SP initiated SSO where salesforce acts as IDP
Is it possible to achieve SP initiated SSO where Salesforce acts as IDP?
Note: the user does not have to log in to the SP.
I have tried the 1-1 mapping scenario and it is working in my case.
But I need information on "how to achieve SSO when the user does not have identities at the SP". I am getting the below exception:
saml authentication2.0 failed with message as "IDP provided a name identifier that could not be mapped to valid principal at SP."
Are there any known limitations when Salesforce is used as IDP? I am currently using the evaluation version.
Yes, it is possible, as I did this as an exercise before implementing a hosted IDP solution. I did it using two developer accounts I had created. Unfortunately my notes on the subject will not be available until Monday. For now I could say that for SAML User ID Type the Federation ID option was selected and for SAML User ID Location the Attribute option was selected. I believe this was needed because the usernames were different on the two systems, and my Federation ID (Setup | My Personal Information | Personal Information) contained the user identifier that was being passed in the SAML assertion.
What I could also say now is there is a Firefox plugin called SAML Tracer that will likely shed some light on what is happening in the request/response loop.
I will try to get back to you on Monday if this has not been resolved.
Thanks for your input. I was able to complete the above-mentioned setup today.
I have done "many to one" mapping in this case.
Mapped IDP users to anonymous at the SP and it's currently working.
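As an added illustration (not code from the question, the answer, or Salesforce), here is a hypothetical SP-side resolver showing why the "could not be mapped to valid principal" error arises under 1-1 mapping, and how the two fixes discussed in this thread, taking the identifier from a Federation ID attribute and the many-to-one mapping to an anonymous principal, resolve it. The assertion, the attribute name `FederationIdentifier`, and the SP user store are constructed for the example.

```python
"""SP-side SAML subject resolution (hypothetical example, not any SP's real code).
Assumes the Response signature has already been verified before this step."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; all values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@idp-org.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FederationIdentifier">
      <saml:AttributeValue>fed-1234</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SP user store keyed by the IdP's Federation ID (1-1 mapping).
SP_USERS_BY_FED_ID = {"fed-1234": "alice@sp.example"}


class PrincipalNotMapped(Exception):
    """No SP principal corresponds to the identifier the IdP supplied."""


def extract_identifier(assertion_xml, location="attribute", attr_name="FederationIdentifier"):
    """Return the user identifier from <NameID> or from the named attribute
    (the SP-side equivalent of the 'SAML User ID Location' choice)."""
    root = ET.fromstring(assertion_xml)
    if location == "nameid":
        node = root.find("saml:Subject/saml:NameID", NS)
    else:
        path = f"saml:AttributeStatement/saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
        node = root.find(path, NS)
    if node is None or not (node.text or "").strip():
        raise PrincipalNotMapped("identifier not present in assertion")
    return node.text.strip()


def resolve_principal(assertion_xml, location="attribute", anonymous_principal=None):
    """Map the assertion to an SP principal.
    1-1 mode: the identifier must exist in SP_USERS_BY_FED_ID, else the
    'could not be mapped to valid principal' condition is raised.
    Many-to-one mode (anonymous_principal set): unknown users share one principal."""
    ident = extract_identifier(assertion_xml, location)
    if ident in SP_USERS_BY_FED_ID:
        return SP_USERS_BY_FED_ID[ident]
    if anonymous_principal is not None:
        return anonymous_principal
    raise PrincipalNotMapped(f"IdP identifier {ident!r} could not be mapped to a valid principal at SP")
```

Note that the anonymous principal in many-to-one mode should carry only the minimum privileges needed, since every IdP user without a local identity lands on it.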