Windows Azure AD SAML与Salesforce的集成是否支持服务提供商发起的SSO?
[英]Does the Windows Azure AD SAML integration with Salesforce support Service Provider-initiated SSO?
问题描述
I have successfully set up SSO integration between Azure AD and Salesforce as described in this article . 
如本文所述,我已经成功在Azure AD和Salesforce之间建立了SSO集成。
With this configuration, users must know to go to the Azure AD access panel in order to log in to Salesforce. 使用此配置,用户必须知道要转到Azure AD访问面板才能登录到Salesforce。 This appears to be standard Identity Provider-initiated SSO using SAML. 这似乎是使用SAML的标准身份提供商发起的SSO。
I'd like to use Service Provider-initiated SSO with Azure AD instead. 我想将服务提供商发起的SSO与Azure AD结合使用。 I'd like users to be able to open a deep-linked Salesforce URL, be redirected to the Azure AD login page, and then be redirected back to the originally requested URL. 我希望用户能够打开一个深链接的Salesforce URL,被重定向到Azure AD登录页面,然后被重定向回最初请求的URL。 Is this possible? 这可能吗?
2 个解决方案
解决方案1
3 已采纳 2014-02-18 19:27:11
I have confirmed with Microsoft that Windows Azure AD does not support a SP-initiated SAML flow for Salesforce. 我已与Microsoft确认Windows Azure AD不支持Salesforce的SP发起的SAML流程。 All access must be initiated from the Azure AD access panel. 必须从Azure AD访问面板启动所有访问。
Microsoft is working to address this in the future. Microsoft正在努力解决此问题。
解决方案2
1 2015-01-11 03:16:07
We set this up today and Salesforce Initiated SSO with Azure AD authentication works. 我们今天进行了设置,具有Azure AD身份验证的Salesforce发起的SSO可以工作。
Notes/Caveats to any Salesforce SAML / SSO Authentication: 任何Salesforce SAML / SSO身份验证的注释/注意事项:
You will have to setup a custom salesforce domain: eg. 您将必须设置自定义salesforce域:例如。 yourdomain.my.salesforce.com yourdomain.my.salesforce.com
Then, users will need to be trained to go there to login, and click "Azure SSO" button instead of entering salesforce credentials. 然后,将需要培训用户去那里登录,然后单击“ Azure SSO”按钮,而不是输入salesforce凭据。
Alternatively, users can continue going to salesforce.com proper, but will have to click "login to a custom domain" and then enter the domain name manually, which also constitutes retraining and which is harder. 另外,用户可以继续正常访问salesforce.com,但必须单击“登录到自定义域”,然后手动输入域名,这也构成了重新培训,并且难度更大。
You have the global choice of letting "Salesforce Passwords" co-exist with SAML / SSO auth. 您可以选择让“ Salesforce密码”与SAML / SSO身份验证共存。 You have to leave this enabled if you use anything that integrates with Salesforce like DBSync stuff. 如果您使用任何与Salesforce集成的东西(如DBSync之类的东西),则必须保持启用状态。 This is because you will have to use an admin/user account in salesforce for the integration which is not great. 这是因为您将不得不在Salesforce中使用管理员/用户帐户来进行集成,但这并不是很好。 A dedicated service account system for integration should exist by now, but that's another discussion. 到现在应该有一个专门的服务帐户系统集成,但这是另一个讨论。
Note: Logins were actually much faster using Azure AD auth... go figure. 注意:使用Azure AD身份验证实际上要快得多。
The setup and behavior of Salesforce "Client Apps" like Chatter Desktop, Salesforce1 Mobile App, Outlook Apps, Etc., will change a bit. 诸如Chatter Desktop,Salesforce1 Mobile App,Outlook Apps等之类的Salesforce“客户端应用程序”的设置和行为将有所变化。 We were able to figure them all out pretty easily, but new documentation will be required for organizations that provide tutorials to employees. 我们能够很容易地弄清楚它们的全部,但是向向员工提供教程的组织将需要新的文档。 Users have to logout on their phones, enter the new domain manually... all requires documentation. 用户必须注销手机,手动输入新域...所有都需要文档。
Setting up smooth user provisioning is fairly complex and requires a lot of configuration on the Azure AD side. 设置流畅的用户配置非常复杂,并且需要在Azure AD端进行大量配置。 Involves matching attributes between the systems, defining licenses, etc. 涉及系统之间的匹配属性,定义许可证等。
Finally, you're building a new non-trivial dependency between two cloud systems into your environment. 最后,您要在环境中的两个云系统之间建立新的重要关系。 In case you hadn't thought about it... it's significant. 如果您没有考虑过……那很重要。
Overall, we're extremely happy about the integration. 总体而言,我们对集成感到非常高兴。 It's awesome for us and seems to be fast. 对我们来说真棒,而且速度很快。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.