
Unable to implement SSO in Salesforce

I am implementing service provider-initiated SSO for Salesforce, where the service provider will be Salesforce and the identity provider will be a Lambda function. The Lambda code will allow a user in after verifying the user's mobile number. Once the mobile number is verified, a SAMLResponse will be sent by the Lambda.

I have configured SSO on Salesforce as below: [screenshot]

I am also able to generate a valid SAML response and have validated it with the Salesforce SAML validator as below:

[screenshot]

I have created a login page that Salesforce will redirect to.

I have also created an API that returns a unique SAML response every time for the given federation ID, as below: https://qodz4saz9a.execute-api.us-west-2.amazonaws.com/v1/generate-saml-response?FederationID=rahul@xyz.com

The URL of the Salesforce login page is https://im--partial.my.salesforce.com/ .

After all this setup, I am able to get redirected from Salesforce to the login page I have created by selecting the "Log In with a Different Account" option and then selecting "Twilio", as below:

[screenshot]

Salesforce is redirecting to the login page with a SAMLRequest parameter in the URL, as below:

http://salesforce-sso-page.s3-website-us-west-2.amazonaws.com/?SAMLRequest=fZJRc6IwFIX%2FC .....

I am not sure how to proceed from here and allow login to Salesforce from my login page. Once the user enters a mobile number and OTP, I am redirecting the user to the URL below:

https://im--partial.my.salesforce.com?SAMLResponse=PD94bWwgdmVyc2lvbj0i .....

Here I am using SAMLResponse as a query parameter to pass the base64-encoded SAML response for login to Salesforce. But I am not sure if this is the correct way to authenticate and log in to Salesforce.

After entering the OTP (the test OTP is 1234) I am getting the error below: [screenshot]

I am not using the SAMLRequest generated by Salesforce at all when generating the SAMLResponse for now.

I have gone through many documents but couldn't find a way to pass the SAMLResponse to Salesforce for login. Please let me know if anybody has any idea about it, or if I am following the wrong steps.

The SAML response is sent to the service provider in a specific "way"; the protocol refers to this as a binding. In this case the expected binding is HTTP POST. With HTTP POST as your binding, the SAML response must be submitted in the body of an HTTP request sent to the service provider via the POST method. The Login URL listed in the Single Sign-On Settings screen is the endpoint where the SAML response should be POSTed. It might look something like this:

POST / HTTP/1.1
Host: im--partial.my.salesforce.com
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn

SAMLResponse=<url-encoded base64 response>

Do you need to worry about the SAML request? It depends on your workflow and the desired end-user experience. The considerations that go into this decision deserve their own SO question. Meanwhile, take a look at the SAML Technical Overview for a summary of these workflows.

Last but not least, this whole sequence of authentication via your mobile number is supported out of the box on some Salesforce products.
