function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

SSO with Salesforce as Identity Provider and Portal users

HI All,


We are using Salesforce as IdP and we enabled also the Single Sign-on settings in Salesforce. Now we want to use Heroku and Play! to access Salesforce and the Play! application is the service provider.


This all works fine when using an internal salesforce user, but we want to use this functionality with a customer portal user but how can we manage that.


I found a doc where it states that we need to add the portal_id and the organization_id to the saml assertion but we only have a saml request and the saml assertion comes from the identity provider i think.


Help would be appreciated.


thx Sven


IDP Initiated SAML is the easiest mechanism for supporting this.   It will just work if the user is signed in.


If you need to use SP-Initiated SAML, this needs to be exposed through a Site.   I'd still use IDP initiated SAML, as true SP-Initated SAML only works for logged in Site users until our Winter Release.




Can you provide a bit more detail about how we can use a site to get SP initiated SAML to work? I am thinking it as something to do with having the SP redirect to an unauth sites page (instead of that standard SP inititated SAML url), somehow passing a relaystate, then using the sites page to do IdP initited SAML with that relaystate.


Am I on the right track there?




(also in your post where you wrote: "... true SP-Initated SAML only works for logged in Site users until our Winter Release.", did you mean for standard non-portal users?)


That's right - you basically can redirect a user to an IDP intiaited endpoint - it basically allows you to achieve the same things as IDP init.


If you search Help and Training there is an example login controller that does a direct and sends RelayState


Thanks Chuck - can't seem to find the example controller - if you have the link handy please send it, otherwise no worries I'll take a crack at it


Thanks Chuck - not exactly what I was looking for but helpful - I actually need the SFDC site to be the IdP here and function in a SP initiated flow. So a deeplink/bookmark to the SP should redirect to the SFDC site, prompt login & redirect to the initially requested SP target.


Here is what I came up with...


My SFDC site has an unauthenticed VF page to intercept the SAML request, grab the relay state & initate IdP initated SSO with the relay state. The SP just needs to be configured to point to that VF page to initiate the flow.


This is what the VF controller & page look like - I tested with 2 SFDC orgs & it works - is this the right way to do this?


 * Controller to enable SP initated SSO using a SFDC site as IdP
global class RelayStateController {

    global String username {get; set;}
    global String password {get; set;}
//  Format the IdP init URL
//  ---------------------------------------------------------------------------------------------    
    public String relaystate = System.currentPageReference().getParameters().get('RelayState');
    public String getRelayurl(){           
        String relaystring = '';
        if(relaystate != null){
                String idpStart = '/idp/login?app=0spE0000000GmgD'; // IdP initated URL provided by SFDC
                String relaysubstr = relaystate.substring(1,relaystate.length());  // remove prepended slash
                relaystring = idpStart+'&RelayState='+relaysubstr; // add the relay state
            } catch(exception x){
        return relaystring;

//  Login & set start URL to start the IdP initiated SSO with the relay state
//  --------------------------------------------------------------------------------------------- 
    global PageReference login() {        
            return Site.login(username, password, getRelayurl());
        } catch (Exception x){
        return null;
    global RelayStateController () {}

<apex:page showHeader="false" sidebar="false" controller="RelayStateController">
Relay State: {!$CurrentPage.parameters.RelayState}<br/>
Relay URL: {!relayURL}
  <apex:form id="loginForm" forceSSL="true">
    <apex:outputPanel layout="block">
      <apex:pageMessages id="error"/>
      <apex:panelGrid columns="2" style="margin-top:1em;">
        <apex:outputLabel value="{!$}" for="username"/>
        <apex:inputText id="username" value="{!username}"/>
        <apex:outputLabel value="{!$}" for="password"/>
        <apex:inputSecret id="password" value="{!password}"/>
        <apex:outputText value=""/>
        <apex:commandButton action="{!login}" value="{!$}" id="loginButton"/>
        <apex:outputText value=""/>
        <apex:outputText value=""/>
        <apex:outputText value=""/>
        <apex:panelGroup id="theLinks">
          <apex:outputLink value="{!$Page.ForgotPassword}"> {!$}</apex:outputLink>
          <apex:outputText value=" | " rendered="{!$Site.RegistrationEnabled}" />
          <apex:outputLink value="{!$Page.SiteRegister}" rendered="{!$Site.RegistrationEnabled}">{!$}</apex:outputLink>






That's the right way to do it with a Site.   Our new Communities Pilot makes this more straighfroward, but you're doing the right thing for now.


