Export (0) Print
Expand All

Tutorial: Azure Active Directory integration with Salesforce

Published: July 8, 2013

Updated: August 25, 2011

Applies To: Azure

You can find a more recent version of this topic here.
This topic will be retired soon.

The objective of this tutorial is to show the integration of Azure and Salesforce.
The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Azure subscription

  • A test tenant in Salesforce.com

If you don’t have a valid tenant in Salesforce.com yet, you can, for example, sign up for a trial account at the developerforce web site, which has the Salesforce API that is required to configure the integration enabled.

To complete the scenario outlined in this tutorial with a trial account, you can only use trial accounts obtained from the developerforce web site.

All trial accounts obtained from the www.salesforce.com website do not enable the APIs required for integration with Azure AD until they are purchased.

This tutorial is complemented by the following videos:

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for Salesforce

  2. Configuring single sign-on

  3. Configuring user provisioning

  4. Assigning users

Configuration steps

The objective of this section is to outline how to enable the application integration for Salesforce.

  1. In the Azure Management Portal, on the left navigation pane, click Active Directory.

    Active Directory

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.


  4. Click Add at the bottom of the page.

    Add application

  5. On the What do you want to do dialog, click Add an application from the gallery.

    Add an application from gallerry

  6. In the search box, type Salesforce.

    Application Gallery

  7. In the results pane, select Salesforce, and then click Complete to add the application.


The objective of this section is to outline how to enable users to authenticate to Salesforce with their account in Azure AD using federation based on the SAML protocol.
As part of this procedure, you are required to upload a certificate to Salesforce.com.

In order to be able to configure single sign-on on your Salesforce tenant, you need to contact first the Salesforce technical support to get this feature enabled.

To configure single sign-on, you need to setup a custom Salesforce domain name yet. You need to define at least a domain name, test your domain name, and deploy it to your entire organization. For more details, see  Setting up a domain name.

  1. In the Azure AD portal, on the Salesforce application integration page, click Configure single sign-on to open the Configure Single Sign On  dialog.

    Configure single sign-on

  2. On the How would you like users to sign on to Salesforce page, select Windows Azure AD Single Sign-On, and then click Next.

    Configure Single Sign-On

  3. On the Configure App URL page, in the Salesforce Sign In URL textbox, type your domain URL using the pattern below, and then click Next

    • Enterprise account: https://<domain>.my.salesforce.com

    • Developer account: https://<domain>-dev-ed.my.salesforce.com

    If you haven't setup a custom Salesforce domain yet, see Setting up a domain name.

    Configure App URL

  4. On the Configure single sign-on at Salesforce page, to download your certificate, click Download certificate, and then save the certificate file locally on your computer.

    Configure single sign-on at Salesforce

  5. Log in to your Salesforce tenant.

  6. On your Salesforce tenant, in the Administer section, click Security Controls to expand the related section.

  7. Click Single Sign-On Settings to open the Single Sign-On Settings page.

    Single Sign-On Settings

  8. On the Single Sign-On Settings dialog page, click Edit.

    Single Sign-On Settings

  9. Select SAML Enabled, and then click Save.

    SAML Enabled

  10. To configure your SAML single sign-on settings, click New.

    SAML Single Sign-On Settings

  11. On the SAML Single Sign-On Setting Edit page, perform the following steps:

    SAML Single Sign-On Settings

    1. In the Name textbox, type your SSO setting name, for example, the name of your company.  Providing a value for Name does automatically populate the API Name textbox.

      For more details about the API Name field, see the help by clicking the icon next to the textbox.

    2. In the Azure portal, on the Configure single sign-on at Salesforce dialog page, copy the Issuer URL value, and then paste it into the Issuer textbox.

    3. In the Entity Id textbox, type your Salesforce domain name using the following pattern:

      • Enterprise account: https://<domain>.my.salesforce.com

      • Developer account: https://<domain>-dev-ed.my.salesforce.com

    4. Click Browse to open the Choose File to Upload dialog, select your Salesforce certificate, and then click Open to upload the certificate.

    5. Select Assertion contains User's salesforce.com username as SAML Identity Type.

    6. Select Identity is in the NameIdentifier element of the Subject statement as SAML Identity Location.

    7. In the Azure portal, on the Configure single sign-on at Salesforce dialog page, copy the Remote Login URL value, and then paste it into the Identity Provider Login URL textbox.

    8. Select HTTP Redirect for Service Provider Initiated Request Binding (this option only appears is you have setup Salesforce domain name).

    9. Click Save to apply your SAML single sign-on settings.

  12. In your Salesforce portal, on the left navigation pane, click Domain Management to expand the related section, and then click My Domain to open the My Domain page. 

    My Domain

  13. On the My Domain page, in the Authentication Configuration section, click Edit.

    Authentication Configuration

  14. On the Authentication Configuration page, in the Authentication Service section, the name of your SAML SSO Settings is displayed. Check it, and then click Save.

    Login Page Branding

    If more than one authentication services are selected, when you later single sign-on to your Salesforce tenant, you will be asked to select an authentication service. If you don’t want this additional step during SSO, you should leave all other authentication services unchecked.

  15. On the Azure AD portal, select the single sign-on configuration confirmation, and then click Complete to close the Configure Single Sign On dialog.

    Configure single sign-on at Salesforce

The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to Salesforce.
As part of this procedure, you are required to provide a user security token you need to request from Salesforce.com.

The following screenshot shows an example of the related dialog in Azure AD:

Configure User Provisioning

  1. In the Salesforce portal, in the top navigation bar, select your name to expand your user menu:

    My Settings

  2. From your user menu, select My Settings to open your My Settings page.

  3. In the left pane, click Personal to expand the Personal section, and then click Reset My Security Token:

    My Settings

  4. On the Reset My Security Token page, click Reset Security Token to request an email that contains your Salesforce.com security token.

    New Token

  5. Check your email inbox for an email from Salesforce.com with “salesforce.com.com security confirmation” as subject.

  6. Review this email and copy the security token value.

  7. In the Azure Management Portal, on the salesforce application integration page, click Configure user provisioning to open the Configure User Provisioning dialog.

  8. On the Enter your Salesforce credentials to enable automatic user provisioning page, provide the following configuration settings:

    1. In the Salesforce Admin User Name textbox, type a Salesforce account name that has the System Administrator profile in Salesforce.com assigned.

    2. In the Salesforce Admin Password textbox, type the password for this account.

    3. In the User Security Token textbox, paste the security token value.

    4. Click validate to verify your configuration.

      Successfully verified credentials

    5. Click the Next button to open the Confirmation page.

  9. On the Confirmation page, click the checkmark to save your configuration.

To test your configuration, you need to grant the Azure AD users you want to allow using your application access to it by assigning them.

  1. In the Azure AD portal, create a test account.

  2. On the Salesforce application integration page, click Assign users.

    Grant access

  3. Select your test user, click Assign, and then click Yes to confirm your assignment.


You should now wait for 10 minutes and verify that the account has been synchronized to Salesforce.com.

If you want to test your single sign-on settings, open the Access Panel. For more details about the Access Panel, see Introduction to the Access Panel.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft