
SSO clarifications

I want to clarify some things about the SAML supported SSO that
Salesforce has. Usually with SAML, the service provider will send
an authentication request and then the identity provider will send a
response back. With Salesforce, it seems like there are no
assertions sent by the service provider. All that happens is the
identity provider sends assertions to Salesforce, then it checks the
information sent with the configuration settings and decides whether
or not to let the user sign on. Is this understanding correct?
Also, is the SSO for users to sign on to their Salesforce accounts alone?
Can it be used to sign on to individual applications as well?
Thanks in advance.
The scenario you described is called SP-initiated SSO, which is not currently supported. We are only supporting IdP-initiated SSO. You visit the IdP first, then the IdP returns an auto-post form to Salesforce.com with a SAMLResponse param. We then validate the message and grant access if everything checks out against the pre-defined configuration. The signed-on user can access his/her account and apps with no difference from signing on with username/password.

Jong Lee
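The IdP-initiated exchange described in the answer above, as an added example that is not part of the original thread and not Salesforce's own code: the IdP builds a SAMLResponse, wraps it in a self-submitting form, and the SP decodes the posted message and checks it against its pre-defined configuration. All values in SP_CONFIG, the example.com URLs, the sample subject and the assertion ID are constructed for the example. The XML-DSig signature check is assumed to have been done by a SAML library against the configured IdP certificate and is passed in as the `signature_verified` flag rather than implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 protocol and assertion namespaces.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed SP-side configuration; every value is an assumption for this example.
SP_CONFIG = {
    "idp_issuer": "https://idp.example.com/metadata",   # trusted IdP entity ID
    "audience": "https://sp.example.com/saml/metadata", # this SP's entity ID
    "acs_url": "https://sp.example.com/saml/acs",       # where the form must POST
    "clock_skew": timedelta(minutes=3),
}


def build_saml_response(config, subject, assertion_id, now):
    """IdP side: minimal SAMLResponse for the IdP-initiated flow (constructed, unsigned).

    There is no InResponseTo attribute because nothing from the SP started this exchange.
    """
    def stamp(t):
        return t.strftime(TIME_FMT)
    xml = (
        f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}" '
        f'ID="_r{assertion_id}" Version="2.0" IssueInstant="{stamp(now)}" '
        f'Destination="{config["acs_url"]}">'
        f'<saml2:Issuer>{config["idp_issuer"]}</saml2:Issuer>'
        f'<saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>'
        f'<saml2:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{stamp(now)}">'
        f'<saml2:Issuer>{config["idp_issuer"]}</saml2:Issuer>'
        f'<saml2:Subject><saml2:NameID>{subject}</saml2:NameID></saml2:Subject>'
        f'<saml2:Conditions NotBefore="{stamp(now - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{stamp(now + timedelta(minutes=5))}">'
        f'<saml2:AudienceRestriction><saml2:Audience>{config["audience"]}</saml2:Audience>'
        f'</saml2:AudienceRestriction></saml2:Conditions>'
        f'</saml2:Assertion></saml2p:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def auto_post_form(acs_url, saml_response_b64):
    """IdP side: the self-submitting form the browser relays to the SP's ACS URL."""
    return (f'<form method="POST" action="{acs_url}">'
            f'<input type="hidden" name="SAMLResponse" value="{saml_response_b64}"/>'
            '</form><script>document.forms[0].submit()</script>')


def validate_saml_response(saml_response_b64, config, now, seen_ids, signature_verified):
    """SP side: check the posted message against configuration. Returns (granted, reason, subject).

    `signature_verified` is the outcome of the XML-DSig check a SAML library must run
    against the configured IdP certificate before anything below is trusted.
    """
    if not signature_verified:
        return False, "signature not verified against configured IdP certificate", None
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError):
        return False, "SAMLResponse is not base64-encoded XML", None
    if root.tag != f'{{{NS["saml2p"]}}}Response':
        return False, "root element is not saml2p:Response", None
    # A response minted for another SP's ACS URL is not ours.
    if root.get("Destination") != config["acs_url"]:
        return False, "Destination does not match ACS URL", None
    if root.findtext("saml2:Issuer", namespaces=NS) != config["idp_issuer"]:
        return False, "response issuer is not the configured IdP", None
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None or assertion.findtext("saml2:Issuer", namespaces=NS) != config["idp_issuer"]:
        return False, "assertion missing or issued by another party", None
    # No InResponseTo to tie the message to a request, so replay protection comes from
    # remembering consumed assertion IDs for as long as they could still be valid.
    aid = assertion.get("ID")
    if not aid or aid in seen_ids:
        return False, "assertion ID missing or already consumed", None
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "Conditions with a validity window are required", None
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    skew = config["clock_skew"]
    if now + skew < not_before or now - skew >= not_after:
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if config["audience"] not in audiences:
        return False, "audience restriction does not name this SP", None
    subject = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if not subject:
        return False, "no NameID in subject", None
    seen_ids.add(aid)
    return True, "ok", subject
```

Run it by calling `build_saml_response(SP_CONFIG, "alice@example.com", "_a1", now)`, passing the result through `auto_post_form`, and feeding the same base64 string to `validate_saml_response` with an empty `seen_ids` set; a second call with the same set is refused as a replay, and a call with `now` moved ten minutes ahead fails the validity window.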

Messages such as these that are no longer true should be updated or deleted by Salesforce.