I was doing some testing with the integration of Azure Active Directory with Salesforce to provide users a single sign-on (SSO) experience. It is possible for a lot of SaaS apps to provide SSO using Azure AD. When SSO configured using Azure AD the user can logon with the same set of credentials to Salesforce as they use to logon to Office 365.
I setup Salesforce SSO with the settings provided by Microsoft in the Azure portal.
I also setup Provisioning to automatically create Salesforce users based on Azure AD users by following the instructions provided by Microsoft.
When everything was set, I checked if the new accounts were created in Salesforce and I run a test with one of the user accounts.
But I got an error when using single sign-on “We can`t log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins”.
When I checked the SAML Validator I noticed the error “Unable to map the subject to a Salesforce.com user”.
I checked the SSO settings I made using Microsoft`s manual and noticed after checking several times all the settings, we are using the Federation ID to logon to Salesforce.
But the Federation ID field is blank for all the provisioned users. I filled in the UPN on one of the test accounts and after that I was able to successfully logon to Salesforce using SSO.
Fortunately it is possible to add an extra attribute mapping to synchronize between Azure AD and Salesforce, to automate filling in the Federation ID.
In the Azure portal navigate to the Salesforce application, on the tab Provisioning under Mappings click on Synchronize Azure Active Directory Users to Salesforce.com. From there at the bottom choose Add New Mapping and choose below settings:
- Mapping Type: Direct
- Source attribute: userPrincipalName
- Default value if null: <BLANK>
- Target attribute: FederationIdentifier
- Match objects using attributes: No
- Matching precedence: 0
- Apply this mapping: Always
After provisioning is successfully run again the Federation ID is filled in and SSO works for all users.
5 Comments
Thanks, we had exactly that issue and no documentation at Microsoft or Salesforce helped out. On the Salesforce site you would need require expensive Premium support to get some kind of debug logs.
Good to know this old article is still of any help!
I am testing SSO to Salesforce using O365 credentials, but based on some testing, users are getting prompted to authenticate using both Office 365 MFA, and Salesforce Authenticator. Is there a way to disable any MFA requirements within Salesforce, since O365 can control the access policies? Thanks in advance
Sorry Joe, I have no idea.
I configured this with Salesforce only one time for a customer and shared the challenge I faced with the configuration in this post.
Great job!
I have been pulling my hair off to figure this out.
Thank you.