Want a help on configurating B2B direct federation with Salesforce IdP

Copper Contributor

Hello,

 

I'm trying to setup a demo of B2B direct federation(SAML) with Salesforce as a Non-AAD IdP.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-B2B-collaboration-di...

 

I followed the doc and did setup on Salesforce side as well as AAD side.

https://docs.microsoft.com/ja-jp/azure/active-directory/b2b/direct-federation

 

I registered enterprise application to AAD and tried to access

https://myapps.microsoft.com/?tenantid=id

 

with a guest user account.

When I entered user account name, redirect to the Salesforce IdP did not occur.

What I see is a usual login.live.com page which requires me to enter password.

 

Did I miss something to configure or have misunderstanding?

 

Please Advise.

@Alex Simons (AZURE)  

 

3 Replies

@meatloaf1 I'm a program manager who works on our apps experiences and can help you out here. Did you try out the built-in testing experience when you were configuring your enterprise application described in the "Debug SAML SSO issues" article?

 

If you did, could you send a screenshot of the full error message, and the resulting SAML request from the link boxed in red in the screenshot below to asteen@microsoft.com? I'll get you connected with folks who can help to debug further.

 

Thanks!

 

Adam.

 

clipboard_image_0.png

Hello @Adam Steenwyk 

I am running into a similar issue. I am trying to utilize our internal IdP in order to access "Microsoft Cloud App Security." We are a re-seller of the service. I have configured my IdP and invited external users and am not able to trigger the external login flow. 

I also took a look at the article you mentioned. When I select Cloud App Security, I do not see the single sign on option in the left pane. 

The app does have this message:

"In order for single sign on to work correctly, users must be created both in Azure AD and the target application.

Open the application's admin console and follow the directions for adding users, if you haven't done so already."
 
MCAS.PNG

Any help on how to configure would be greatly appreciated.
Thanks
Chris
 

 

Hi @chris760

The single-sign on tab is not enabled because Microsoft Cloud App Security is an Open ID Connection Application. It is natively integrated into Azure Active Directory for single-sign on. In order to configure it with your 3rd party you could create a custom non-gallery application. 

Aside from configuring SSO, I would love to further understand if you are trying to enforce restrictions or RBAC for Microsoft Cloud App Security. Many of these settings can be configured in the application itself. Let me know if you have any follow-up questions.