Introduction

This document explains how to implement Single Sign-On (SSO) between Azure Active
Directory (Azure AD) and Salesforce, where:

• Azure AD acts as the Identity Provider (IdP)
• Salesforce acts as the Service Provider (SP)

The goal is to enable users to log in to Salesforce using their Azure AD credentials,
improving security and user experience.

Key Concepts

What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access
management service.
It helps organizations authenticate and authorize users to access resources such as
Microsoft 365, Azure services, and third-party SaaS applications (like Salesforce).

What is an Identity Provider (IdP)?

An Identity Provider is a system that:

• Authenticates users (verifies their credentials)
• Issues authentication tokens or assertions to other systems

In this integration, Azure AD is the Identity Provider because it manages user identities
and authentication.

What is a Service Provider (SP)?

A Service Provider is a system or application that relies on the IdP to authenticate users.
In this case, Salesforce is the Service Provider, allowing Azure AD to verify users and
provide access without requiring Salesforce passwords

Prerequisites

Before implementing:

• Admin access to Salesforce Setup
• Admin access to Azure AD Portal
• A custom domain (My Domain) deployed in Salesforce
• User accounts present in both Azure AD and Salesforce (email addresses must
• match or whatever common field between SF and azure (like email, employed, etc.)

Implementation Steps

Configure Azure AD (Identity Provider)

1. Sign in to Azure Portal (portal.azure.com)→ Azure Active Directory → Enterprise Applications. We can directly search in the search bar for an enterprise application

2. Click New Application → In the search box, search for “Salesforce”. Click on Salesforce. A pop-up will appear, and click Create.

3. Open the app, click on Single Sign-on on the left panel, click on SAML, and configure the app.

a), Set up the Basic configuration. In the Identifier, Reply URL, and Sign-In URL, enter your Salesforce Domain.

(It can be obtained from Setup → My Domain in Salesforce)

I, Identifier (Entity ID): https://.my.salesforce.com

ii. Reply URL (ACS URL)

iii. Sign on URL

b), Attributes and Claims

This is the common identifier between SF and AZURE. We use the federation ID field on the user in SF

c) Download the certificate and federation metadata XML. This can be later used in setting up SSO configuration in Salesforce

4. Add users to the application. Select the user and role for the user

Configure Salesforce (Service Provider)

1. Log in to Salesforce → Setup → Identity → Single Sign-On Settings. Enable SAML.

2. Set up single sign-on settings using the downloaded metadata file from Azure in the previous steps

3. Set up the authentication configuration in my domain and select the SSO created before

4. Populate the federation ID in the Salesforce user same as the attribute

Test the SSO Connection

1. In Azure AD → Salesforce Application → Test Single Sign-On.
2. Or directly access Salesforce via: domain url

Advantages of Implementing SSO

• Enhanced Security: Centralized authentication through Azure AD reduces password fatigue and risk of compromised credentials.
• Seamless User Experience: Users can access Salesforce with their Microsoft 365/Azure AD credentials without logging in separately.
• Improved Compliance: Enables audit trails, conditional access, and multi-factor authentication (MFA through Azure AD.
• Reduced IT Overhead: Fewer password reset requests and simplified access control management.