IdP Initiated Sign-on on Salesforce Enterprise Application vs Salesforce Sandbox

Question

Need some help on configuring IdP-initiated SSO with enterprise applications, particularly with Salesforce. I cannot find any documentation that confirms the Sign On URL being a required field but the tip in the attached screenshot (Salesforce-App SSO Settings.png) is confusing. It says it's unnecessary for IdP-initiated but if I clear it, it throws an error message and I can't save the configuration.

If I create my own application (or Salesforce Sandbox) and enter the same Single Sign On Parameters, the Sign On URL is optional. And using this configuration I was able to do a real IdP-initiated sign on. Refer to attached (SalesforceSandbox-App SSO Settings.png).

Answer 1

Hello @Joel Agustin ,

Thanks for reaching out.

Salesforce Sandbox supports SP and IDP initiated SSO when installed through the Azure AD gallery, whereas Salesforce only supports SP initiated SSO. Therefore, you must create custom enterprise application, as shown below for Salesforce, so that the Sign on URL field becomes optional. I hope this was helpful.

Reference:

Salesforce: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-tutorial#scenario-description
Salesforce sandbox: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-sandbox-tutorial#scenario-description

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.