Wednesday, August 28, 2013

AAD : SSO between AAD and Salesforce

The write-up is here:

Tutorial: Windows Azure AD integration with Salesforce

but I couldn't get it working.

Luckily, I have some SAML experience so figured out the problem.

I posted before about how important it is to get the NameID stuff right and this was indeed the problem.

When you create the user in Salesforce, you have to make sure that the Salesforce username is exactly the same as the login name you use for your AAD tenant.

And you have to use a valid email name.

The email name and username do not have to match.

So assume I log into my AAD tenant as:

My email address is

So I create the Salesforce user with:

email =

username =

Check your email - you will get a "Change Password" email from Salesforce.

Change your password. 

Login to AAD - navigate to the Access Panel - click Salesforce.

What will happen is that AAD will take your logged in name, put it in a NameID SAML assertion called username and pass it to Salesforce.

Salesforce will check that there is a registered user with that username.

There is so A-OK - you are logged in.

I did not have to synchronise any accounts to achieve this.



Jonathan Larson said...

Did you attempt to connect to a Sandbox first or did you do it directly in a Production/ Dev org. We are having some issues with the singing in not going to our test system.

nzpcmad said...

No - I did this directly to my dev Salesforce account.