Configuring IdP and SSO Settings
Veeam Backup for Salesforce supports single sign-on (SSO) authentication using Microsoft Entra ID and Salesforce based on the OAuth 2.0 protocol. SSO authentication allows users to follow the corporate security policy and log in to Veeam Backup for Salesforce using the corporate identity provider (IdP).
Important
If you change IdP settings, all users added to Veeam Backup for Salesforce using these settings will become inactive. If you want to enable access for these users, choose the previously configured identity provider and save the settings.
Configuring IdP Settings Using Microsoft Entra ID
To configure IdP settings using Microsoft Entra ID, you must first register an application for Veeam Backup for Salesforce on the Microsoft Identity Platform. To learn how to register an application with the Microsoft Identity Platform, see Microsoft Docs.
When creating the application, consider the following:
- The following API permissions must be granted to the application:
  - GroupMember.Read.All
  - User.Read
  - User.Read.All
- The redirect URI added to the application must match the management server FQDN that you use to access the Veeam Backup for Salesforce Web UI. To make sure that you are adding the correct URI, switch to the Configuration page and navigate to Security > Single Sign-On. The address will be displayed in the Callback URL field.
Configuring IdP Settings on Veeam Backup for Salesforce Side
To configure the IdP settings on the Veeam Backup for Salesforce side, do the following:
- Switch to the Configuration page.
- Navigate to Security > Single Sign-On.
- Set the Enable single sign-on toggle to On.
- From the Identity Provider drop-down list, select Microsoft Entra ID.
- In the Application ID field, provide the Application ID of the registered application. You can find the ID on the app registration Overview pane on the Microsoft Identity Platform.
- In the Directory ID field, specify the Directory ID of the registered application. You can find the ID on the app registration Overview pane on the Microsoft Identity Platform.
- In the Client secret field, enter the value of a client secret created in the specified application.
  Keep in mind that you can see and copy a client secret value only when creating it. Otherwise, you will not be able to retrieve the value. To learn how to create client secrets, see Microsoft Docs.
- Click Save. You will be redirected to the Microsoft authentication page. Enter the credentials of the Microsoft user and log in to the application. Grant admin consent to the application if required. To learn how to do that, see Microsoft Docs.
As soon as the IdP settings are successfully configured, you can start adding users to Veeam Backup for Salesforce. Note that the Veeam Backup for Salesforce session timeout is 60 minutes. If the session expires, you must log in to Veeam Backup for Salesforce using the local administrator credentials once again, and continue adding users for the next 60 minutes.
Configuring IdP Settings Using Salesforce
You can configure Salesforce as an OpenID Connect identity provider that will allow users of your Salesforce organizations to log in to Veeam Backup for Salesforce. For more information, see Salesforce Documentation.
To be able to use Salesforce as an identity provider, you must grant the Access unique user identifiers (openid) OAuth scope to the Connected App used to authorize access to all Salesforce organizations protected by this Veeam Backup for Salesforce installation. For more information on the Connected App, see Changing Connected App Tokens.
Note
If you have an allowlist for Connected Apps configured in Salesforce, make sure that the product is included in that list and users are granted access to the Veeam Backup for Salesforce Connected App. For more information, see Salesforce Documentation.
Configuring IdP Settings on Veeam Backup for Salesforce Side
To configure the IdP settings on the Veeam Backup for Salesforce side, do the following:
- Switch to the Configuration page.
- Navigate to Security > Single Sign-On.
- Set the Enable single sign-on toggle to On.
- From the Identity Provider drop-down list, select Salesforce.
- In the Login domain field, choose one of the following:
  - If you want to authorize users of Salesforce production organizations only, select Production.
  - If you want to authorize users of Salesforce sandbox organizations only, select Sandbox.
  - If you want to authorize users of a specific Salesforce organization hosted on a custom domain, select Custom.
  If you select the Custom option, you must also specify the organization domain name.
- Click Save. You will be redirected to the Salesforce authentication webpage.
  On the Salesforce authentication webpage, enter the credentials of the Salesforce user and click Log in. The specified user must be granted permissions to read user data.
As soon as the IdP settings are successfully configured, you can start adding users to Veeam Backup for Salesforce. Note that the Veeam Backup for Salesforce session timeout is 60 minutes. If the session expires, you must log in to Veeam Backup for Salesforce using the local administrator credentials once again, and continue adding users for the next 60 minutes.
Important
If you enabled a Salesforce organization as an identity provider, do not use the integration user account to sign in to Veeam Backup for Salesforce, as it will cause the backup session token to expire after 5 login attempts. Backup jobs will fail with the expired Salesforce token message because the authorization token is revoked by Salesforce. You will have to reauthorize the connection to the Salesforce organization.
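Both procedures above (Microsoft Entra ID and Salesforce) feed the same OpenID Connect authorization-code flow: the Application ID or Connected App key becomes the client ID, the Directory ID or Login domain determines the issuer, and the Callback URL must be the redirect URI registered at the IdP. The following Python sketch is an added example, not Veeam's code, showing what those settings turn into on the wire and which ID token claims the relying party has to check before trusting a login. The Entra ID v2.0 and Salesforce endpoint paths are the public ones; the tenant ID, client IDs, callback path, domains and the sample claims are constructed placeholders, and the issuer values for Salesforce are assumptions based on its login-domain layout.

```python
"""Added example (not Veeam's code): the OIDC authorization-code flow that the
SSO settings on this page configure. All identifiers below are placeholders."""
import base64
import hashlib
import time
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

# Delegated scopes requested at login for Entra ID; Salesforce only needs openid.
ENTRA_SCOPES = "openid profile User.Read"

# Endpoints behind the Production/Sandbox options of the Login domain field.
SALESFORCE_LOGIN_DOMAINS = {
    "Production": "https://login.salesforce.com",
    "Sandbox": "https://test.salesforce.com",
}


@dataclass
class SsoSettings:
    provider: str           # "Microsoft Entra ID" or "Salesforce"
    client_id: str          # Entra: Application ID; Salesforce: Connected App consumer key
    callback_url: str       # must equal the Callback URL shown in the Web UI
    directory_id: str = ""  # Entra only (tenant ID)
    login_domain: str = ""  # Salesforce only: Production, Sandbox or a custom My Domain host


def check_callback_url(callback_url: str, server_fqdn: str) -> bool:
    """The redirect URI registered at the IdP must match the management server
    FQDN exactly and use HTTPS; the IdP rejects any other redirect target."""
    parts = urlsplit(callback_url)
    return parts.scheme == "https" and parts.hostname == server_fqdn.lower()


def issuer_for(settings: SsoSettings) -> str:
    """Expected 'iss' claim. Entra v2.0 tokens carry the tenant-scoped issuer;
    Salesforce issuers are assumed to be the login domain itself."""
    if settings.provider == "Microsoft Entra ID":
        return f"https://login.microsoftonline.com/{settings.directory_id}/v2.0"
    if settings.login_domain in SALESFORCE_LOGIN_DOMAINS:
        return SALESFORCE_LOGIN_DOMAINS[settings.login_domain]
    return f"https://{settings.login_domain}"  # Custom: the org's My Domain host


def authorize_endpoint(settings: SsoSettings) -> str:
    if settings.provider == "Microsoft Entra ID":
        return f"https://login.microsoftonline.com/{settings.directory_id}/oauth2/v2.0/authorize"
    return issuer_for(settings) + "/services/oauth2/authorize"


def build_authorize_url(settings: SsoSettings, state: str, nonce: str, verifier: str) -> str:
    """Authorization request with state (CSRF), nonce (token replay) and PKCE."""
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "client_id": settings.client_id,
        "response_type": "code",
        "redirect_uri": settings.callback_url,
        "scope": ENTRA_SCOPES if settings.provider == "Microsoft Entra ID" else "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint(settings) + "?" + urlencode(params)


def validate_id_token_claims(claims: dict, settings: SsoSettings, nonce: str, now=None) -> list:
    """Claim checks performed after the token signature has been verified against
    the IdP's JWKS (signature verification is out of scope here). Returns the
    names of the failed checks; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_for(settings):
        problems.append("iss")  # token minted by a different tenant/org
    aud = claims.get("aud")
    if not (aud == settings.client_id or (isinstance(aud, list) and settings.client_id in aud)):
        problems.append("aud")  # token issued for some other application
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    if claims.get("nonce") != nonce:
        problems.append("nonce")  # replayed or cross-session token
    return problems


if __name__ == "__main__":
    # Constructed settings: tenant, app ID and callback path are placeholders.
    entra = SsoSettings("Microsoft Entra ID", "app-id-placeholder",
                        "https://vbsf.example.com/callback", directory_id="tenant-id-placeholder")
    print(check_callback_url(entra.callback_url, "vbsf.example.com"))
    print(build_authorize_url(entra, "state123", "nonce456", "verifier-placeholder"))
    sample = {"iss": issuer_for(entra), "aud": "app-id-placeholder",
              "exp": time.time() + 300, "nonce": "nonce456"}
    print(validate_id_token_claims(sample, entra, "nonce456"))
```

Run as a script it prints the callback check, the authorization URL the browser would be sent to, and an empty list for the constructed claims. Changing the Directory ID in the settings makes the iss check fail, which is the practical reason a changed IdP configuration invalidates previously added users.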