Question

I have successfully set up SSO integration between Azure AD and Salesforce as described in this article.

With this configuration, users must know to go to the Azure AD access panel in order to log in to Salesforce. This appears to be standard Identity Provider-initiated SSO using SAML.

I'd like to use Service Provider-initiated SSO with Azure AD instead. I'd like users to be able to open a deep-linked Salesforce URL, be redirected to the Azure AD login page, and then be redirected back to the originally requested URL. Is this possible?
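The flow the question asks about is standard SP-initiated SAML 2.0: the SP builds an AuthnRequest, sends the browser to the IdP's SSO endpoint with the deep link carried in RelayState, and, when the IdP posts the SAMLResponse back to the assertion consumer service, redirects the user to that deep link. The block below is an added example, not code from the page, from Salesforce or from Microsoft; the IdP URL, tenant ID, My Domain, ACS path and record path are placeholders. It shows the HTTP-Redirect encoding of the request and the one check a practitioner tends to forget: RelayState is attacker-controllable (anyone can craft a login link), so it must be validated against the SP's own origin before the post-login redirect, or the ACS becomes an open redirector.

```python
"""SP-initiated SAML 2.0 flow sketch (added example; placeholders throughout)."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder values (assumptions, not real tenant/org identifiers).
SP_ORIGIN = "https://yourdomain.my.salesforce.com"
SP_ENTITY_ID = SP_ORIGIN
SP_ACS_URL = SP_ORIGIN + "/acs"
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT_ID/saml2"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        request_id=None, issue_instant=None):
    """Return an unsigned <samlp:AuthnRequest> as an XML string.

    Signing is omitted here; the HTTP-Redirect binding allows unsigned
    requests, but the SAMLResponse coming back MUST be signature-checked.
    """
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_str, idp_sso_url, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode.

    RelayState rides alongside as a separate query parameter. The SAML
    bindings spec caps it at 80 bytes, so long deep links are usually
    stored server-side keyed by the request ID and referenced by a token.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no header
    deflated = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urlencode(params)


def decode_redirect(url):
    """Inverse of encode_redirect: (AuthnRequest attributes, RelayState)."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    attrs = dict(root.attrib)
    attrs["Issuer"] = root.findtext(f"{{{SAML}}}Issuer")
    return attrs, qs.get("RelayState", [""])[0]


def resolve_relay_state(relay_state, sp_origin=SP_ORIGIN, default="/"):
    """Pick the post-login redirect target from an untrusted RelayState.

    Only relative paths or absolute URLs on the SP's own origin are honoured;
    anything else (other hosts, scheme-relative '//evil', javascript:, ...)
    falls back to the default landing page, closing the open-redirect hole.
    """
    if not relay_state or relay_state.startswith(("//", "\\")):
        return urljoin(sp_origin, default)
    parts = urlsplit(relay_state)
    if parts.scheme == "" and parts.netloc == "":
        return urljoin(sp_origin, relay_state)  # plain relative path
    origin = urlsplit(sp_origin)
    if parts.scheme == origin.scheme and parts.netloc.lower() == origin.netloc.lower():
        return relay_state
    return urljoin(sp_origin, default)


def sp_initiated_login_url(deep_link, request_id=None, issue_instant=None):
    """What the SP redirects an unauthenticated browser to for a deep link."""
    xml_str = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL,
                                  request_id, issue_instant)
    return encode_redirect(xml_str, IDP_SSO_URL, deep_link)


if __name__ == "__main__":
    # Constructed deep link; the record ID is a placeholder.
    url = sp_initiated_login_url("/lightning/r/Account/001xx0000000000/view")
    print(url)
    print(decode_redirect(url))
    print(resolve_relay_state("https://evil.example/phish"))  # falls back to "/"
```

The `resolve_relay_state` check is the part to copy: the deflate/base64 wrapping is what any SAML library already does, but the decision of where to send the browser after the assertion is consumed is application logic, and the same validation applies whether the deep link lives in RelayState directly or behind a server-side token.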


Solution

I have confirmed with Microsoft that Windows Azure AD does not support an SP-initiated SAML flow for Salesforce. All access must be initiated from the Azure AD access panel.

Microsoft is working to address this in the future.

OTHER TIPS

We set this up today and Salesforce-initiated SSO with Azure AD authentication works.

Notes/Caveats to any Salesforce SAML / SSO Authentication:

You will have to set up a custom Salesforce domain, e.g. yourdomain.my.salesforce.com

Then, users will need to be trained to go there to log in and click the "Azure SSO" button instead of entering Salesforce credentials.

Alternatively, users can continue going to salesforce.com proper, but will have to click "login to a custom domain" and then enter the domain name manually, which also constitutes retraining and which is harder.

You have the global choice of letting "Salesforce Passwords" co-exist with SAML / SSO auth. You have to leave this enabled if you use anything that integrates with Salesforce like DBSync stuff. This is because you will have to use an admin/user account in salesforce for the integration which is not great. A dedicated service account system for integration should exist by now, but that's another discussion.

Note: Logins were actually much faster using Azure AD auth... go figure.

The setup and behavior of Salesforce "Client Apps" like Chatter Desktop, Salesforce1 Mobile App, Outlook Apps, etc., will change a bit. We were able to figure them all out pretty easily, but new documentation will be required for organizations that provide tutorials to employees. Users have to log out on their phones, enter the new domain manually... all of it requires documentation.

Setting up smooth user provisioning is fairly complex and requires a lot of configuration on the Azure AD side. It involves matching attributes between the systems, defining licenses, etc.

Finally, you're building a new non-trivial dependency between two cloud systems into your environment. In case you hadn't thought about it... it's significant.

Overall, we're extremely happy about the integration. It's awesome for us and seems to be fast.

Licensed under: CC-BY-SA with attribution