Sorry to jump in, but am I understanding that Salesforce can now serve as an identify provider for customer portal users?


That's correct.   Best when exposed through a Site


I am trying to do the same thing ... where is this located, the app ID.  Are you creating a new Service Provider?


 String idpStart = '/idp/login?app=0spE0000000GmgD'; // IdP initated URL provided by SFDC


Yes its provided automatically in the SP detail page when you create a new SP.


Thank you for the quick response.  I have been searching everywhere for a solution.  If you don't mind I'd like to recap what we are trying to do to make sure it is the same.


Right now I have Idp setup and I have a Service Provider setup for Google Mail.  It works as expected, the user goes to google and they get redirected back to the Issuer URL, they login and are sent to gmail.  If the user logs in to SFDC using the issuer url and they click a gmail link inside of Salesforce they pass right into google already logged in.


I have portal users who this doesn't work for.  So based on this solution I would create a login page as you have posted and then direct all user to that page to login and it will handle if they are portal or not or is this only for portal users to login.  For the google example would I alter the Sign in page url from the ttps:// to the page created?


Sorry for so many questions, trying to wrap my head around this.  I appreciate it.


I know this posting is old, but just wondering if it works since I have a related requirement.


I assume this controller and page are on the IDP org and where Sites is enabled.

And the SP in this case from what I've read is a Portal (with Sites).


What is the configuration on the SP to point to the VF on the IDP - is it simply a VF set up as the SP Sites Active Home Page

that does nothing but redirect to the VF on the IDP?


Apologies, but a bit confused on what this entails.



Instead of making the redirect the Active Home Page, I'd put the redirect logic in your Un-Authorized controller, or Login page for the SP


Hi all,


I want to allow users to login to gmail with salesforce credential, ie i want them to be redirect on click of a link or a tab, can some one please help me how to achieve this.




If you look in Help and Training, you'll find an example in the SAML Identity Provider help on how to setup SSO for Google Apps.    We should have a video posted on your youtube channels in 1 week as well.

Alex RothAlex Roth
Hey All,

I know this is old now, but has anyone managed to set this up using Communities? Does anyone know if a Community can function as an IDP?

We are trying to get SP initiated flow with Parter Community User accounts acting as the identity.  So far the documentation has been very thin regarding Community SSO setup as the IDP, though I imagine it is possible given the deprecation of sites.

@jhenny, did you ever get this figured out?
Alexander BernsteinAlexander Bernstein
Hi all,

I have a very similar problem to JHenny's. But from my understanding the answers already given will not work:

I have customer portal users which want to click a link in the portal that takes them to a third party system. They are already authenticated themselves so I don't want to put another login form in front of them because the other system can use SSO and the SF-Org is configured as IDP. 

So is there an easy way to do the Code Example here, without having to prompt the user another login interface?

john senjohn sen
Hi Jhenny,
I am also trying to adopt the approach which you have taken for salesforce as IDP.

But can you please tell me, where to configure VF page so that it will be redirected by service provider.

How it's flow actual work?

jackie rodwelljackie rodwell
Hi Chuck,

Just wanted to understand more on this front. We have setup Salesforce as ID-P and Biller Direct (SAP Product) as Service Provider. We are placing our "ID-p Initiated Login URL" in our customer portals and it is failing to do an SSO to Biller Direct. Can anyone suggest me what am I missing here ?

Appreciate your help.

Akhil ReddyAkhil Reddy
I think the following soultion would be ideal:
  1. IdP should be enabled in salesforce org which should give x509 certificate
  2. The x509 will be consumed by external app (service provider is this case: Play) and provides 
    Entity Id, ACS URL and Subject type to be specified in connected app
  3. Setup Connected app in salesforce using given Entity Id, ACS URL and Subject type from the Service Provider.
  4. Salesforce will generate distinctive IdP-Initiated Login URLs salesforce instance as well as for communities available
  5. Enable communities and assign specific profile for targeted external users
  6. Develop custom vf page and call login api where external user will be logged and pass specific string generated in custom app (/communityurlschema/idp/login?app=*********) as 3rd paramater.
  7. String should be relative url. And it can use app parameter or apiname parameter which can be retrived from the custom settings or metadata for more control.
  8. System will generate the SAML for the loged in user based on connected app values and redirect user to ACS URL will SAML assertions