Forum Discussion

AzureRanger
Dec 25, 2018

AzureAD sharepoint SAML integration

Hi All,

We are trying to federate Salesforce to use Azure AD for authentication. I did some testing in a sandpit in Salesforce. I did all the configuration and it all works when I use the Microsoft account, i.e. a trial account in Azure. However, when I create a new user in Azure AD and try to log in as that user in Salesforce, I keep getting a SAML error. I do get redirected to the login.microsoft web page for auth, but the moment I enter the credentials of the user it doesn't work. I used the email ID as federation ID so if the user.

What I have gathered is that the federation works when I use the MS account but not as a user in AAD. Can someone please explain the reason behind this?


Regards,

AR

  • bbhorrigan

    What is the SAML error, can it not find the user? Can you post the SAML trace?

    • AzureRanger

      Hi Peter,

      Happy new year and apologies for the delay in responding.

      Thanks for your email. Below is what I have found in the trace.

      SAML trace for the working user, which is a Microsoft online account:


      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">maverick1@hotmail.com</NameID>

      You can see that Azure is passing the email address, which is used as the federated ID between Azure and Salesforce.

      SAML trace for the non-working user, which is a user account in the directory:

      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">F8xKa2JIpxTCFjO66gjj-9TrfpXfOnyxOHogR8s1PA4</NameID>

      As you can see from the above, the email address is not being passed as the federation ID for the user in the directory. So it only seems to work with the MS online account.

      Your help would be appreciated.

      • ThinkSync

        Hello,

        Please check your Salesforce claim mappings: nameidentifier should map to user.mail or user.userprincipalname. These values should be identical to the Salesforce account FederationID.

        If you're using user.mail, please check the accounts have the mail attribute, using the Azure AD PowerShell cmdlets for cloud accounts or, for synced accounts, Active Directory Users and Computers.

  • ThinkSync

    Hello,


    Salesforce integration can be tricky; have you checked the following?

    1. You have licensed Salesforce accounts that correspond to your Azure AD accounts: "shadow accounts" that sit in the Salesforce IdP.
    2. The Salesforce accounts' FederationIdentifier matches your Azure AD accounts' UserPrincipalName.
    3. If you haven't set up account provisioning referenced above, please follow the following tutorial:

    Configure Salesforce for automatic user provisioning

    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-provisioning-tutorial


    Hope this helps!
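As an added example (not posted by anyone in this thread), a small Python check that pulls the Subject NameID out of a SAML assertion and reports whether its Format and value match the Salesforce FederationIdentifier, which is the mismatch the two traces above show. The two NameID elements are the ones quoted in the thread; the surrounding Assertion/Subject XML is constructed here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def assertion_with(nameid_format, value):
    """Constructed minimal Assertion/Subject wrapper around one NameID element."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject>"
        f'<saml:NameID Format="{nameid_format}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion>"
    )


# The two NameIDs quoted in the thread, wrapped in the constructed Assertion.
WORKING_ASSERTION = assertion_with(EMAIL_FMT, "maverick1@hotmail.com")
BROKEN_ASSERTION = assertion_with(PERSISTENT_FMT, "F8xKa2JIpxTCFjO66gjj-9TrfpXfOnyxOHogR8s1PA4")


def check_nameid(assertion_xml, expected_federation_id):
    """Report whether the Subject NameID is an emailAddress-format value equal to the
    Salesforce FederationIdentifier. Only the claim mapping is checked; signature
    validation is the SP's job, and untrusted XML belongs in a hardened parser
    such as defusedxml rather than xml.etree."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if nameid is None:
        return {"ok": False, "format": None, "value": None, "reason": "no NameID in Subject"}
    fmt = nameid.get("Format", "")
    value = (nameid.text or "").strip()
    result = {"ok": False, "format": fmt, "value": value, "reason": ""}
    if fmt != EMAIL_FMT:
        # Azure AD emits an opaque persistent identifier when nameidentifier is not
        # mapped to user.mail / user.userprincipalname, so Salesforce has nothing to match.
        result["reason"] = ("NameID Format is %s, not emailAddress; map nameidentifier to "
                            "user.mail or user.userprincipalname" % fmt.rsplit(":", 1)[-1])
        return result
    if value != expected_federation_id:
        # Comparison is exact: the FederationIdentifier must equal the emitted value.
        result["reason"] = "NameID %s does not equal FederationIdentifier %s" % (
            value, expected_federation_id)
        return result
    result["ok"] = True
    result["reason"] = "NameID matches FederationIdentifier"
    return result


if __name__ == "__main__":
    for label, xml in (("working", WORKING_ASSERTION), ("broken", BROKEN_ASSERTION)):
        print(label, check_nameid(xml, "maverick1@hotmail.com"))
```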
