• kotler

I successfully implemented an IDP-initiated SSO with salesforce.com but am really struggling with implementing SP-initiated SSO.

Could anyone please explain how to implement it or provide a sample?

Any help will be appreciated,

Yoash

  • January 19, 2010

Hi,

I am in the process of developing an Identity Solution which supports SAML 2.0 based SSO. After implementing it, I have been exploring some Service Providers that support SSO, and I found that SF supports SAML 2.0 based SSO.

At the moment, my implementation supports only the SP-initiated SSO scenario. After going through your previous discussions and user guides, I got some knowledge about SF's SSO support. But I have some doubts which I would like to clarify.

How does SP-initiated SSO work for SF? As I understand from your docs, the Identity Provider should send a SAML Assertion containing the Attribute Statement with ssoStartpage and logoutURL first. After that, whenever a user requests a protected resource, he will be redirected to the Identity Provider's start page. Have I understood it correctly? If this is the approach, users have to first send the assertion with this attribute statement from the IdP.

It would be really helpful if someone could explain how SP-initiated SSO works for SF.

Thanks in advance.

/thilina