Microsoft Dynamics CRM WS-Fed Single Sign-On (SSO)

Microsoft Dynamics CRM offers both IdP-initiated SSO (for SSO access through the CyberArk Identity User Portal) and SP-initiated SSO (for SSO access directly through the Microsoft Dynamics CRM web application). The following is an overview of the steps required to configure the Microsoft Dynamics CRM web application for single sign-on (SSO) via WS-Federation (Web Services Federation).

  1. Prepare for Microsoft Dynamics CRM single sign-on (see Microsoft Dynamics CRM requirements for SSO).

  2. In the Admin Portal, add the application and configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configure Microsoft Dynamics CRM in the Admin Portal.

  3. Configure the Microsoft Dynamics CRM application for single sign-on.

    To configure Microsoft Dynamics CRM for SSO, copy the ADFS Metadata URL to the Microsoft Dynamics CRM Deployment Manager and complete the configuration. For details, see Configure Microsoft Dynamics CRM for SSO.

    After you are done configuring the application settings in the Admin Portal and the Microsoft Dynamics CRM application, users are ready to launch the application from the CyberArk Identity User Portal.

Microsoft Dynamics CRM requirements for SSO

Before you configure the Microsoft Dynamics CRM web application for SSO, you need the following:

  • An active Microsoft Dynamics CRM account with administrator rights for your organization.

  • A signed certificate.

    The certificate must have its private key embedded and be in .pfx or .p12 format. Upload this certificate to the Application Settings in the Admin Portal.
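A pre-upload check for the certificate requirement above, as an added example that is not part of the CyberArk documentation: it confirms that the bundle opens, that it contains a private key matching the certificate, and that the certificate is not close to expiry. The function name check_pfx, the PFX_PASS environment variable and the 30-day threshold are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not vendor code): sanity-check a .pfx/.p12 bundle before upload.
# check_pfx is a hypothetical helper. The bundle password is read from the
# exported PFX_PASS environment variable so it never appears in the process list.
#
# Return codes: 0 ok, 2 cannot open, 3 no private key,
#               4 key/certificate mismatch, 5 expires too soon.
check_pfx() {
    pfx=$1
    min_days=${2:-30}   # assumed policy threshold, not taken from the page

    # 1. The bundle must parse as PKCS#12 and the password must verify its MAC.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -noout 2>/dev/null || {
        echo "FAIL: cannot open bundle (wrong password or not PKCS#12)" >&2
        return 2
    }

    # 2. Extract the private key (kept in memory only) and derive its public key.
    key_pub=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] || { echo "FAIL: no private key in bundle" >&2; return 3; }

    # 3. The leaf certificate's public key must be the one derived from that key.
    cert=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null)
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || cert_pub=
    [ "$key_pub" = "$cert_pub" ] || {
        echo "FAIL: private key does not match certificate" >&2
        return 4
    }

    # 4. The certificate must stay valid for at least min_days more days.
    printf '%s\n' "$cert" |
        openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "FAIL: certificate expires within $min_days days" >&2
        return 5
    }

    # Report what is about to be uploaded.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    return 0
}
```

Export PFX_PASS in the calling shell, run `check_pfx path/to/bundle.pfx`, and unset the variable afterwards.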

Internet-facing deployment (IFD)

To make the Microsoft Dynamics CRM web application available to users connecting from the Internet, you need to configure an Internet-facing deployment (IFD) and enable external claims access. To do this, see the following:

https://technet.microsoft.com/en-us/library/gg188602.aspx

What you need to know about Microsoft Dynamics CRM

Each application is different. The following table lists features and functionality specific to Microsoft Dynamics CRM.

| Capability | Supported? | Support details |
|---|---|---|
| Web browser client | Yes | |
| Mobile client | Yes | |
| SP-initiated SSO | Yes | Users may go directly to the Microsoft Dynamics CRM URL and then use the CyberArk Identity SSO to authenticate. |
| IdP-initiated SSO | Yes | Users may use SSO to log in to Microsoft Dynamics CRM through the CyberArk Identity User Portal. |
| Force user login via SSO only | Yes | |
| Separate administrator login after SSO is enabled | No | |
| User or Administrator account lockout risk | Yes | There is a risk of being locked out of your account if users are forced to log in using SSO only. If a lockout occurs, you may need to disable SSO temporarily to bypass the lockout. |
| Automatic user provisioning | No | |
| Multiple User types | Yes | See Microsoft Dynamics CRM documentation for details. |
| Self-service password | No | |
| Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application. |

Configure Microsoft Dynamics CRM in the Admin Portal

Configure Microsoft Dynamics CRM for SSO

Make sure you have the ADFS Metadata URL from the Application Settings page in the Admin Portal.

For more information about Microsoft Dynamics CRM

For more information about configuring Microsoft Dynamics CRM for SSO, see https://technet.microsoft.com/en-us/library/dn920270.aspx.

Session lost when browser cookies are cleared

If a user is logged in to the Microsoft Dynamics CRM application and then manually clears browser cookies, the session with the Microsoft Dynamics CRM application is lost (an Authentication Required window is displayed requesting password credentials). This is the result of the calls that the Microsoft Dynamics CRM web client makes to the web service. To redirect to CyberArk, you must click any link on the Microsoft Dynamics CRM web page. Clicking Cancel or OK after entering CyberArk password credentials in the Authentication Required window does not restore the session.