Using ODBC with Salesforce and Azure Active Directory (AD) Single Sign On (SSO)

This blog describes how to get an ODBC connection to a Salesforce instance that has been integrated with Azure AD.

The Salesforce ODBC driver has been tested with a Salesforce / Azure environment that was set up by following this Microsoft tutorial:

Azure AD Setup Notes
  1. Setting up Azure AD with Salesforce involves the creation of a Salesforce user that corresponds with the Azure AD user. Although you don't create this user manually, you need to ensure that you are not already at the Salesforce user limit. For example, if your Salesforce user limit is 10, and you already have 10 users, the Azure AD Salesforce integration will not be set up correctly because Azure AD will not be able to create the Salesforce user.
  2. When setting up Azure AD with Salesforce, we recommend temporarily unchecking Login Form in the Salesforce backend under Administration Setup > Domain Management > My Domain > Authentication Configuration > Edit. This will make it clear whether there's a problem with your Azure SSO setup, when you use the Test single sign-on with Salesforce facility in Azure AD.

Using the Easysoft Salesforce ODBC Driver with Azure AD SSO

After you have set up Salesforce SSO in Azure, you need to create an application that has user_impersonation on the Salesforce App:

  1. In the Azure Portal, register a new application in App Registrations. Choose Accounts in this organizational directory only. Choose Register.
  2. Copy the Application (client) ID, you will need this to create a Salesforce ODBC data source.
  3. Choose Certificates > secrets. Choose New client secret. Choose an expiry date and then choose Add.
  4. Copy the client secret value, you will need this to create a Salesforce ODBC data source.
  5. Choose API permissions. Choose Add a Permission, and then choose APIs my organization uses > Salesforce > user_impersonation. Choose Add permissions.
  6. In Azure > Home > Enterprise applications, choose your new application. In Users and groups, add the Azure user that you want to be able to access Salesforce.

Install and license the Salesforce ODBC driver.

Complete the Salesforce ODBC data source configuration dialog box as follows:

Use Oauth SSO Azure
Consumer Key The Application (client) ID. This is located in the Azure Portal under Home > App registrations > application_name, where application_name is the Azure application you created with Salesforce user_impersonation permission (see the notes earlier in this blog).
Consumer Secret The Application (client) ID client secret. If you didn't create a copy of the client secret when you created the application, generate another one in Azure > Home > App registrations > application_name > Certificates & secrets.
SSO Resource The Salesforce My Domain URL. For example:


where salesforce_domain_name is the value shown in Azure > Home > Enterprise Applications > Salesforce > Single Sign-on > Basic SAML Configuration > Identifier (Entity ID).

SSO Tenant The Azure AD Tenant ID. This is located in Azure > Home > Azure Active Directory > Overview.
SSO Token URL The Salesforce OAuth 2.0 Token Endpoint. This is located in the Salesforce backend under Setup > Security Controls > Single Sign-On Settings > SAML Single Sign-On Settings > Azure AD SSO > OAuth 2.0 Token Endpoint. (Click the Azure AD SSO link, not the nearby Edit button.)

When you have completed the fields, choose Authenticate and obtain token.