benvk

Database.com Lite user experience for logins

Hi,

My scenario is that I'm trying to build a service on database.com but the user interface is running elsewhere (heroku) - and I'm mostly using database.com lite profiles. I want users to be able to set themselves up with their own logins - and I am doing this through a REST call to my db.com org which goes and creates users on a private request from an admin account from my Heroku based frontend. I'd like users to have a nice user experience during this process where I guide them through the steps and preferably not confuse them with emails from database.com/salesforce which have no context about why they are receiving an email. Therefore I thought I'd use SSO for the signup process or use SAML to completely take user signout out of the picture (which turns out to be not possible due to me not reading the whole manual :( ...)

Also, does anyone have any experience around providing a nice user interface for the signup process when branding their own product but using db.com? It seems rather difficult to me to get it smooth!
The options I've tried are:
1: Just using plain database.com standard usernames + passwords, etc.
This works 'ok', but the signup process is not very nice for users for various reasons:
a) I can't prompt users what's next after they receive an email from salesforce
b) WTF the users are thinking - I thought I was dealing with another company
c) there's a disconnect between the db.com user and my user state - if I use the login=consent for users to check that they are logging in as the relevant person (which happens for admins, etc) and they click the 'not you?' button, the user will never make it back to my domain and will get 'lost' on a database.com error page.
d) similar problem if the user forgets their password, or goes clicking around on the database.com site they can get lost.

2: Using Bearer SAML
I've tried using bearer SAML, but eventually got stuck on the fine print. I thought this was perfect as someone with the correct certificates could control getting access tokens from the server for anyone, but there's a weird bit of fine print:
"A SAML OAuth 2.0 bearer assertion request looks at all the previous approvals for the user that include a refresh_token. If matching approvals are found, the values of the approved scopes are combined and an access_token is issued. If no previous approvals included a refresh_token, no approved scopes are available, and the request fails as unauthorized."
3: Federated SSO
So I thought SSO would work. I first tried the Bearer SAML approach above, but moved on as described earlier. So now the issue is to get SSO + OAuth working.
I've got all the pieces of the puzzle already working for some time:

* Admin users get logged on correctly using single sign on (not lite users as there is no interface so nothing to log into - thus it fails after the login)
* OAuth using web-flow works fine when SSO is not in the picture.
* OAuth + SSO works fine for admin users
But when I'm using a database.com lite user, I always get booted onto the SAML Single Sign-On 'Custom Error URL' after the SSO process is completed. Looking at the user which was logged in shows:
Login Type: SAML Idp Initiated SSO
Status: Failed: API-only User
To me this feels like a Salesforce bug. Has anyone else experienced this?
ben

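Added example (not code from the post or from Salesforce): a small Python helper that assembles the SAML 2.0 bearer assertion token request discussed under option 2 and interprets the token endpoint's reply, so the "no previous approval with refresh_token" rejection quoted in the fine print is handled explicitly rather than surfacing as an unexplained HTTP error. The token endpoint path and the grant_type value are taken from Salesforce's public OAuth documentation and RFC 7522; the SAML assertion below is a constructed, unsigned placeholder used only to show the encoding, and the `error` strings a real org returns are not on this page, so the code treats any OAuth error body as a rejection rather than matching specific text.

```python
"""SAML 2.0 bearer token request helper (added example, not the post's code).

Assumptions: Salesforce's token endpoint lives at /services/oauth2/token
and accepts grant_type urn:ietf:params:oauth:grant-type:saml2-bearer with
a base64url-encoded assertion (RFC 7522 section 2.1). The sample assertion
is a constructed placeholder; a real one must be signed by the configured
IdP certificate.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"  # assumed endpoint

# Constructed placeholder assertion: shows the shape, carries no real signature.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)


def base64url_encode(data: bytes) -> str:
    """RFC 7522 requires base64url encoding with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text: str) -> bytes:
    """Inverse of base64url_encode; restores padding before decoding."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def build_saml_bearer_request(assertion_xml: str, token_url: str = TOKEN_URL) -> tuple:
    """Return (url, form fields) for the bearer assertion grant."""
    form = {
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": base64url_encode(assertion_xml.encode("utf-8")),
    }
    return token_url, form


def interpret_token_response(status: int, body: dict) -> dict:
    """Classify the token endpoint's JSON reply.

    A successful reply carries access_token and the combined scopes from the
    user's earlier approvals. Per the fine print quoted in the post, a user
    with no prior approval that included refresh_token gets a rejection: the
    user must first complete an interactive OAuth flow once, which an
    API-only (lite) user cannot do because there is no UI to log into.
    """
    if status == 200 and "access_token" in body:
        return {"outcome": "ok", "scope": body.get("scope", "")}
    return {
        "outcome": "rejected",
        "status": status,
        "error": body.get("error", "unknown"),
        "error_description": body.get("error_description", ""),
        "hint": "no prior approval with refresh_token, or assertion not trusted",
    }


def request_token(assertion_xml: str, token_url: str = TOKEN_URL) -> dict:
    """POST the grant and map both success and HTTP error bodies to a verdict."""
    url, form = build_saml_bearer_request(assertion_xml, token_url)
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode("ascii"), method="POST"
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_token_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        # OAuth error replies (RFC 6749 section 5.2) come back as 4xx with a JSON body.
        try:
            body = json.loads(err.read().decode("utf-8"))
        except ValueError:
            body = {}
        return interpret_token_response(err.code, body)


if __name__ == "__main__":
    # Offline demonstration: show the request that would be sent, without a network call.
    url, form = build_saml_bearer_request(SAMPLE_ASSERTION)
    print(url)
    print(form["grant_type"])
    print(form["assertion"][:40] + "...")
```

`request_token` is the only function that touches the network; the other helpers are pure, so the encoding and the response classification can be checked offline against a constructed assertion and synthetic replies.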
Terry Gray
Did you ever figure this out? I am about to develop a native android app and 1st time login entered my mind.