
Setting Up an Azure AD Application

Set Up an Azure AD Application

The Azure application allows your users to use their Azure AD credentials to log in to a Salesforce org.

1. Log in to Microsoft Azure using https://manage.windowsazure.com.
2. On the left, select Azure Active Directory, and select an AD user.
3. To register a new application, select App registrations and click +.
4. Enter an application name, select Web app / API as the type, and enter
https://salesforce.com as the sign-on URL. Click Create.
5. Choose the application from the App registrations pane. Copy and save the Application ID, and then select
Keys.

6. Enter a description and expiration date for the key. Save the settings, and copy the key value. To
configure the authentication provider in Salesforce, use the key and application ID in the next step.

Create an Azure Auth. Provider in Salesforce

Configure your Salesforce org to recognize Azure AD as the external authentication provider. This step tells your org to
use Azure AD credentials at login.

1. From Setup, enter Auth. Providers in the Quick Find box, and select Auth. Providers | New.
2. For the provider type, select Open ID Connect.
3. Enter a name for your Auth. Provider, such as MyAzure. Salesforce uses this name as the URL suffix in
the callback URL, which is how the application responds to the Salesforce authentication request. For
example, if the name and suffix combination is MyAzure, your SSO URL is similar to
https://mydomain_login_url or site_url/services/auth/sso/MyAzure.
4. For Consumer Key, paste the application ID that you copied earlier.
5. For Consumer Secret, paste the key.
6. Enter the Azure AD endpoints:
   - Authorize Endpoint URL: https://login.windows.net/common/oauth2/authorize
   - Token Endpoint URL: https://login.windows.net/common/oauth2/token
   - User Info Endpoint URL: https://login.windows.net/common/openid/userinfo

To learn about endpoints, see Using the Authorization Endpoint Parameter.

7. Save the settings.


Update Your Azure Application with the Salesforce Callback URL

1. On the Salesforce Auth. Provider page for Azure AD, copy the callback URL.
2. In Azure AD, navigate to the application configuration and select Reply URLs. Enter the
Salesforce callback URL as a new reply URL and save the setting.

Test the SSO Connection

The Auth. provider page in Salesforce lists a Test-Only Initialization URL. You can use this URL to check that the
configuration is set up correctly without logging in to the Salesforce org. When you open the URL in a browser and sign
in to Azure, you’re redirected back to Salesforce with a set of user attributes.

1. In Salesforce, go to the detail page for the Azure AD Auth. provider.
2. Copy the Test-Only Initialization URL.
3. Open a browser and enter the test URL. You’re redirected to Azure AD.
4. Choose an account and log in. Depending on the scope specified in the Azure AD application definition,
you can be prompted to approve access to this app.
5. After successful login, you’re redirected to the callback registered with Azure AD. Azure AD returns
information about the user and the application.

Create a Registration Handler

A registration handler is an Apex class that handles the heavy lifting of creating Salesforce users, updating users, and
linking to existing users, accounts, and contacts. Example registration handlers are available as Apex classes on a
GitHub site, including a SamlRegHandler and a SocialRegHandler. These handlers enable Salesforce SSO using
Salesforce as an authentication provider or an external authentication provider.

1. Download the social sign-on registration handler from
GitHub: https://github.com/salesforceidentity/social-signon-reghandler.
2. From Setup, in the Quick Find box, enter Apex Classes, and select Apex Classes | New. To create a
registration handler for Azure, copy a sample Apex class.
3. On the Salesforce Auth. Provider page, edit the settings for the Azure AD Auth. Provider, and select
the registration handler that you created.
4. Enter a user for whom the registration handler executes, and save the settings.
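As an added example (not code from the page or from the salesforceidentity GitHub repository), a minimal Apex registration handler for the Azure AD Auth. Provider; the class name AzureRegHandler and the 'Standard User' profile name are assumptions, and the handler links returning identities on the provider's subject identifier rather than on email:

```apex
// Added example, not code from the page or from the salesforceidentity GitHub
// repository: a minimal Auth.RegistrationHandler for the Azure AD OpenID Connect
// provider. Assumes a profile named 'Standard User' exists in the org.
global class AzureRegHandler implements Auth.RegistrationHandler {

    public class RegistrationException extends Exception {}

    // Called on first login from an Azure AD identity that is not yet linked to a
    // Salesforce user. Returning an existing User links the identity to it;
    // returning a new (uninserted) User provisions it.
    global User createUser(Id portalId, Auth.UserData data) {
        // Link on the provider's stable subject identifier (data.identifier),
        // not on a mutable attribute such as email, which the user can change.
        List<User> linked = [SELECT Id FROM User
                             WHERE FederationIdentifier = :data.identifier
                             AND IsActive = true LIMIT 1];
        if (!linked.isEmpty()) {
            return linked[0];
        }
        if (String.isBlank(data.email)) {
            throw new RegistrationException('Azure AD did not return an email claim');
        }
        // Provision with a least-privilege profile; grant more via permission sets.
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        u.Username = data.email;   // must be unique across all Salesforce orgs
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? data.email : data.lastName;
        u.Alias = data.email.substringBefore('@').left(8);
        u.FederationIdentifier = data.identifier;
        u.ProfileId = p.Id;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        return u;
    }

    // Called on every later login. Refresh display attributes only; the profile
    // and the federation link are never changed from login-time claims.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        if (!String.isBlank(data.firstName)) u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) u.LastName = data.lastName;
        update u;
    }
}
```

Select this class as the registration handler in step 3 above; the user chosen in step 4 is the context in which these queries and the user insert run, so it needs permission to create users.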
Test SSO with Azure AD

Now it’s time to test the end-to-end SSO configuration, including the registration handler and the
authentication process, and log in to your Salesforce org.

1. Test SSO into Salesforce.
   a. In Setup, on the My Domain page under Authentication Configuration, click Edit.
   b. Select your Azure AD authentication service, and save the settings.
   c. Log out and go to your Salesforce org’s login page on your subdomain.
   d. Click the button for the Azure AD authentication service, and enter your Azure AD
   credentials.
2. Test SSO into your Salesforce Experience Cloud site.
   a. If you haven’t done so already, create the Azure AD authentication service account.
   b. Make sure that you have enough licenses for sites users.
   c. From Setup, in the Quick Find box, enter Digital Experiences, and then select All Sites.
   d. Select Workspaces next to the site you’d like to edit.
   e. From Experience Workspaces, select Administration, and then select Login &
   Registration.
   f. Under Login, select the option to display the Azure AD authentication provider, and save the
   settings.
   g. Log out, and go to the site login page.
   h. Choose the Azure AD authentication service, and log in with your Azure AD credentials.
