I was doing some testing with the integration of Azure Active Directory with Salesforce to provide users a single sign-on (SSO) experience. It is possible for a lot of SaaS apps to provide SSO using Azure AD. When SSO configured using Azure AD the user can logon with the same set of credentials to Salesforce as they use to logon to Office 365.
I setup Salesforce SSO with the settings provided by Microsoft in the Azure portal.
I also setup Provisioning to automatically create Salesforce users based on Azure AD users by following the instructions provided by Microsoft.
When everything was set, I checked if the new accounts were created in Salesforce and I run a test with one of the user accounts.
But I got an error when using single sign-on “We can`t log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins”.
When I checked the SAML Validator I noticed the error “Unable to map the subject to a Salesforce.com user”.
I checked the SSO settings I made using Microsoft`s manual and noticed after checking several times all the settings, we are using the Federation ID to logon to Salesforce.
But the Federation ID field is blank for all the provisioned users. I filled in the UPN on one of the test accounts and after that I was able to successfully logon to Salesforce using SSO.
Fortunately it is possible to add an extra attribute mapping to synchronize between Azure AD and Salesforce, to automate filling in the Federation ID.
In the Azure portal navigate to the Salesforce application, on the tab Provisioning under Mappings click on Synchronize Azure Active Directory Users to Salesforce.com. From there at the bottom choose Add New Mapping and choose below settings:
- Mapping Type: Direct
- Source attribute: userPrincipalName
- Default value if null: <BLANK>
- Target attribute: FederationIdentifier
- Match objects using attributes: No
- Matching precedence: 0
- Apply this mapping: Always
After provisioning is successfully run again the Federation ID is filled in and SSO works for all users.