How to Set Up Salesforce with Microsoft Azure Active Directory Single Sign-On (SSO)

Serhii Force blog
Might and Magic of Salesforce
6 min read · Nov 28, 2022


Single Sign-On (which is often confused with Social Sign-On) is a powerful functionality that can quickly increase company productivity and data security, centralise user password management, and make the life of IT teams much easier. The two are not the same thing: social sign-on lets a user authenticate with a consumer account they own, such as a personal Google or Facebook account, whereas enterprise SSO authenticates against an identity provider the organization controls, so the organization, not the user, governs the account. In this post, I'll explain the key difference between social sign-on and single sign-on, the benefits of setting up Salesforce with SSO, how it works, and how to set up Salesforce SSO with Azure Active Directory (the identity service behind Office 365).

Why You Need SSO

Single Sign-On (SSO) is an authentication process in which a user logs in once, with a single set of credentials (a username and password, usually combined with a second factor such as a code generated in Microsoft Authenticator), and that one login grants access to multiple applications, from any device, without logging in to each one separately.

The primary benefit of SSO is that it gives organizations centralized control of who has access and removes the need for users to log in to each system separately. It also helps:

  • Strengthen password policies: there is one password policy, enforced at the identity provider, instead of one per application.
  • Reduce the risk of a data breach: passwords are stored only at the identity provider rather than in every application's own user store, users have fewer credentials to reuse or to be phished for, and multi-factor authentication is enforced in one place.
  • Centralize access control: disabling a user at the identity provider cuts off every connected application at once.
  • Reduce IT workloads: your admins manage one source of identities and credentials instead of many.

How Single Sign-On Works

To enable SSO you need two parties: an Identity Provider (IdP), the trusted service that authenticates users and vouches for them to other applications, and a Service Provider (SP), the application the user actually wants to use (in our case Salesforce), which accepts the identity asserted by the IdP instead of checking a password itself.

How the whole process looks:

  • Step #01 - User accesses the Service Provider
  • Step #02 - The Service Provider redirects the user to the Identity Provider
  • Step #03 - User enters credentials at the Identity Provider
  • Step #04 - The Identity Provider validates the credentials and issues a signed assertion for the Service Provider (a SAML response or an OpenID Connect ID token)
  • Step #05 - The Identity Provider redirects the user back to the Service Provider, which verifies the assertion's signature, issuer, audience and expiry before creating a session

For example, you can configure Google G-Suite as the Identity Provider for your org. When you open Salesforce, it redirects you to the Identity Provider (in our case, G-Suite), where you enter your credentials, such as a username and password.

If multi-factor authentication is enabled, you will also be asked for a one-time code (OTP) before G-Suite signs you in.

Once that succeeds, G-Suite confirms that you are authenticated and tells the Service Provider that you are allowed to use Salesforce, which then signs you in without ever asking for a Salesforce password.

Requirements for SSO Enablement

There are specific prerequisites for enabling SSO in Salesforce. Among them are:

  • Admin access: the person doing the setup needs permissions to configure Auth. Providers, My Domain and Apex classes; this does not necessarily have to be the full System Administrator profile.
  • My Domain: you need My Domain deployed, because the SSO login buttons and the provider callback URLs hang off your org's own subdomain.
  • Sandbox: test everything in a sandbox first, so that a mistake does not break login for all users in production, and keep a way in that does not depend on the new provider (standard username/password login for at least one admin) until SSO is proven to work.

How to Set Up Salesforce with Microsoft Azure Active Directory Single Sign-On

The Azure application lets users log in to a Salesforce org with their Azure Active Directory credentials. Salesforce provides an article on how to do this, but it is based on the old Azure portal design. So, to set this up you need to:

  1. Log in to Microsoft Azure.
  2. On the menu, select Azure Active Directory, and then App registrations (not Azure AD B2C, which is a separate consumer-identity product with its own endpoints).
  3. To register a new application, select New registration.
  4. Enter an application name, under Redirect URI choose Web and enter https://salesforce.com as a placeholder (you will replace it with the real Salesforce callback URL later). Click Register.
  5. Open the application from the App registrations pane. Copy and save the Application (client) ID and the Directory (tenant) ID, and then select Certificates & secrets.
  6. Create a new client secret: enter a description and an expiration date, save, and copy the secret value immediately, because Azure shows it only once. Treat it like a password: it is the credential Salesforce will use to talk to Azure AD, and the integration stops working when it expires, so note the date and plan the rotation. You will use this value and the application ID to configure the authentication provider in Salesforce in the next section.
  7. Under Expose an API, add a default scope for the application.

Now you need to go to Salesforce org.

  1. From Setup, enter Auth. Providers in the Quick Find box, and select Auth. Providers | New.
  2. For the provider type, select Open ID Connect.
  3. Enter a name for your Auth. Provider. Salesforce uses this name as the URL suffix of the callback URL, which is where Azure AD sends the user back after authentication.
  4. For Consumer Key, paste the Application (client) ID that you copied earlier.
  5. For Consumer Secret, paste the client secret value.
  6. For Default Scopes, enter openid https://graph.microsoft.com/User.Read: openid is what makes this an OpenID Connect request, and User.Read is the Microsoft Graph scope that lets Salesforce call the user info endpoint below.
  7. Enter the Azure AD endpoints. You can find them under the Endpoints link of your app registration; the tenant-specific v2.0 ones have the form https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize and https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token, where <tenant-id> is the Directory (tenant) ID. Use these rather than the multi-tenant common endpoint, and keep the app registration restricted to accounts in your organizational directory only, so that accounts from other Azure AD tenants are rejected before they ever reach your registration handler.
  8. For User Info Endpoint URL, use https://graph.microsoft.com/oidc/userinfo.
  9. Save the settings.

Now it's time to update your Azure application with the Salesforce callback URL.

  1. On the Salesforce Auth. Provider page for Azure AD, copy the callback URL.
  2. In Azure AD, open your app registration's Authentication tab and add the Salesforce callback URL as a new Web redirect URI, then save the setting. Once the real callback is in place, remove the https://salesforce.com placeholder, so that the only registered redirect URI is the exact Salesforce callback URL.

Create a Registration Handler

A registration handler is an Apex class that does the heavy lifting when someone logs in through the provider: it decides whether to create a Salesforce user, which existing user (and account or contact) the external identity is linked to, and what to update on later logins. Salesforce publishes example registration handlers as Apex classes on GitHub, including a SamlRegHandler and a SocialRegHandler, for SSO with Salesforce itself or with an external service as the authentication provider. From a security point of view this class is the most important piece of the whole setup: whatever createUser returns becomes the Salesforce user that the Azure AD identity is permanently linked to, so a handler that matches on a mutable attribute such as email, or that creates users on the fly, can hand an attacker an existing account.

  1. Download the social sign-on registration handler from GitHub:
  2. From Setup, in the Quick Find box, enter Apex Classes, and select Apex Classes | New. To create a registration handler for Azure, copy a sample Apex class (SocialRegHandler) and adapt its matching logic to your org before you rely on it.
  3. On the Salesforce Auth. Provider page, edit the settings for the Azure AD Auth. Provider, and select the registration handler that you created.
  4. Enter a user for whom the registration handler executes (Execute Registration As), and save the settings. The handler runs with that user's permissions, so pick a dedicated integration user with only what the handler needs (reading and updating users) rather than a full administrator.
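As an added example (not the post's own code, and not Salesforce's sample SocialRegHandler), here is a registration handler written to fail closed. It assumes that every Salesforce user who may log in through Azure AD was pre-provisioned with the FederationIdentifier field set to the same stable subject identifier that Salesforce hands the handler as data.identifier; the class name, the exception name and that provisioning convention are my assumptions, not something the post prescribes. It refuses just-in-time user creation and never matches on email.

```apex
// Added example registration handler for the Azure AD Auth. Provider.
// Assumption: User.FederationIdentifier was provisioned with the same stable
// subject identifier that Salesforce passes in as data.identifier.
global class AzureAdRegHandler implements Auth.RegistrationHandler {

    public class SsoLinkException extends Exception {}

    // Called when no Salesforce user is linked to this Azure AD identity yet.
    // Deliberately no just-in-time provisioning and no matching on email:
    // email is a mutable, user-facing attribute, so matching on it would let
    // whoever controls an IdP account with a colliding address take over the
    // Salesforce user. Only a pre-provisioned federation ID can be linked.
    global User createUser(Id portalId, Auth.UserData data) {
        User u = findProvisionedUser(data);
        if (u == null) {
            // Fail closed: the login page shows an error and nothing is created.
            throw new SsoLinkException(
                'No Salesforce user is provisioned for subject ' + data.identifier);
        }
        // Returning an existing user makes Salesforce link the Azure AD
        // identity to that user.
        return u;
    }

    // Called on every later login for the already-linked user. Keep it narrow:
    // refresh display attributes only; never change Username, Profile,
    // FederationIdentifier or IsActive based on claims from the IdP.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, IsActive, FederationIdentifier
                  FROM User WHERE Id = :userId];
        if (!u.IsActive) {
            throw new SsoLinkException('User ' + userId + ' is deactivated');
        }
        if (u.FederationIdentifier != data.identifier) {
            // The linked user and the asserted subject no longer agree;
            // refuse rather than silently re-link.
            throw new SsoLinkException('Federation ID mismatch for user ' + userId);
        }
        if (String.isNotBlank(data.firstName)) {
            u.FirstName = data.firstName;
        }
        if (String.isNotBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }

    // Exactly one active user must carry the asserted subject identifier.
    // Zero matches means the person was never provisioned; two or more means
    // a provisioning error, and neither is allowed to log in.
    private User findProvisionedUser(Auth.UserData data) {
        if (String.isBlank(data.identifier)) {
            return null;
        }
        List<User> matches = [
            SELECT Id, IsActive, FederationIdentifier
            FROM User
            WHERE FederationIdentifier = :data.identifier AND IsActive = true
            LIMIT 2
        ];
        return matches.size() == 1 ? matches[0] : null;
    }
}
```

Create the class via Apex Classes | New, select it as the registration handler on the Auth. Provider, and do the first login with a test user in a sandbox. If your provisioning writes a different claim into FederationIdentifier (for example the Azure AD object ID rather than the value Salesforce exposes as data.identifier), compare against that claim instead; the point that carries over is that the match key must be something only the identity provider sets, never something a user can edit.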

Let’s Test SSO with Azure AD

  1. In Setup, on the My Domain page under Authentication Configuration, click Edit.
  2. Select your Azure AD authentication service and save the settings. Leave Login Form enabled as well until SSO is verified, so that an admin can still get in with a Salesforce password if the provider fails.
  3. Log out and go to your Salesforce org's login page on your My Domain subdomain.
  4. Click the button for the Azure AD authentication service, and enter your Azure AD credentials.

That's it!
