
SalesForce initiated SSO using openAM

We are implementing SSO for SalesForce using OpenAM. We followed the steps @ http://blogs.oracle.com/rangal/entry/saml2_salesforce_com

There are two scenarios:

1. IdP (OpenAM) initiated SSO.
2. Service provider (Salesforce) initiated SSO.

Scenario 1 works fine. Scenario 2 does not.

I read in the SSO best practices for Salesforce that scenario 2 cannot be implemented for Salesforce SSO. Is this correct?

Regards, Sameer

SP-initiated SAML SSO in Salesforce now uses the 'My Domain' feature to remove the need for the persistent cookie. Set up 'My Domain'; then, when users go to http://your_cust_name.my.salesforce.com, Salesforce will use the hostname to figure out the correct identity provider (IdP) to which it will redirect the user.

This article gives a good overview of the concept, and this one explains it specifically in the context of SSO from Microsoft Active Directory Federation Services. Even if you're using different software at the IdP, there is much useful information there!

SP-initiated SSO is possible with SFDC and relies on a cookie (ssostartpage) pre-existing in the browser beforehand. Meaning the user should perform IdP-initiated SSO the first time to set the cookie, then SP-initiated SSO is possible from that point forward.

See this post at the SFDC security forum for more details.
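Both answers above hinge on the same question: in an SP-initiated flow, how does the service provider know which IdP to send the browser to before any assertion has arrived (a hostname such as a 'My Domain' subdomain in the first answer, a previously set cookie in the second)? The following is an added example, not code from either answer, Salesforce or OpenAM, that models the SP-initiated SAML 2.0 exchange end to end: the SP resolves the IdP from the tenant hostname, builds an `AuthnRequest`, and sends it over the HTTP-Redirect binding; the IdP side then decodes the request and checks `Destination`, `Issuer`, the registered ACS URL and `IssueInstant` before it would ever authenticate the user. All hostnames, entity IDs and URLs are constructed placeholders, and the request is left unsigned to keep the focus on the flow.

```python
"""SP-initiated SAML 2.0 SSO modelled end to end (constructed example)."""
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed SP configuration. The hostname the user arrives on selects the
# IdP (the role a 'My Domain' subdomain plays), so no pre-existing cookie is needed.
SP_ENTITY_ID = "https://example-sp.test"            # placeholder
SP_ACS_URL = "https://example-sp.test/saml/acs"     # placeholder
IDP_BY_HOSTNAME = {
    "acme.my.example-sp.test": {                    # placeholder tenant hostname
        "entity_id": "https://openam.acme.test/openam",
        "sso_url": "https://openam.acme.test/openam/SSORedirect/metaAlias/idp",
    },
}
# Constructed IdP configuration: SP entity IDs mapped to their registered ACS URLs.
# Checking the ACS URL against metadata keeps a response from being delivered
# to an endpoint the SP never registered.
TRUSTED_SPS = {SP_ENTITY_ID: {SP_ACS_URL}}


def resolve_idp(hostname):
    """SP side: pick the IdP for the tenant hostname, or None if it is unknown."""
    return IDP_BY_HOSTNAME.get(hostname.lower())


def build_authn_request(idp, issue_instant=None):
    """SP side: build an unsigned AuthnRequest; returns (request_id, xml)."""
    if issue_instant is None:
        issue_instant = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    request_id = "_" + secrets.token_hex(16)    # SAML IDs must start with a letter or underscore
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp["sso_url"],
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(root, encoding="unicode")


def redirect_url(idp, xml, relay_state):
    """SP side, HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return idp["sso_url"] + "?" + urllib.parse.urlencode(params)


def sp_initiated_login(hostname, relay_state="/"):
    """SP side: the whole first leg; None means the IdP could not be determined."""
    idp = resolve_idp(hostname)
    if idp is None:
        return None
    _, xml = build_authn_request(idp)
    return redirect_url(idp, xml, relay_state)


def idp_decode_request(url, expected_destination, max_skew_seconds=300):
    """IdP side: decode SAMLRequest and validate it; returns (ok, detail)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    if root.get("Destination") != expected_destination:
        return False, "Destination mismatch"
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer not in TRUSTED_SPS:
        return False, "unknown Issuer"
    if root.get("AssertionConsumerServiceURL") not in TRUSTED_SPS[issuer]:
        return False, "ACS URL not registered for Issuer"
    issued = dt.datetime.strptime(root.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    if abs((dt.datetime.now(dt.timezone.utc) - issued).total_seconds()) > max_skew_seconds:
        return False, "IssueInstant outside allowed skew"
    return True, root.get("ID")   # the SP later matches this ID against InResponseTo


if __name__ == "__main__":
    url = sp_initiated_login("acme.my.example-sp.test", "/lightning")
    print(url)
    print(idp_decode_request(url, IDP_BY_HOSTNAME["acme.my.example-sp.test"]["sso_url"]))
```

The SP keeps the returned request ID and later requires the IdP's `Response` to carry it in `InResponseTo`, which is what distinguishes a genuine SP-initiated round trip from an unsolicited (IdP-initiated) response; a hostname that resolves to no IdP fails before any request is built, which is the failure the original question describes for scenario 2.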
