Scenario
The environment has below setup.
- On-premise Exchange Server (Decommissioned after migration)
- ADFS 2.0 setup with Dir Sync.
- Office 365 Tenant.
- ADFS 2.0 provides Federation for yammer and some other on premise apps.
- Write back has been enabled for DirSync.
The main SMTP domain of the client has been federated along with 6 other domains.
Application configuration as follow.
- Added the Office 365 AAD tenant to the client’s Azure subscription. This is not the default directory. Default directory is left intact.
- Added the Salesforce App and confirmed same as per below.http://social.technet.microsoft.com/wiki/contents/articles/26343.tutorial-azure-ad-integration-with-salesforce.aspx
Requirement
Users need to access salesforce by using myapps.microsoft.com without entering their salesforce credentials (Azure Federated Identity)
Issue
When a user logs in to myapps.microsoft.com and clicks SalesForce application he is redirected to the correct URL but SSO doesn’t happen. This happens for both cloud only (*.onmicrosoft.com) and on premise users.
Troubleshooting
- Configured same on a test Azure & Office 365 environment which doesn’t have ADFS. It works perfectly.
- In Salesforce cannot validate SAML response for the customer setup but in test setup SAML validation works fine.
Questions
- Is there any way we can bypass ADFS for this particular federated domain and use AAD as the authentication provider for salesforce?
- Is above possible with Azure Access Control Service?
- The organization needs ADFS to authenticate their on-premise applications. If Azure ADFS Proxy was introduced can this be addressed?
- Is there any way that we can configure federation for SalesForce on ADFS and allow the users to access it via myapps.microsoft.com?
Janaka Rangama MCT MIEEE MBCS (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable.)