value.

    4. Click validate to verify your configuration.

    5. Click the Next button to open the Confirmation page.

  9. On the Confirmation page, click the checkmark to save your configuration.

You can now create a test account, wait for 10 minutes and verify that the account has been synchronized to Salesforce.com.

The objective of this section is to outline how to enable users to authenticate to Salesforce with their account in Azure AD using federation based on the SAML protocol.
As part of this procedure, you are required to upload a certificate to Salesforce.com.

  1. Log in to your Salesforce tenant.

  2. In the navigation pane on the left side of the page, click Company Profile to expand this section, and then click Company Information.

  3. On the Company Information page, copy the value for the Salesforce.com Organization ID.

  4. In the Azure AD portal, on the Salesforce application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.

  5. On the How would you like users to sign on to Salesforce page, select Windows Azure AD Single Sign-On, and then click Next.

  6. On the Configure App URL page, in the Salesforce Tenant URL textbox, type your URL using the following pattern "https://<tenant-name>.salesforce.com", and then click Next.

  7. On the Configure single sign-on at Salesforce page, to download your certificate, click Download certificate, and then save the certificate file locally as c:\salesforce.cer.

  8. On your Salesforce tenant, in the Administer section, click Security Controls to expand the related section.

  9. Click Single Sign-On Settings to open the Single Sign-On Settings page.

  10. Click Edit.

  11. Select SAML Enabled, and then click Save.

  12. To configure your SAML single sign-on settings, click New:

  13. On the SAML Single Sign-On Setting Edit page, perform the following steps:

    1. In the Name textbox, type your SSO setting name, for example, the name of your company.
      Providing a value for Name automatically populates the API Name textbox.

      For more details about the API Name field, see the help by clicking the icon next to the textbox.

    2. In the Issuer textbox, type k2o9vydyKHEZWTAJYVCH.

    3. In the Entity Id textbox, type https://saml.salesforce.com.

    4. Select Assertion contains User's salesforce.com username as SAML Identity Type.

    5. Select Identity is in the NameIdentifier element of the Subject statement as SAML Identity Location.

    6. Click Browse to open the Choose File to Upload dialog, select your Salesforce certificate, and then click Open to upload the certificate.

    7. Click Save to apply your SAML single sign-on settings.

      There is no need to provide values for the Identity Provider Login URL and the Identity Provider Logout URL.

  14. On the SAML Single Sign-On Setting page, verify that the values of the Salesforce Login URL and the OAuth 2.0 Token Endpoint parameters match your Organization ID.

  15. On the Azure AD portal, select the single sign-on configuration confirmation, and then click Complete to close the Configure Single Sign On dialog.

You can now go to the Access Panel and test single sign-on to Salesforce.

To avoid running into latency issues, you should wait for 10 minutes before testing single sign-on.
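
The settings entered in step 13 correspond to fields of the SAML assertion that Salesforce receives at sign-on. The following is an added example, not part of the original tutorial or of Microsoft's or Salesforce's code, showing how to check a captured assertion against those settings when single sign-on fails. It assumes a SAML 2.0 assertion in which the Entity Id appears as the Audience; the sample assertion and user@example.com are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values typed into the Salesforce SAML settings in step 13 of this tutorial.
ISSUER = "k2o9vydyKHEZWTAJYVCH"
ENTITY_ID = "https://saml.salesforce.com"

# Constructed, unsigned sample assertion; user@example.com is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2014-08-27T00:00:00Z">
  <saml:Issuer>k2o9vydyKHEZWTAJYVCH</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://saml.salesforce.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def settings_mismatches(assertion_xml, issuer=ISSUER, entity_id=ENTITY_ID):
    """List where an assertion disagrees with the configured SSO settings.

    This checks field mapping only. It does not verify the XML signature
    against the uploaded certificate, so it is not an authentication check.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    found_issuer = root.findtext("saml:Issuer", "", NS).strip()
    if found_issuer != issuer:
        problems.append("Issuer %r does not match %r" % (found_issuer, issuer))

    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Entity Id %r is not among Audience values %r"
                        % (entity_id, audiences))

    # SAML Identity Location: the username must be in the Subject's NameID.
    if not root.findtext("saml:Subject/saml:NameID", "", NS).strip():
        problems.append("Subject has no NameID carrying the Salesforce username")
    return problems


if __name__ == "__main__":
    print(settings_mismatches(SAMPLE) or "assertion matches the SSO settings")
```

An empty result only means the fields line up with the configuration; Salesforce still has to validate the assertion's signature with the certificate uploaded in step 13.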

© 2014 Microsoft