AAD federation to Salesforce

Damien 1 Reputation point MVP
2022-06-10T15:07:28.527+00:00

I need to implement an AAD federation to Salesforce. At present all my users are in Salesforce.

I found a solution for AAD to Salesforce using the Salesforce enterprise app with SAML. I need this in the other direction as well. The client would like to keep Salesforce as the master accounting. Any other ideas or ways of solving this?

Greetings and thanks Damien

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-06-15T12:26:44.287+00:00

    @Damien

    Hi Damien,

    Thanks for reaching out and apologies for the delayed response.

    I'm assuming you're referring to the Azure Active Directory single sign-on (SSO) connection with Salesforce, which allows your users to be automatically logged in to Salesforce with their Azure AD credentials and manage their accounts in one central location - the Azure portal.

    Could you briefly explain that when you say I need this in the other direction as well, you mean AAD federation with Salesforce such that Azure AD users get access to Salesforce with their account but must manually maintain and retain Salesforce as the master accounting? If this is the case, you may set the Provisioning mode to Manual, as shown below, so that users' accounts are never auto-provisioned from Azure AD and must establish the link and update it manually.

    [image: 211686-image.png]

    Or do you mean allowing Salesforce users to utilize their accounts to access Azure resources? If this is the case, you can configure federation using SAML/WS-Fed identity providers for guest users as described here. In this example, Salesforce functions as the identity provider, but you must verify that Salesforce supports SAML identity federation.

    Hope this helps

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Damien 1 Reputation point MVP
    2022-06-16T09:25:59.247+00:00

    Thanks for the reply. We are evaluating AAD to Salesforce and Salesforce to AAD for different use cases and are not sure on the best strategy.

    The first use case that must work is that all our existing users in Salesforce can log in to a SharePoint app using AAD authn.

    "Or do you mean allowing Salesforce users to utilize their accounts to access Azure resources? If this is the case, you can configure federation using SAML/WS-Fed identity providers for guest users as described here. In this example, Salesforce functions as the identity provider, but you must verify that Salesforce supports SAML identity federation."

    This SAML federation would work for this use case, correct? This would mean that we would continue to manage guest users in Salesforce but they can use our SharePoint. Authz would be step 2.

    Best regards Damien


  3. Damien 1 Reputation point MVP
    2022-06-28T14:31:30.333+00:00

    I am trying the solution with the external identities and AAD with Salesforce as the accounting IDP. At present I can only get this to work for emails from the Salesforce domain. The emails in the Salesforce app use many different domains. Can this solution work? Or how can I force that all external identities use the Salesforce IDP and not the other default configured identity providers?

    If I need to support emails from different domains in my Salesforce IDP, have you any solutions for this? All my external users are only in the Salesforce IDP.

    Any suggestions?

    Regards Damien

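An added triage helper for the multi-domain problem raised in the post above; it is not code from this thread or from Microsoft. It applies a simplified, assumed version of the provider precedence Entra uses for invited guests: a domain verified in an Entra tenant signs in with that tenant, a domain with SAML/WS-Fed federation goes to the federated IdP, and anything else lands on a fallback such as email one-time passcode. All domain names and addresses are constructed.

```python
# Added example, not from the original thread. Simplified model of guest-user
# identity-provider precedence (assumed): Entra-verified domain > SAML/WS-Fed
# federated domain > fallback provider. Use it to find which invitee domains
# are not yet covered by the SAML/WS-Fed federation with Salesforce.
from dataclasses import dataclass

@dataclass(frozen=True)
class InviteeRoute:
    email: str
    domain: str
    idp: str  # "azure-ad", "saml-wsfed" or the fallback name

def domain_of(email: str) -> str:
    """Lower-cased domain part of an address; rejects malformed input."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain) or "@" in local:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()

def route_invitee(email, aad_verified_domains, federated_domains, fallback="email-otp"):
    """Decide which provider an invitee would reach under the assumed precedence."""
    d = domain_of(email)
    if d in {x.lower() for x in aad_verified_domains}:
        return InviteeRoute(email, d, "azure-ad")       # tenant wins over federation
    if d in {x.lower() for x in federated_domains}:
        return InviteeRoute(email, d, "saml-wsfed")     # e.g. the Salesforce IdP
    return InviteeRoute(email, d, fallback)             # no federation for this domain

def federation_gap_report(emails, aad_verified_domains, federated_domains):
    """Group invitee domains by what still has to change to reach the SAML IdP."""
    routes = [route_invitee(e, aad_verified_domains, federated_domains) for e in emails]
    return {
        "routes": routes,
        # Domains that can be fixed by adding them to the SAML/WS-Fed federation.
        "needs_federation": sorted({r.domain for r in routes if r.idp == "email-otp"}),
        # Domains that cannot reach the federated IdP because an Entra tenant owns them.
        "azure_ad_takes_precedence": sorted({r.domain for r in routes if r.idp == "azure-ad"}),
    }

# Constructed sample data: federation exists only for the Salesforce org's own
# domain, while the invitees in the Salesforce app use several other domains.
FEDERATED = ["example-salesforce.test"]
AAD_VERIFIED = ["contoso.test"]
INVITEES = ["alice@example-salesforce.test", "bob@partner-one.test",
            "carol@Partner-Two.test", "dan@contoso.test"]

if __name__ == "__main__":
    report = federation_gap_report(INVITEES, AAD_VERIFIED, FEDERATED)
    for r in report["routes"]:
        print(f"{r.email:32} -> {r.idp}")
    print("add to federation:", report["needs_federation"])
    print("owned by an Entra tenant:", report["azure_ad_takes_precedence"])
```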
