Hey Arthur,
I have been working on this same issue for quite a while now, and the simple answer is that SCIM provisioning and OIDC SSO for Salesforce are functionally incompatible - but not for the obvious reasons.
You can setup both by creating a new SF enterprise app from the gallery, which will expose the option to do SCIM provisioning to Salesforce. This will also create a corresponding app registration that you can then use to setup OIDC SSO into Salesforce. Both will work individually, but not together, here is why:
SCIM provisioning requires you to choose an attribute/claim from Azure that will be used to match against accounts in Salesforce, and is most often either username/email (e.g. UPN ->SF Username) or OID (Object ID -> Federation ID). If you provision a user with say OID/Federation ID and setup SAML based SSO to use federation ID as the NameID claim it will work fine.
If you try to login via OIDC with this provisioned account it will fail, for the simple reason you cannot by default match using the OID, even though it is passed in the access and ID tokens. This is due to the restriction in the built in Salesforce Open ID and Microsoft auth providers where they only match on the SUB claim. The SUB claim is by standard an immutable value representing the user from the IDP and is used to create an object in the Salesforce user account for the purpose of linking the two (called the ThirdPartyAccountLink). The problem with this? Well the SUB claim that Microsoft uses is a pairwise value combo of the app ID and users OID, so it is an application specific user identifier. Guess what is not available as an attribute for mapping users in SCIM? You guessed it, SUB. So while you can provision a user with SCIM, SSO via OIDC will never find it and will want to create a new user.
Two potential workarounds, which I have started to explore:
- Find a way to pass the OID from the auth providers into the registration handler and circumvent the default matching of SUB by doing an OID search first, and triggering an update rather than a create user event. This should apply the SUB to the matching user and SSO will work fine going forward.
- Write a custom auth provider to parse the access/ID tokens and use the OID as the SUB claim that is passed to the reg handler.
I am not sure who could get Microsoft and Salesforce to put their heads together on this one, but is solvable on either side - Have Azure allow the SUB claim be changed to use the OID, or be able to provision using SUB; or get Salesforce to be more flexible on how mapping works in their auth provider/reg handlers.
For now I am using SCIM+SAML but I wish I could use OIDC.
Derek
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 66%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFD%3C/text%3E%3C/svg%3E)