vasvas 

SP initiated SSO with Sites/ Customer portal via SAML

I posted this under another long thread which probably is buried somewhere. No responses there, so posting here again:

The way SP initiated SSO is currently supported in SFDC, it will only work if there was IdP initiated SSO once. My requirement needs SP initiated SSO and we can't do IdP initiated even once. The "My Domain" feature would have addressed my need, but I guess it's not going to be available till the winter release (anyone know the date?).

My question is: shouldn't SP initiated SSO work seamlessly with Sites, given that a site uses a custom domain? I haven't tried it, but based on other posts here it looks like it doesn't. So, is there any solution to make SP initiated SSO work (without IdP initiated once)?

I came across this in the help:

If you want to use SAML for Sites when a service provider initiates sign-on, you must first create a Visualforce page that provides a redirect to your server. The following is an example:
<apex:page showHeader="false" sidebar="false">
    <script>
        // IdP's SP-initiated SSO endpoint, with the partner (SP) id Salesforce is registered under
        var PingSpURL = "https://my.pingserver.com:9031/idp/startSSO.ping?PartnerSpId=salesforce.com.sp";
        // Where the IdP should send the user after authentication: the site's login page,
        // which then forwards to the page the user originally requested
        var siteLoginPage = "&TargetResource={!$Site.CurrentSiteUrl}siteLogin?startUrl={!$Site.OriginalUrl}";
        window.location = PingSpURL + siteLoginPage;
    </script>
</apex:page>

Where does this page go? Does it need to be the error page on Sites?

Or what if I set the cookies required for SSO from the Visualforce pages the user hits first? Will that kick off SSO?

A few other questions:

1. When SAML is enabled in Single Sign-On settings, does it apply to all users including Sites/Customer portal users? Is it possible to have SAML apply to only a set of users, and how?

2. Is it possible to have Delegated SSO for regular users and SAML SSO for Sites/portal users?

Thanks in advance.
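The help snippet above builds the redirect by plain string concatenation, so the `?startUrl=...` nested inside `TargetResource` is sent unencoded and the post-login destination is taken as-is. The following is an added example, not from the original post or from Salesforce help, showing the same redirect built with the nested query encoded as one parameter and the start URL restricted to a site-relative path; the IdP endpoint, partner id and parameter names are those from the help text, the `safeStartUrl` rule and the `example.force.com` site URL are this example's own assumptions.

```javascript
// Accept only site-relative paths as the post-login destination, so the
// redirect cannot be pointed at another origin ("//evil.example/..." or
// "https://..."). Anything else falls back to the site root.
// (Validation rule is an assumption of this example, not Salesforce behaviour.)
function safeStartUrl(startUrl, fallback) {
  if (typeof startUrl !== "string" || startUrl === "") return fallback;
  if (!startUrl.startsWith("/") || startUrl.startsWith("//")) return fallback;
  if (/[\\\r\n]/.test(startUrl)) return fallback; // backslash / CRLF variants
  return startUrl;
}

// Build the SP-initiated SSO URL: TargetResource is itself a URL carrying its
// own query string, so it must be encoded as a single parameter value. The
// help snippet appends it raw, which splits the inner "?startUrl=" off into
// the outer query when the IdP parses it.
function buildSsoRedirect(idpStartUrl, partnerSpId, siteUrl, startUrl) {
  const target =
    siteUrl.replace(/\/+$/, "") +
    "/siteLogin?startUrl=" +
    encodeURIComponent(safeStartUrl(startUrl, "/"));
  const params = new URLSearchParams({
    PartnerSpId: partnerSpId,
    TargetResource: target,
  });
  return idpStartUrl + "?" + params.toString();
}

// Constructed sample values standing in for {!$Site.CurrentSiteUrl} and
// {!$Site.OriginalUrl}; the IdP endpoint is the one from the help text.
const demoRedirect = buildSsoRedirect(
  "https://my.pingserver.com:9031/idp/startSSO.ping",
  "salesforce.com.sp",
  "https://example.force.com/mysite/",
  "/mysite/account?id=1"
);
```

In the Visualforce page itself the two `$Site` merge fields would be passed in where the constructed sample values are, and `window.location` set to the returned string.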