kent.chen
What are his profiles and roles when a user reaches another site via SSO?
#Scenario1 Salesforce serves as IdP.
How can the service provider know this guy's profile and role?
#Scenario2 Salesforce serves as SP
How can SalesForce decide this guy's profile or role?
Kent,
I believe that in both cases, you're likely to have the user entry already existing at both partner sites. It's up to that partner site to decide what the user's permissions, etc. are.
For example - the subject type must be either Username or Federation ID (another attribute of a user's field at SFDC). This tells SFDC how to map the user at SFDC side.
For the 3rd party app - ultimately it's implementation specific how this user lookup is done, and thus the permission mapping etc.
Hope that helps...
Scott
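
An added example, not part of the reply above and not Salesforce code: a sketch of the service-provider side of the lookup described in the answer, where the asserted subject is matched to a local user by Username or Federation ID and the profile and role come from the SP's own record. The user store, field names and sample assertion are constructed, and signature and condition checks are assumed to have been done already.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Assumption: signature, issuer and validity
# window were already verified by a SAML library before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>fed-1001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>System Administrator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical local user store: each partner site keeps its own user entry.
LOCAL_USERS = [
    {"username": "kent@sp.example.test", "federation_id": "fed-1001",
     "profile": "Standard User", "role": "Sales Rep", "active": True},
    {"username": "old@sp.example.test", "federation_id": "fed-1002",
     "profile": "Standard User", "role": "Sales Rep", "active": False},
]

def subject_of(assertion_xml):
    """Return the NameID text from the assertion's Subject."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no subject")
    return name_id.text.strip()

def resolve_user(assertion_xml, subject_type):
    """Map the asserted subject to exactly one active local user.

    subject_type is "username" or "federation_id". Profile and role are read
    from the local record; the "role" attribute in the assertion is ignored.
    """
    if subject_type not in ("username", "federation_id"):
        raise ValueError("unsupported subject type")
    subject = subject_of(assertion_xml)
    matches = [u for u in LOCAL_USERS
               if u[subject_type] == subject and u["active"]]
    if len(matches) != 1:
        return None  # unknown, inactive or ambiguous subject: deny login
    user = matches[0]
    return {"username": user["username"],
            "profile": user["profile"], "role": user["role"]}
```
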