| title | Set up sign-in with a Salesforce SAML provider by using SAML protocol |
|---|---|
| titleSuffix | Azure AD B2C |
| description | Set up sign-in with a Salesforce SAML provider by using SAML protocol in Azure Active Directory B2C. |
| author | garrodonnell |
| manager | CelesteDG |
| ms.service | azure-active-directory |
| ms.topic | how-to |
| ms.date | 09/16/2021 |
| ms.author | godonnell |
| ms.subservice | b2c |
| zone_pivot_groups | b2c-policy-type |
[!INCLUDE active-directory-b2c-end-of-sale-notice-b]
[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]
::: zone pivot="b2c-user-flow"
[!INCLUDE active-directory-b2c-limited-to-custom-policy]
::: zone-end
::: zone pivot="b2c-custom-policy"
[!INCLUDE active-directory-b2c-advanced-audience-warning]
This article shows you how to enable sign-in for users from a Salesforce organization using custom policies in Azure Active Directory B2C (Azure AD B2C). You enable sign-in by adding a SAML identity provider to a custom policy.
[!INCLUDE active-directory-b2c-customization-prerequisites-custom-policy]
- If you haven't already done so, sign up for a free Developer Edition account. This article uses the Salesforce Lightning Experience.
- Set up a My Domain for your Salesforce organization.
- Sign in to Salesforce.
- On the left menu, under Settings, expand Identity, and then select Identity Provider.
- Select Enable Identity Provider.
- Under Select the certificate, select the certificate you want Salesforce to use to communicate with Azure AD B2C. You can use the default certificate.
- Click Save.
- On the Identity Provider page, select Service Providers are now created via Connected Apps. Click here.
- Under Basic Information, enter the required values for your connected app.
- Under Web App Settings, check the Enable SAML box.
- In the Entity ID field, enter the following URL. Make sure that you replace the value for `your-tenant` with the name of your Azure AD B2C tenant.

  `https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase`

  When using a custom domain, use the following format:

  `https://your-domain-name/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase`

- In the ACS URL field, enter the following URL. Make sure that you replace the value for `your-tenant` with the name of your Azure AD B2C tenant.

  `https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer`

  When using a custom domain, use the following format:

  `https://your-domain-name/your-tenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer`

- Scroll to the bottom of the list, and then click Save.
- On the overview page of your connected app, click Manage.
- Copy the value for Metadata Discovery Endpoint, and then save it. You'll use it later in this article.
- On the Manage page of your connected app, click Manage Profiles.
- Select the profiles (or groups of users) that you want to federate with Azure AD B2C. As a system administrator, select the System Administrator check box, so that you can federate by using your Salesforce account.
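The Metadata Discovery Endpoint you copied above serves a SAML `EntityDescriptor` that Azure AD B2C will later read to learn the Salesforce entity ID, single sign-on endpoints and signing certificate. Before a policy is pointed at it, it is worth inspecting that document and confirming it describes the organization you expect. The script below is an added example, not part of this article or of any Microsoft or Salesforce code: it parses a constructed metadata document shaped like the one Salesforce publishes (the host names are placeholders, and the certificate value is a made-up byte string rather than a real certificate), summarizes the fields B2C depends on, and reports findings such as an entity ID that does not match your My Domain. To use it against a real endpoint, pass the downloaded XML text to `parse_idp_metadata`.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the IdP signing certificate.
# NOT a real certificate: a real document carries the base64 DER of the
# certificate chosen in the "Select the certificate" step in Salesforce.
FAKE_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERT"

# Constructed sample shaped like the document served at the Metadata Discovery
# Endpoint (an EntityDescriptor with an IDPSSODescriptor). The host name is a
# placeholder, not a real Salesforce organization.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://your-domain.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>__CERT__</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-domain.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-domain.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("__CERT__", base64.b64encode(FAKE_CERT_DER).decode())


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the form in which certificate fingerprints are usually compared."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields B2C relies on: entity ID, SSO endpoints per binding, signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity does not act as an identity provider")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may be used for signing, so it is kept.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(der_fingerprint(der))
    return {"entity_id": root.get("entityID"), "sso_endpoints": endpoints, "signing_cert_sha256": fingerprints}


def check_metadata(summary: dict, expected_my_domain: str) -> list:
    """Return a list of findings; an empty list means the metadata is consistent with expectations."""
    findings = []
    host = urlparse(summary["entity_id"] or "").hostname or ""
    if host != expected_my_domain:
        findings.append(f"entityID host {host!r} does not match the My Domain {expected_my_domain!r}")
    if not summary["signing_cert_sha256"]:
        findings.append("no signing certificate published; B2C cannot verify assertion signatures")
    if not summary["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoint published")
    for binding, location in summary["sso_endpoints"].items():
        if urlparse(location).scheme != "https":
            findings.append(f"SSO endpoint for {binding} is not https: {location}")
    return findings


SAMPLE_SUMMARY = parse_idp_metadata(SAMPLE_METADATA)

if __name__ == "__main__":
    print(SAMPLE_SUMMARY)
    print(check_metadata(SAMPLE_SUMMARY, "your-domain.my.salesforce.com") or "no findings")
```

Record the signing-certificate fingerprint the script prints: when Salesforce rotates the certificate, comparing it against the value published at the metadata endpoint is the quickest way to tell whether a sudden burst of signature validation failures in B2C is a key rotation or something else.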
[!INCLUDE active-directory-b2c-create-self-signed-certificate]
You need to store the certificate that you created in your Azure AD B2C tenant.
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys and then select Add.
- For Options, choose Upload.
- Enter a Name for the policy. For example, SAMLSigningCert. The prefix `B2C_1A_` is automatically added to the name of your key.
- Browse to and select the B2CSigningCert.pfx certificate that you created.
- Enter the Password for the certificate.
- Click Create.
If you want users to sign in using a Salesforce account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You can define a Salesforce account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy. For more information, see define a SAML identity provider.
- Open the TrustFrameworkExtensions.xml.
- Find the ClaimsProviders element. If it does not exist, add it under the root element.
- Add a new ClaimsProvider as follows:

  ```xml
  <ClaimsProvider>
    <Domain>salesforce.com</Domain>
    <DisplayName>Salesforce</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Salesforce-SAML2">
        <DisplayName>Salesforce</DisplayName>
        <Description>Login with your Salesforce account</Description>
        <Protocol Name="SAML2"/>
        <Metadata>
          <Item Key="WantsEncryptedAssertions">false</Item>
          <Item Key="WantsSignedAssertions">false</Item>
          <Item Key="PartnerEntity">https://contoso-dev-ed.my.salesforce.com/.well-known/samlidp.xml</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userId"/>
          <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
          <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username"/>
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication"/>
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="salesforce.com" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
          <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  ```

- Update the value of PartnerEntity with the Salesforce metadata URL you copied earlier.
- Update the value of both instances of StorageReferenceId to the name of the key of your signing certificate. For example, `B2C_1A_SAMLSigningCert`.
- Locate the `<ClaimsProviders>` section and add the following XML snippet. If your policy already contains the `SM-Saml-idp` technical profile, skip to the next step. For more information, see single sign-on session management.

  ```xml
  <ClaimsProvider>
    <DisplayName>Session Management</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SM-Saml-idp">
        <DisplayName>Session Management Provider</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="IncludeSessionIndex">false</Item>
          <Item Key="RegisterServiceProviders">false</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  ```

- Save the file.
[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]
```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="SalesforceExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="SalesforceExchange" TechnicalProfileReferenceId="Salesforce-SAML2" />
  </ClaimsExchanges>
</OrchestrationStep>
```

[!INCLUDE active-directory-b2c-configure-relying-party-policy]
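The three pieces of policy XML above (the `Salesforce-SAML2` technical profile, the `SM-Saml-idp` session profile and the orchestration steps) are tied together only by string references, and a typo in any of them surfaces as an opaque failure when the policy is uploaded or run. The script below is an added example, not part of this article or of Microsoft's B2C tooling: it loads a constructed, trimmed `TrustFrameworkPolicy` fragment (the PartnerEntity host is a placeholder, and a real extensions file carries many more elements) and cross-checks that every `ClaimsExchange` resolves to an existing technical profile, every `ClaimsProviderSelection` resolves to an existing exchange, and each SAML2 profile has an https metadata URL that is no longer the sample contoso value, a `SamlMessageSigning` key under the `B2C_1A_` prefix, and a session-management profile that exists. Point `lint_policy` at the text of your own `TrustFrameworkExtensions.xml` to run the same checks.

```python
import xml.etree.ElementTree as ET

# Namespace of Azure AD B2C TrustFrameworkPolicy files.
B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"b": B2C_NS}


def _tag(name: str) -> str:
    return f"{{{B2C_NS}}}{name}"


# Constructed, trimmed policy fragment wiring the SAML profile, the session
# profile and the orchestration steps together. Placeholder host name; a real
# extensions file has many more elements and root attributes.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="Salesforce-SAML2">
          <Protocol Name="SAML2"/>
          <Metadata>
            <Item Key="WantsSignedAssertions">false</Item>
            <Item Key="PartnerEntity">https://your-domain.my.salesforce.com/.well-known/samlidp.xml</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
          </CryptographicKeys>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="SM-Saml-idp">
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="SalesforceExchange"/>
          </ClaimsProviderSelections>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="SalesforceExchange" TechnicalProfileReferenceId="Salesforce-SAML2"/>
          </ClaimsExchanges>
        </OrchestrationStep>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
"""

# Same fragment with a typo in the exchange's profile reference, to show a finding.
BROKEN_POLICY = SAMPLE_POLICY.replace(
    'TechnicalProfileReferenceId="Salesforce-SAML2"', 'TechnicalProfileReferenceId="Salesforce-SAML"')


def lint_policy(xml_text: str) -> list:
    """Cross-check the references a SAML claims provider depends on; returns a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    profiles = {tp.get("Id"): tp for tp in root.iter(_tag("TechnicalProfile"))}
    exchanges = {ce.get("Id"): ce for ce in root.iter(_tag("ClaimsExchange"))}

    # Every ClaimsExchange must point at a technical profile that exists.
    for ce_id, ce in exchanges.items():
        ref = ce.get("TechnicalProfileReferenceId")
        if ref not in profiles:
            findings.append(f"ClaimsExchange {ce_id}: unknown TechnicalProfileReferenceId {ref!r}")

    # Every sign-in button must target a ClaimsExchange that exists.
    for sel in root.iter(_tag("ClaimsProviderSelection")):
        target = sel.get("TargetClaimsExchangeId")
        if target is not None and target not in exchanges:
            findings.append(f"ClaimsProviderSelection: unknown TargetClaimsExchangeId {target!r}")

    # SAML2 profiles: metadata URL, signing key reference, session-management reference.
    for tp_id, tp in profiles.items():
        proto = tp.find("b:Protocol", NS)
        if proto is None or proto.get("Name") != "SAML2":
            continue
        items = {i.get("Key"): (i.text or "").strip() for i in tp.findall("b:Metadata/b:Item", NS)}
        partner = items.get("PartnerEntity", "")
        if not partner.startswith("https://"):
            findings.append(f"{tp_id}: PartnerEntity must be an https metadata URL, got {partner!r}")
        elif "contoso" in partner:
            findings.append(f"{tp_id}: PartnerEntity still points at the sample contoso-dev-ed metadata URL")
        keys = {k.get("Id"): k.get("StorageReferenceId") for k in tp.findall("b:CryptographicKeys/b:Key", NS)}
        if not (keys.get("SamlMessageSigning") or "").startswith("B2C_1A_"):
            findings.append(f"{tp_id}: SamlMessageSigning key must reference a B2C_1A_ policy key")
        sm = tp.find("b:UseTechnicalProfileForSessionManagement", NS)
        if sm is None or sm.get("ReferenceId") not in profiles:
            findings.append(f"{tp_id}: session management profile is missing or does not exist")
    return findings


if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY) or "no findings")
    print(lint_policy(BROKEN_POLICY))
```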
- Select your relying party policy, for example `B2C_1A_signup_signin`.
- For Application, select a web application that you previously registered. The Reply URL should show `https://jwt.ms`.
- Select the Run now button.
- From the sign-up or sign-in page, select Salesforce to sign in with Salesforce account.
If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
::: zone-end