Veeam Backup for Salesforce 3
User Guide
ASK LLM
Ask ChatGPT
Ask Claude
Ask Gemini
Ask Grok
Ask Perplexity
Related documents
Search

Configuring IdP and SSO Settings

Veeam Backup for Salesforce supports single sign-on (SSO) authentication using Microsoft Entra ID and Salesforce based on the OAuth 2.0 protocol. SSO authentication allows users to follow the corporate security policy and log in to Veeam Backup for Salesforce using the corporate identity provider (IdP).

Important

If you change IdP settings, all users added to Veeam Backup for Salesforce using these settings will become inactive. If you want to enable access for these users, choose the previously configured identity provider and save the settings.

 

Configuring IdP and SSO Settings

Configuring IdP Settings Using Microsoft Entra ID

To configure IdP settings using Microsoft Entra ID, you must first create an application for Veeam Backup for Salesforce on the Microsoft Identify Platform. To learn how to register an application with the Microsoft Identity Platform, see Microsoft Docs.

When creating the application, consider the following:

  • GroupMember.Read.All
  • User.Read
  • User.Read.All

Note that these permissions require consent from a Microsoft Azure administrator.

  • The redirect URI added to the application must match the management server FQDN that you use to access the Veeam Backup for Salesforce Web UI. To make sure that you are adding the correct URI, switch to the Configuration page and navigate to Security > Single Sign-On. The address will be displayed in the Callback URL field.

Configuring IdP Settings on Veeam Backup for Salesforce Side

To configure the IdP settings for a Salesforce organization on the Veeam Backup for Salesforce side, do the following:

  1. Switch to the Configuration page.
  2. Navigate to Security > Single Sign-On.
  3. Set the Enable single sign-on toggle to On.
  4. From the Identity Provider drop-down list, select Microsoft Entra ID.
  5. In the Application ID field, provide the Application ID of the registered application. You can find the ID on the app registration Overview pane on the Microsoft Identify Platform.
  6. In the Directory ID field, specify the Directory ID of the registered application. You can find the ID on the app registration Overview pane on the Microsoft Identify Platform.
  7. In the Client secret field, enter the value of a client secret created in the specified application.

Keep in mind that you can see and copy a client secret value only when creating it. Otherwise, you will not be able to retrieve the value. To learn how to create client secrets, see Microsoft Docs.

  1. Click Save. You will be redirected to the Microsoft authentication page. Enter the credentials of the Microsoft user and log in to the application. Grant admin consent to the application if required. To learn how to do that, see Microsoft Docs.

As soon as the IdP settings are successfully configured, you can start adding users to Veeam Backup for Salesforce. Consider that the Veeam Backup for Salesforce session timeout is 60 minutes. If the session is expired, you must log in to Veeam Backup for Salesforce using the local administrator credentials once again, and continue adding users for the next 60 minutes.

 

Configuring IdP and SSO

Configuring IdP Settings Using Salesforce

You can configure Salesforce as an OpenID Connect identity provider that will allow users of your Salesforce organization to log in to Veeam Backup for Salesforce. For more information, see Salesforce Documentation.

To be able to use Salesforce as an identity provider, you must grant the access unique user identifiers (openid) OAuth scope to the external client app used to authorize access to the connected Salesforce organization. For more information on the OAuth scopes, see Salesforce Documentation.

Note

If you have an allowlist for external client apps configured in Salesforce, make sure that the product is included in that list and users are granted access to the Veeam Backup for Salesforce external client app. For more information, see Salesforce Documentation.

Configuring IdP Settings on Veeam Backup for Salesforce Side

To configure the IdP settings for a Salesforce organization on the Veeam Backup for Salesforce side, do the following:

  1. Switch to the Configuration page.
  2. Navigate to Security > Single Sign-On.
  3. Set the Enable single sign-on toggle to On.
  4. From the Identity Provider drop-down list, select the necessary Salesforce organization.
  5. Click Save. You will be redirected to the Salesforce authentication page.

On the Salesforce authentication page, enter credentials of the Salesforce user and click Log in. The specified user must be granted permissions to read user data.

As soon as the IdP settings are successfully configured, you can start adding users to Veeam Backup for Salesforce. Consider that the Veeam Backup for Salesforce session time out is 60 minutes. If the session is expired, you must log in to Veeam Backup for Salesforce using the local administrator credentials once again, and continue adding users for the next 60 minutes.

Important

  • You can configure Salesforce as an identity provider for one organization only. Note that only users of this organization will be able to log in to Veeam Backup for Salesforce using SSO.
  • If you configure a Salesforce organization as an identity provider, do not use the integration user account to sign in to Veeam Backup for Salesforce as it will cause the backup session token to expire after 5 login attempts. Backup jobs will fail with the expired Salesforce token message because the authorization token is revoked by Salesforce. You will have to reauthorize the connection to the Salesforce organization.

 

Configuring IdP and SSO

Page updated 4/13/2026

Page content applies to build 3.2.0.3957

View all results across Veeam Help Center
Back to document search