thilinamb

Federated SSO integration with SalesForce

Hi,

 

I am in the process of developing an Identity Solution which supports SAML 2.0 based SSO. After implementing it, I have been exploring some Service Providers who support SSO, and I found that SF supports SAML 2.0 based SSO.

 

At the moment, my implementation supports the SP initiated SSO scenario only. After going through your previous discussions and user guides, I got some knowledge about SF's SSO support. But I have some doubts which I would like to clarify.

 

How does SP initiated SSO work for SF? As I understand from your docs, the Identity Provider should send a SAML Assertion containing the Attribute Statement with ssoStartpage and logoutURL first. After that, whenever a user requests a protected resource, he will be redirected to the Identity Provider's start page. Have I understood it correctly? If this is the approach, users have to first send the assertion with this attribute statement from the IdP.

 

It would be really helpful if someone could explain how SP initiated SSO works for SF.

 

Thanks in advance.

/thilina 

 

  

crm_expert

Your understanding of SP initiated SSO is pretty much correct,

however this:

 

http://saml.xml.org/wiki/sp-initiated-single-sign-on-postartifact-bindings 

 

is a pretty good link.

 

 

~Sumit 

thilinamb

Hi,

 

Thanks Sumit for your reply and reference. :-)

 

I am concerned about how SP initiated SSO works for SalesForce. Seems like they have a different approach than other service providers who support SSO (e.g. Google Apps).

 

For SalesForce, is it required to send an assertion with an attribute statement containing ssoStartpage and logoutURL first? As I understand, only then does SF send the Authn Request using SAML POST binding and follow the message flow depicted in the specification. Is this complete sequence of actions always required when a user logs into SalesForce?

 

But according to the SAML 2.0 web browser specification, the SP initiated SSO message flow should start with SP sending the Authn Request to IdP.

 

Your help in figuring this out is much appreciated.

Thanks.

/thilina 

 

 

 

sandeep.casm

Even I'm looking to figure out the same.

Does SF support the SP initiated SSO?

Please let me know if you found the solution for the same.

 

regards

rao

strugglingWithSSO

Hey Guys,

 

I'm also having the same issue as you guys. Did you ever figure this out?

 

Thanks!

kotler

Looking for the same information, anyone at SF care to respond?