Dean Bostedor

Azure AD and Communities

Error when authenticating to community site using SAML/Azure AD:  The reply address 'https://company2.force.com/login?so=00D41000001i0oF' does not match the reply addresses configured for the application: 'https://company1.my.salesforce.com'.
Hello,

We have recently implemented Azure AD single sign-on for Salesforce in both our production and test environments. This seems to work great. However, there does not seem to be a way to add additional reply URLs so that we can authenticate to our "Salesforce Communities". Our Salesforce URL for our main site is "https://companyname.my.salesforce.com/". Our "Community" domain sign-in URL is "https://companyname2.force.com/login".

In Azure, we've added the Salesforce application from the gallery. When we go to configure the application, we see a section for adding a reply URL but are forced to use a convention that meets the "https://example.my.salesforce.com" standard.
Has anyone else implemented salesforce SSO with more than one domain?  How do you add additional URLs?
We've looked at the following guides, but some seem to be outdated or don't include instructions for adding additional SAML reply URLs for Salesforce Community domains.
Guide from Microsoft Documentation for SAML, Azure AD, and Salesforce (note: no information about adding additional reply URLs for "Communities"):
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-salesforce-tutorial
Guide on Salesforce developer site using Open ID Connect and Azure AD (note: this includes information about implementing communities but hasn't been updated since Oct 2015 and seems to be missing steps or has out of date information.  Also, no user provisioning steps):
https://developer.salesforce.com/page/Login_with_Azure_AD
TechNet article for integrating SAML/Azure AD with Salesforce Sandbox (note: nothing about adding additional reply URLs for communities):
https://social.technet.microsoft.com/wiki/contents/articles/32146.azure-active-directory-integration-with-salesforce-sandbox.aspx

Also, we've tried to use OAuth and OpenID Connect with Azure using this guide:

https://developer.salesforce.com/page/Login_with_Azure_AD#Test_Connection_with_Azure_AD

The OAuth and OpenID Connect flow does not work following those instructions, and I believe it has something to do with the registration handler or possibly the Azure AD endpoints changing. Specifically, the Authorize, Token, and Profile Endpoint URLs don't seem to be the same anymore as seen when you click "endpoints" in Azure AD for the application. There isn't even a "profile endpoint" available, but instead a "graph API endpoint". So, instead of using https://login.windows.net/common/openid/userinfo, I'm guessing more code has to be written on Salesforce's end to work with https://graph.windows.net.


Any insight into these things would be greatly appreciated.

Thanks,
Dean

Richard Clarke (Artisan)
I have this working by setting up multiple auth providers, one for my domain and one for a community

AD URLs are 

authorization_endpoint: https://login.microsoftonline.com/{tenant}/oauth2/authorize
token_endpoint: https://login.microsoftonline.com/{tenant}/oauth2/token
end_session_endpoint: https://login.microsoftonline.com/{tenant}/oauth2/logout
issuer: https://sts.windows.net/{tenant}/
userinfo_endpoint: https://login.microsoftonline.com/{tenant}/openid/userinfo

The only remaining challenge in my case is that the user info profile does not include an email address, and without that self-registration is impossible.

Richard
IT Administrator 54
Richard's answer got me going in the right direction!
But I also cannot get email addresses to be included in the userdata that comes back from Azure.
I've set default scopes to 'openid email profile' and set required permissions in azure up to User.Read.All.

Has anyone had any luck getting this information from azure?
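The missing e-mail that both Richard and IT Administrator 54 describe is usually available in the id_token rather than in the Azure AD v1 userinfo response. The Apex registration handler below is an added example, not code posted by anyone in this thread or shipped by Salesforce or Microsoft: it first uses the e-mail Salesforce already parsed into Auth.UserData, then falls back to the id_token claims (email, upn, preferred_username, unique_name, in that order), checks the token's tid against the expected tenant, and refuses to create a user when no mail-shaped value is found instead of inventing a placeholder. It assumes the id_token is exposed in data.attributeMap under the key 'id_token'; the Community Account and Profile names and the tenant GUID are placeholders.

```apex
// Added example (not from the thread): Auth.RegistrationHandler for a Community
// auth provider backed by Azure AD OpenID Connect.
// Assumptions (labelled): the Account/Profile names and tenant GUID below are
// placeholders; the id_token is assumed to be present in data.attributeMap under
// the key 'id_token'.
global class AzureAdCommunityRegistrationHandler implements Auth.RegistrationHandler {

    // Hypothetical names; replace with the real Account and Profile of your Community.
    private static final String COMMUNITY_ACCOUNT_NAME = 'Community Self-Registration';
    private static final String COMMUNITY_PROFILE_NAME = 'Customer Community User';
    // Placeholder tenant GUID: tokens issued for any other tenant are rejected.
    private static final String EXPECTED_TENANT_ID = '00000000-0000-0000-0000-000000000000';

    public class RegistrationException extends Exception {}

    global User createUser(Id portalId, Auth.UserData data) {
        Map<String, Object> claims = idTokenClaims(data);
        // Fail closed: an id_token from another tenant must never create a user here.
        if (!EXPECTED_TENANT_ID.equals(claims.get('tid'))) {
            throw new RegistrationException('id_token tenant does not match the expected tenant');
        }
        String email = resolveEmail(data, claims);
        if (email == null) {
            // No placeholder address: without an e-mail we cannot match a Contact
            // or send password/notification mail safely.
            throw new RegistrationException('Azure AD returned no usable e-mail claim');
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :COMMUNITY_PROFILE_NAME LIMIT 1];
        Contact c = findOrCreateContact(email, data);
        User u = new User();
        u.ContactId = c.Id;
        u.ProfileId = p.Id;
        u.Email = email;
        // Username must be unique across all of Salesforce; key it to the provider's user id.
        u.Username = data.identifier + '@' + EXPECTED_TENANT_ID + '.community.example';
        u.Alias = (data.identifier + 'xxxxxxxx').substring(0, 8);
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'UTC';
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh only mutable profile attributes; never touch Username or Profile here.
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        update u;
    }

    // Prefer what Salesforce already parsed from userinfo; fall back to id_token claims.
    @TestVisible
    private static String resolveEmail(Auth.UserData data, Map<String, Object> claims) {
        if (String.isNotBlank(data.email)) return data.email;
        for (String key : new List<String>{ 'email', 'upn', 'preferred_username', 'unique_name' }) {
            Object v = claims.get(key);
            // upn/unique_name are only usable when they are actually mail-shaped.
            if (v instanceof String && ((String) v).contains('@')) return (String) v;
        }
        return null;
    }

    // Decodes the payload (second segment) of the JWT. No signature check is done here
    // because Salesforce obtained this id_token directly from the token endpoint over
    // TLS, so it is not attacker-supplied at this point (assumption about the flow).
    @TestVisible
    private static Map<String, Object> idTokenClaims(Auth.UserData data) {
        String jwt = data.attributeMap == null ? null : data.attributeMap.get('id_token');
        if (String.isBlank(jwt)) return new Map<String, Object>();
        List<String> parts = jwt.split('\\.');
        if (parts.size() < 2) return new Map<String, Object>();
        // base64url -> base64, then restore padding before decoding.
        String b64 = parts[1].replace('-', '+').replace('_', '/');
        while (Math.mod(b64.length(), 4) != 0) b64 += '=';
        Object parsed = JSON.deserializeUntyped(EncodingUtil.base64Decode(b64).toString());
        return parsed instanceof Map<String, Object>
            ? (Map<String, Object>) parsed : new Map<String, Object>();
    }

    private static Contact findOrCreateContact(String email, Auth.UserData data) {
        List<Contact> existing = [SELECT Id FROM Contact WHERE Email = :email LIMIT 1];
        if (!existing.isEmpty()) return existing[0];
        Account a = [SELECT Id FROM Account WHERE Name = :COMMUNITY_ACCOUNT_NAME LIMIT 1];
        Contact c = new Contact(AccountId = a.Id, Email = email, FirstName = data.firstName,
            LastName = String.isBlank(data.lastName) ? 'User' : data.lastName);
        insert c;
        return c;
    }
}
```

Select this class as the Registration Handler on the Community's auth provider and keep 'openid email profile' in the default scopes; if the tid check or the e-mail lookup fails, the user sees the registration error instead of an account being silently created with incomplete data.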