Hope you all are doing well!
In our previous articles we discussed an overview of application management with Azure AD and how to integrate Azure AD with a SaaS application. Today we will continue with the same topic and discuss how to configure Single Sign-On (SSO) for a SaaS application after it has been integrated with Azure AD.
If you missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Configure Single Sign On (SSO) :
In our last article we already discussed SSO, and we know there are the following different methods available to configure SSO for a cloud application.
We saw in our last article how to use the password-based method to configure SSO. In today's article we will discuss how to configure SAML-based Single Sign-On (SSO). We will integrate and configure SSO for the Salesforce SaaS application, which is available as a pre-configured (gallery) application. For testing purposes I signed up for a free trial of Salesforce, and 'Manasmoharana@gmail.com' is a user with System Administrator rights, as shown in the following figure.
Lab Exercise :
So far so good. Now let's start our exercise, where we will configure Single Sign-On (SSO) for our integrated Salesforce SaaS application. Let's go through the following steps.
Step 1 – Log in to the Azure portal => Azure Active Directory => Enterprise Applications, as shown in the following figure, and search for the Salesforce application. I have already integrated the pre-configured Salesforce application.
Step 2 – Click on the Salesforce application (Salesforce For Manas) and select the 2nd option, Set up single sign on, as shown in the following figure. This will enable users to sign in to the application using their Azure AD credentials.
Step 3 – As shown in the following figure, there are different options for configuring SSO; the available options vary between SaaS apps. In our last article we configured SSO with the password-based method. Today we will select the SAML method, as shown in the following figure.
Step 4 – On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings, as shown in the following figure.
Step 5 – In the Basic SAML Configuration section, enter values for the following fields. There are two different URL patterns, one for an enterprise account and one for a developer account.
Enterprise account :
We need to get our subdomain name and prepare the URLs for the following fields.
Identifier (Entity ID) – the audience of the SAML response for IdP-initiated SSO. The service provider compares the assertion's Audience with this value, so it must match what Salesforce expects exactly.
Reply URL (Assertion Consumer Service URL) – the destination in the SAML response for IdP-initiated SSO, i.e. the Salesforce endpoint that receives and validates the assertion.
Sign-on URL – the sign-in page of the application that starts service-provider-initiated single sign-on.
Step 6 – To get the subdomain name, contact your Salesforce system administrator or check My Domain under Setup in Salesforce. As shown in the following figure, KnowledgeJunction.my.salesforce.com is my domain name and knowledgejunction is the subdomain name.
Step 7 – Once we have the subdomain name, we can formulate the URLs for the fields above and save the configuration, as shown in the following figure.
Step 8 – In the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the metadata, which includes the signing certificate, and save it on our computer. This certificate is what Salesforce will use to validate the signature on assertions, so note its expiry: when the certificate is rotated in Azure AD, the new one must be uploaded to Salesforce as well.
The following file is our metadata XML file; we will need it in a later step.
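As an added example (not part of the original article), the following Python helper formulates the three Basic SAML Configuration values from the Salesforce subdomain and runs the checks worth doing before saving them. The URL patterns it uses, https://<subdomain>.my.salesforce.com for an enterprise org and https://<subdomain>-dev-ed.my.salesforce.com for a developer org, are taken from Microsoft's Salesforce SSO tutorial and are an assumption to confirm against your own My Domain setting; the subdomain knowledgejunction is the one from this article.

```python
"""Formulate and sanity-check the Basic SAML Configuration values for Salesforce.

Added example, not from the original article. The host patterns for enterprise
and developer orgs are an assumption taken from Microsoft's Salesforce SSO
tutorial; confirm them against the My Domain setting of your own org.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Salesforce My Domain names: lowercase letters, digits and hyphens,
# no leading or trailing hyphen.
_SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass(frozen=True)
class BasicSamlConfig:
    identifier: str   # Entity ID: audience of the SAML response
    reply_url: str    # Assertion Consumer Service URL: destination of the response
    sign_on_url: str  # Page that starts SP-initiated SSO


def my_domain_host(subdomain: str, account: str = "enterprise") -> str:
    """Return the My Domain host for a subdomain such as 'knowledgejunction'.

    A full host ('KnowledgeJunction.my.salesforce.com') is accepted too and
    reduced to its subdomain first.
    """
    sub = re.sub(r"(-dev-ed)?\.my\.salesforce\.com$", "", subdomain.strip().lower())
    if not _SUBDOMAIN_RE.match(sub):
        raise ValueError(f"invalid Salesforce subdomain: {subdomain!r}")
    if account == "enterprise":
        return f"{sub}.my.salesforce.com"
    if account == "developer":
        return f"{sub}-dev-ed.my.salesforce.com"
    raise ValueError(f"unknown account type: {account!r}")


def basic_saml_config(subdomain: str, account: str = "enterprise") -> BasicSamlConfig:
    """Formulate the three Azure AD Basic SAML Configuration fields."""
    base = f"https://{my_domain_host(subdomain, account)}"
    return BasicSamlConfig(identifier=base, reply_url=base, sign_on_url=base)


def check_config(cfg: BasicSamlConfig) -> list[str]:
    """Checks worth running before saving: HTTPS only, every field on a
    Salesforce My Domain host, and all three on the same host, so the
    assertion's Audience and Destination line up with where it is delivered."""
    problems = []
    hosts = set()
    for name, url in (("Identifier", cfg.identifier),
                      ("Reply URL", cfg.reply_url),
                      ("Sign-on URL", cfg.sign_on_url)):
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{name} must use https, got {url}")
        if not parts.netloc.endswith(".my.salesforce.com"):
            problems.append(f"{name} is not a Salesforce My Domain host: {url}")
        hosts.add(parts.netloc)
    if len(hosts) > 1:
        problems.append(f"fields point at different hosts: {sorted(hosts)}")
    return problems


if __name__ == "__main__":
    cfg = basic_saml_config("KnowledgeJunction.my.salesforce.com")
    print(cfg)
    print("problems:", check_config(cfg) or "none")
```

Paste the three values it prints into the Basic SAML Configuration blade. The same-host and HTTPS checks matter because a typo in any one of the three fields does not fail loudly at save time in Azure AD; it shows up later as a rejected assertion or a login loop in Salesforce.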
Step 9 – The configuration within Salesforce can be automated. To do that, install the My Apps Secure Sign-in browser extension by clicking Install the extension.
As shown in the following figure, I have installed the extension for my Chrome browser. The look and feel differs slightly when installing the extension in a different browser.
Step 10 – Once the extension is added to the browser, a new button (Set up <Salesforce App Name>) is enabled. Clicking Set up Salesforce For Manas takes us to the Salesforce single sign-on setup, where we provide the Salesforce admin credentials, and the browser extension then configures the application for us. As shown in the following figure, there is also a link 'Or view step-by-step instructions' if we prefer to do the configuration manually. Let's do it automatically by clicking the Set up Salesforce button.
Step 11 – When we click the Set Up Salesforce For Manas button, it downloads the same XML metadata file we downloaded in an earlier step and asks for confirmation. Click OK to proceed.
Step 12 – As discussed earlier, we need to provide our Salesforce system admin credentials so that the browser extension can do the rest of the configuration automatically. As shown in the following figure, I am entering my Salesforce admin credentials.
Step 13 – In the next few steps, the extension asks for a few confirmations. Accept each one to proceed with the configuration.
Step 14 – As shown in the following figure, here we upload the XML metadata file that we previously downloaded from the Azure Active Directory single sign-on configuration page, then confirm the remaining notifications.
Finally we get the long-awaited notification telling us that SSO has been configured successfully, as shown in the above figure. Click OK to finish the configuration.
Step 15 – To test the feature, log in to myapplications.microsoft.com. As shown in the following figure, the Salesforce For Manas application now appears in my assigned applications list and we can log in from there.
Step 16 – We can also test the service-provider-initiated flow by browsing to https://login.salesforce.com/, selecting Use Custom Domain and entering our domain name, in our case knowledgejunction.my.salesforce.com, as shown in the following figure.
Salesforce redirects us to Azure AD, which asks for our Azure AD credentials to sign in to the Salesforce application; enter them and click Next. It may ask for consent to give access to the Salesforce application; click Allow to complete the login to Salesforce, and we are done.
With the above information we conclude this article. I hope it was informative. I am exploring Azure Identity and Access Management (IAM) in detail, especially Azure Active Directory. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