SP initiated SSO where salesforce acts as IDP
Is it possible to achieve SP-initiated SSO where Salesforce acts as the IDP?
Note: the user does not have to log in to the SP.
I have tried the 1-1 mapping scenario and it is working in my case.
But I need information on "how to achieve SSO when the user does not have identities at the SP". I am getting the exception below:
SAML 2.0 authentication failed with the message "IDP provided a name identifier that could not be mapped to valid principal at SP".
Are there any known limitations when Salesforce is used as the IDP? I am currently using the evaluation version.
Yes, it is possible, as I did this as an exercise before implementing a hosted IDP solution. I did it using two developer accounts I had created. Unfortunately my notes on the subject will not be available until Monday. For now I can say that for SAML User ID Type the Federation ID option was selected, and for SAML User ID Location the Attribute option was selected. I believe this was needed because the usernames were different on the two systems, and my Federation ID (Setup | My Personal Information | Personal Information) contained the user identifier that was being passed in the SAML assertion.
What I can also say now is that there is a Firefox plugin called SAML Tracer that will likely shed some light on what is happening in the request/response loop.
I will try to get back to you on Monday if this has not been resolved.
Thanks for your input. I was able to complete the above-mentioned setup today.
I have done "many to one" mapping in this case.
I mapped IDP users to anonymous at the SP and it's currently working.
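An added illustration (not code from this thread or from Salesforce) of the SP-side mapping the answer and the follow-up describe: SAML User ID Type and SAML User ID Location decide which identifier is read from the assertion and which principal table it is looked up in, and the "many to one" follow-up is a fallback to one shared principal. The sample assertion, the attribute name FederationIdentifier and the principal tables are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned fragment; only the mapping logic is shown).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>alice@idp.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FederationIdentifier">
      <saml:AttributeValue>fed-1001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SP-side principal tables (hypothetical). The SP username differs
# from the IdP username, which is exactly the situation the answer describes.
SP_USERS_BY_USERNAME = {"alice@sp.example": "alice"}
SP_USERS_BY_FEDERATION_ID = {"fed-1001": "alice"}

class MappingError(Exception):
    """The identifier sent by the IdP maps to no SP principal."""

def extract_identifier(assertion_xml, location, attribute_name="FederationIdentifier"):
    """SAML User ID Location: 'subject' reads the NameID, 'attribute' reads a named attribute."""
    root = ET.fromstring(assertion_xml)
    if location == "subject":
        node = root.find("saml:Subject/saml:NameID", NS)
    else:
        path = f"saml:AttributeStatement/saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
        node = root.find(path, NS)
    if node is None or not (node.text or "").strip():
        raise MappingError(f"no identifier found at {location}")
    return node.text.strip()

def map_principal(assertion_xml, user_id_type, user_id_location, anonymous_fallback=None):
    """SAML User ID Type: 'username' or 'federation_id'. Returns the SP principal name."""
    ident = extract_identifier(assertion_xml, user_id_location)
    table = SP_USERS_BY_FEDERATION_ID if user_id_type == "federation_id" else SP_USERS_BY_USERNAME
    principal = table.get(ident)
    if principal is None:
        if anonymous_fallback:
            # Many-to-one mapping from the follow-up: every unmatched IdP user lands on one
            # shared SP identity, so the SP loses per-user attribution in its own logs.
            return anonymous_fallback
        raise MappingError("IDP provided a name identifier that could not be mapped to valid principal at SP")
    return principal
```

Looking up the Subject NameID against SP usernames reproduces the error from the question, because the IdP and SP usernames differ; reading the Federation ID attribute instead resolves the same assertion to a real SP user.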