Azure Entra ID SSO

Azure Entra ID, formerly Azure Active Directory (Azure AD), is a cloud-based identity and access management (IAM) service that manages identities and permissions across cloud and on-premises environments. This guide explains how to configure SAML for Cloudaware in a customer’s Azure Enterprise Application and set up SSO.

Setup in Azure

Sign in to the Azure Portal. Navigate to Enterprise Applications -> + New Application.
Search for the Salesforce App in the Microsoft Entra Gallery. Enter a name for your app and select Create.
In the app’s ‘Overview’ section, select Set up single sign-on and click Get started.
Choose SAML as the single sign-on method.
Specify the following values in Basic SAML Configuration:
1. Identifier (Entity ID):
  https://<your_cloudaware_domain>.my.salesforce.com – this is part of the Cloudaware instance’s web address. The <your_cloudaware_domain> placeholder represents the unique Cloudaware instance ID
2. Reply URL (Assertion Consumer Service URL):
  https://<your_cloudaware_domain>.my.salesforce.com – this is part of the Cloudaware instance’s web address. The <your_cloudaware_domain> placeholder represents the unique Cloudaware instance ID
3. Sign-on URL:
  https://<your_cloudaware_domain>.lightning.force.com/CA10UI/lca.app – this is part of the Cloudaware instance’s web address. The <your_cloudaware_domain> placeholder represents the unique Cloudaware instance ID
Select Save.

Attributes & Claims:
By default, the Unique User Identifier (Name ID) is set to the user.userprincipalname Entra ID attribute. Adjust the value format if needed.

If required, enable JIT provisioning in Cloudaware by creating the following claims in the Additional claims section:

User.Username: Cloudaware runs on Salesforce, where usernames must be globally unique. Use the Join() transformation to specify the attribute value. For example:
cloudaware-<user_email>
User.FirstName: user.givenname
User.LastName: user.surname
User.ProfileId: Must match one of the Cloudaware profile names (for example, CloudAware Administrator, CloudAware User).

You can use claim conditions to assign the attribute value based on group membership. For example, if the user belongs to the Admins group → set to CloudAware Administrator.

User.Email: user.email
User.IsActive (Optional): If automation is in place to deactivate users in Cloudaware after a defined period of inactivity (no logins), this attribute statement can be added and set to true. Doing so ensures that a deactivated user is reactivated and able to log in.
Assign users or groups to the app.

When assigning an individual user, you will be prompted to select a role. Choose any role – the selection does not affect the actual Cloudaware role or profile.

Download and save the Federation Metadata XML file. You can find it in the ‘Single sign-on’ section of your app.

Setup in Cloudaware

Log in to Cloudaware → Setup.
Type Single in the Quick Find bar. Under Identity, select Single Sign-On Settings. Ensure that the SAML Enabled checkbox is checked.

Otherwise, click Edit, check the box and save the changes.

By default, the Federation ID required for SSO setup is case-sensitive. If required, make the setting case-insensitive by selecting the Make Federation ID case-insensitive checkbox:
Create a new SSO setting. Click New from Metadata File, upload the XML file from Azure Entra ID, and click Create.
Configure SAML Single Sign-On settings:
- Set the SSO setting name and API name.
- Choose SAML Identity Type.
- If required, enable Just-in-time^* User Provisioning and choose Standard for User Provisioning Type.
  ^*JIT requires selecting Assertion contains the Federation ID from the User Object as the SAML Identity Type.
  
  Click Save.
Configure Azure Entra as an authentication service. Type My domain in the Quick Find bar. Select My Domain. Scroll down to the Authentication Configuration section and click Edit.

Select the checkbox near the name of the recently created SSO configuration (in this example, Entra):

Click Save.