Azure AD authentication deployments

In this section, we will build applications for our users and work through the different authentication mechanisms provided by Azure AD. All the configurations we do in this section will be done with global administrator rights and on the Azure portal, https://portal.azure.com. We will start with Salesforce configuration:

  1. Launch the Azure Active Directory blade and click Enterprise applications.
  2. Under All applications, click New application:

New application creation context
  3. Type Salesforce in the search field:

Salesforce enablement
  4. Under Single sign-on, change the mode to SAML authentication:

Choosing SAML as the authentication method
  5. Go to the SAML Signing Certificate section and click Download next to Certificate (Raw):

Downloading the signing certificate
  6. Now, log in to your Salesforce account and navigate to Identity | Single Sign-On Settings.
  7. Edit the SAML settings and check SAML Enabled:

Configuration of SAML in Salesforce
  8. Next, we will create new SAML Single Sign-On Settings; click New:

New settings dialog
  9. To gather the values for the configuration, jump back to your Azure portal and copy the three links to Notepad:

Salesforce configuration information about the Azure AD endpoints
  10. Fill in the following information on the Salesforce configuration page:

Salesforce SAML configuration page
  11. Next, we need to configure our Salesforce domain name under SETTINGS | Company Settings | My Domain.
  12. Use your tenant name and click Check Availability and then Register Domain:

Salesforce domain registration process
The registration process takes about 5-10 minutes.
  13. Refresh the page and click Edit under Authentication Configuration:

Authentication configuration dialog
  14. Click Open and upload a logo from Chapter 1, Building and Managing Azure Active Directory.
  15. Check AzureADSSO and click Save:

Choosing the Authentication service AzureADSSO
  16. Click Login and, if you are prompted to register your phone, click I Don't want ....
  17. If you are prompted, log in with your Salesforce administrator account.
  18. Next, under the My Domain section, click Deploy to Users and then OK.
  19. Now, we switch back to our Azure AD configuration.
  20. Set the Sign on URL and Identifier (Entity ID) text boxes to your domain value, https://<TENANT>-dev-ed.my.salesforce.com:

Azure AD Salesforce SAML configuration
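The values exchanged in the steps above (the Azure AD Identifier and Login URL copied to Notepad, and the Identifier (Entity ID) and Sign on URL set in Azure AD) are exactly what the service provider must check on every SAML Response. The following added example (not code from the book or from Salesforce) runs those checks over a constructed, unsigned response; the tenant id, the contoso my-domain, and the sts.windows.net issuer format are placeholders and assumptions, and signature verification with the downloaded Certificate (Raw) is deliberately left out.

```python
# Added example (not the book's code): checks a SAML Response against the values
# this walkthrough has you copy between Azure AD and Salesforce. Signature
# verification with the downloaded Certificate (Raw) is deliberately out of scope.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder tenant id and my-domain; the real values come from your two portals.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
IDP_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"       # Azure AD Identifier (assumed format)
SP_ENTITY_ID = "https://contoso-dev-ed.my.salesforce.com"  # Identifier (Entity ID) set in Azure AD
SP_ACS_URL = SP_ENTITY_ID                                  # Sign on URL in this walkthrough

def _ts(value):  # SAML UTC timestamp, e.g. 2019-01-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, now_iso):
    """Return a list of problems found; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination does not match the configured Sign on URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ISSUER:
        problems.append("Issuer is not our Azure AD tenant")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not include our Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    return problems

# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{SP_ACS_URL}" IssueInstant="2019-01-01T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>[email protected]</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-01-01T09:55:00Z" NotOnOrAfter="2019-01-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

A mismatch in any of these fields is what you see in practice when the Entity ID or Sign on URL in step 20 does not match the my-domain registered in Salesforce.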

Now that we have configured SAML authentication, we can activate user provisioning with Salesforce by following these steps:

  1. Under the Manage section, click Provisioning.
  2. In the Provisioning Mode drop-down list, select Automatic.
  3. Under Admin Credentials, type in the admin username and password used to access Salesforce.
  4. Obtain a secret token by switching to the Salesforce administration:

Secret token creation for provisioning
  5. Click Reset Security Token and you will receive a new security token by mail:

Get new secret token
  6. Next, we configure the provisioning settings in the Azure portal. Use the token from your mailbox and configure a notification email address:

Configuring the provisioning service

The following message is expected:

Test the connection to the Salesforce provisioning endpoint
  7. To use the newly deployed application, we need to create a group and assign it to the Salesforce application.
  8. Create the following group and assign a licensed user from the Sales department:

Group assignment for Salesforce app access
  9. Assign this group with the following values:

Role selection
  10. Under Manage | Provisioning | Settings, set Provisioning Status to On and leave the default Scope.
  11. Check the Clear current state and restart synchronization checkbox and click Save.
  12. In the Restart Synchronization window, click Yes:

Synchronization and Provisioning status information
  13. Test the application with your assigned test user at https://myapps.microsoft.com.
  14. The following result is expected, a successful logon:

Successful logon on Salesforce with test user

We successfully deployed Salesforce, including SAML and provisioning capabilities, to our Azure AD.

Now, we will use another feature in Azure AD with Twitter. For this, we use the password-based Sign-In option:

  1. First, we need to add the Twitter app from the application gallery. You already know the process from Salesforce:

Adding Twitter to app catalog
  2. Next, we choose Password-based Single Sign-on mode from the Single Sign-On section.
  3. The wizard automatically sets the correct URL for Twitter:

Choosing password-based authentication option
  4. We assign the sales and marketing application access group to the application, and then provide the credentials that we want to use and hide from the user:

Assigning the Twitter credentials to a group
  5. You are also able to Update Credentials on the assigned groups:

Update credentials option
  6. Now that we have configured the Twitter app for our sales and marketing users, you can test the functionality with the user at https://myapps.microsoft.com.
  7. You should get a Single Sign-On experience.

Some applications launched from the access panel (https://myapps.microsoft.com) require a browser extension in order to sign the user in:

  1. To configure Microsoft Edge for the access panel extension, launch your browser and navigate to https://myapps.microsoft.com
  2. Log in as a test user
  3. Click on Twitter
  4. Click Install Now
  5. Complete the installation wizard to install the My Apps Secure Sign-In Extension
  6. You get a new extension notification; click Turn it on
  7. Relaunch the browser and navigate to https://myapps.microsoft.com
  8. Log in as a test user

This is our first impression of Azure AD's capabilities. We will dive deeper in Chapter 8, Using Azure AD App Proxy and Web Application Proxy, and now start to configure our first applications in our ADFS infrastructure.
