Walk through a live demo of federating a common app (Salesforce) with Azure AD.
- Now that we've set up Azure AD Connect to create the foundation for the hybrid identity, and we've chosen sign-in options for how your users are going to authenticate to Azure AD, what we can look at now is how we extend this to make it a platform to sign in to other applications. What we're going to do in this discussion is set up single sign-on from Azure AD to Salesforce.com. The reason we chose Salesforce is that they have a really easy-to-use self-service interface for setting up single sign-on, and they let you get free developer tenants so you can try this any time you want, without having to do any paperwork or pay for anything.
You can sign up online. So to begin, we've logged in to the Azure portal, we've selected Azure Active Directory, and now we're at the main configuration screen for Azure AD. We're going to go ahead and click on Enterprise Applications. We're going to click New application, and we're going to search for Salesforce. Azure AD has a gallery of, at this time, over 2,900 applications for which they've already done a lot of the heavy lifting to integrate with Azure AD. So some of the work's already done for us.
In the case of Salesforce, there are a few options. For this demo we're going to use the Salesforce Sandbox. It's the exact same setup steps as the main Salesforce option, but for these types of trials, we'll use the Sandbox. You can give the application a name. This is the name that shows up in the access panel. We'll just go with Salesforce so it looks like a normal application for the end user. And we'll click Add. Behind the scenes it's going to go ahead and create some special settings in your Azure Active Directory tenant, and then we'll have an application that we can go ahead and configure.
The first thing we're going to need to do is configure single sign-on, so we can do that by clicking Single sign-on. The single sign-on mode we'll choose is one called SAML Single Sign-On. SAML is the protocol that's used for single sign-on to most cloud applications, and it's a specific standard that's focused on this. So a lot of what we do here, you'll be able to translate to almost any application. The other nice thing that Azure AD gives us, for many of the applications that are pre-integrated, is a tutorial on what you need to do to configure both the application, Salesforce, and Azure AD, and you'll find the links right here at the top.
And if you click on this, there's a full tutorial here on how you can do that integration, so you're not on your own when you need to set this up. To begin, we're actually going to go ahead and set up Salesforce first, and that will give us the values that we need to plug in to configure Azure Active Directory. So I have Salesforce already open here, I've logged in to the administration console for Salesforce, and I happen to know that I need to go to the single sign-on settings. There are a ton of different options in the Salesforce console, so you can use this Quick Find at the top to search for the ones you need.
To begin, I'll create a new SAML single sign-on setting. I'll give it a name, I'll call it Azure AD, and then there are a bunch of different things that I'm going to need to plug in here. The issuer is the unique identifier for Azure AD. Another technical term for it is the entity ID. For Azure AD, we'll get that from the Azure AD console. To get those options, I'll scroll to the bottom and click Configure Salesforce.
This pops out a window that has some of the settings we need, specifically the issuer, which is also known as the entity ID. We'll just copy and paste this over. The next thing I know I'll need is the identity provider login URL. That's right here; Azure AD calls it the single sign-on service URL. And then finally the logout URL, so that when someone clicks log out in Salesforce, it logs them out of Azure AD as well.
And then finally, there are two more things I need to provide. I need to provide the identity provider certificate. That's the key that Azure AD uses to sign the SAML assertion. The SAML assertion, under the covers, is the data that Azure AD sends to Salesforce so that Salesforce knows who you are. That's signed with a special certificate in Azure AD, and we have to give Salesforce the public key so that they can validate the signature. We'll download that here.
And then we'll go ahead and plug that in to Salesforce. And then the final thing we need to do is provide this entity ID. This is how Salesforce is going to uniquely identify itself to Azure AD, so Azure AD knows which application is requesting single sign-on. We'll go ahead and use the beginning of our Salesforce URL. Now what we can do is start configuring Azure AD.
We'll click Show advanced settings here, because while it calls them advanced, we're actually going to need to set some of them up. That same entity ID is going to be the identifier. And once we click Save here in Salesforce, we'll get the rest of the settings we need. Now what we can do is, when we scroll down, Salesforce gives us the login URL, which we're going to copy to the clipboard and paste into Azure AD.
We'll just have to trim that a little bit here. And then you should be able to save this and give it a shot. Now that it's saved, the last thing we need to do is just say which users are going to have access to this application. We can do that from the Users and groups button. As the name implies, we can either give users access to this directly, or we can give a group access. Usually groups are easier, because you're going to have a whole bunch of different people that need access, and you probably already manage groups in your on-premises directory.
In the interest of keeping this simple, we're just going to give a couple users access. I'm going to give these two users access, and Salesforce makes us pick a role that these users are going to have. This isn't applicable in the scenario that we're using, but it's a requirement in order to assign these users. Once these users are assigned, the last thing we need to do is just activate this configuration in Salesforce, and then we'll try signing in.
The last two steps we need to do in Salesforce are to turn SAML single sign-on on. That's this checkbox here. So we'll go ahead and check that. And then we also have to tell Salesforce to use this Azure AD setting that we just set up, and make it available. You do that in the My Domain section. We'll come here to Authentication Configuration, we'll click Edit, and then we'll check Azure AD.
The other option we're going to leave enabled here is this Login Page option. This lets people sign directly into Salesforce. Ordinarily, once you've got this working, you'd remove this option so everyone goes through Azure AD. Now that this is complete, let's try signing in! So now I'm signed in as an end user, and I'm in the access panel. You'll notice the Salesforce tile has shown up here. When I go ahead and click that as the end user, that should take me through, and it signs me straight through to Salesforce.com, all without me needing to have a separate username and password in Salesforce.com.
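The four values the walkthrough copies by hand (the issuer/entity ID, the identity provider login URL, the logout URL and the signing certificate Salesforce uses to validate the assertion signature) are all published in the identity provider's SAML federation metadata. The following is an added example, not code from the video, Microsoft or Salesforce: it parses a constructed sample metadata document with placeholder URLs and a placeholder certificate, and `salesforce_sso_settings` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Added example: CONSTRUCTED sample IdP metadata with placeholder values, not real Azure AD output.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.example.invalid/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIICPLACEHOLDERCERT
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.invalid/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.invalid/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def salesforce_sso_settings(metadata_xml: str, binding: str = HTTP_POST) -> dict:
    """Return the values the Salesforce SAML Single Sign-On Settings form asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate: Salesforce could not validate assertions")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{binding}']", NS)
    if sso is None:
        raise ValueError(f"IdP does not offer single sign-on over {binding}")
    slo = idp.find("md:SingleLogoutService", NS)  # optional; logout URL field may stay empty
    # Keys map to the Salesforce fields: Issuer, Identity Provider Login URL,
    # Identity Provider Logout URL, Identity Provider Certificate (base64 body).
    return {"issuer": root.get("entityID"), "idp_login_url": sso.get("Location"),
            "idp_logout_url": None if slo is None else slo.get("Location"),
            "idp_certificate_b64": "".join(cert.text.split())}
```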
Released 1/19/2018
Video: Federate an application with Azure AD