sandeep.casm

SSO Federated Authentication Help needed

Hi, 

We are trying to implement SSO using Federated Authentication (SAML).

I have the following implementation questions:

1) Using Federated Authentication, I have enabled everything that needs to be done in the Salesforce security setup for SSO settings. Now, how can I restrict users from logging in using the regular process?

2) How can I have SSO enabled on a per-user basis? I see from the documentation that this kind of feature can be enabled by having a profile with the "Is Single Sign-on" permission, a feature available in Delegated SSO.

Is there anything of that sort in Federated Authentication?

3) All of the official Salesforce documentation on enabling SSO relates to IdP-initiated SSO. What about SP-initiated SSO? Is there somewhere I can get the SP-initiated SSO documentation?

If so, how do I have users redirected to my login page when a user uses a bookmarked URL, or where in the Salesforce account configuration can I set up the URL for my login page?

I would greatly appreciate your feedback on the above questions, as we are now behind the scheduled delivery date for the SSO setup with Salesforce.

Thanks,

Rao


chuckmortimore

1) At the moment, you must either set their password to an unknown value, or set up a delegated authentication endpoint that prevents this. In a future release, you'll be able to prevent this using the new "My Domains" feature and preventing people from directly logging in. Should be in Winter if plan holds.

2) Per-profile controls are only for Delegated Authentication. This does not exist for Federated / SAML.

3) If you read through the SAML documentation, you'll find information about special attributes to pass in your SAML assertions. If you pass an attribute called "ssoStartPage", we'll use its value as your AssertionConsumerService URL for SP-initiated, and send it SAML 2 Authn Requests. Note that you need to perform IdP-initiated at least once in order to pass this parameter to us. After we've seen it once, SP-initiated will just work. In a future release, you'll be able to use the "My Domains" feature in order to tie SP-initiated SSO to your domain directly. Should be in Winter if plan holds.
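An added example (not from this thread, and not Salesforce's own code) of the mechanism described in answer 3: an IdP-initiated SAML 2.0 Response carrying an `ssoStartPage` attribute, the service-provider side pulling that value out of the AttributeStatement, and the SP-initiated AuthnRequest that would later be sent to that URL. The sample response, the IdP and SP URLs and the entity IDs are all constructed placeholders, and the response is shown without its XML signature, which a real SP must verify before trusting any attribute in it.

```python
# Added example, not code from the forum thread or from Salesforce.
# Shows the round trip behind the "ssoStartPage" attribute: an IdP-initiated
# Response carries it, the SP extracts and checks it, and later SP-initiated
# AuthnRequests are addressed to it. All URLs/IDs below are constructed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP-initiated Response. Signature and Conditions elements are
# omitted for brevity; a production SP must validate the signature first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2009-06-01T12:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">rao@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="ssoStartPage">
        <saml:AttributeValue>https://idp.example.com/saml/sso</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="costCenter">
        <saml:AttributeValue>4711</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attribute(response_xml: str, name: str) -> Optional[str]:
    """Return the first AttributeValue of the named attribute, or None if absent."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def is_acceptable_start_page(url: str) -> bool:
    """Only an absolute https URL is accepted: the SP will redirect browsers here
    later, so a relative or plain-http value would be a downgrade/redirect risk."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def sso_start_page(response_xml: str) -> str:
    """Pull ssoStartPage out of an IdP-initiated Response and validate it."""
    url = extract_attribute(response_xml, "ssoStartPage")
    if url is None:
        raise ValueError("assertion carries no ssoStartPage attribute; "
                         "SP-initiated SSO cannot be configured from it")
    if not is_acceptable_start_page(url):
        raise ValueError(f"ssoStartPage must be an absolute https URL, got {url!r}")
    return url


def build_authn_request(sp_entity_id: str, acs_url: str, destination: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Build the (unsigned) SP-initiated AuthnRequest addressed to `destination`."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def parse_authn_request(request_xml: str) -> dict:
    """What the IdP sees on arrival: routing attributes plus the requesting issuer."""
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "Issuer": issuer.text if issuer is not None else None,
    }


if __name__ == "__main__":
    # Step 1: the IdP-initiated login delivers ssoStartPage; the SP remembers it.
    start = sso_start_page(SAMPLE_RESPONSE)
    print("SP-initiated AuthnRequests will be sent to:", start)
    # Step 2: a later bookmarked-URL visit triggers an AuthnRequest to that URL.
    print(build_authn_request("https://sp.example.com/saml", "https://sp.example.com/acs", start))
```

The `https` check on the extracted value is the defender's caveat: the attribute comes from the IdP's signed assertion, but the SP turns it into a redirect target, so it should still be validated before being stored. `xml.etree` is used here only because the input is constructed inline; an SP that parses assertions from the network should use a parser hardened against external entities and DTDs.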