mbudzyn

SFDC as Identity Provider for "iframed" third-party application

I'm fairly new to the world of SSO and SAML and I'm trying to figure out the best approach to solve this challenge. We have a third-party application that we will be presenting through an iframe for our users. It's a secured site and we want to leverage SSO so a user clicking on the tab that is hosting the iframe will automatically gain access to this third-party app (if the app is accessed outside of SFDC, they will obviously be prompted for their user name and password). 

I've already done some initial work in our sandbox and set up SFDC as the identity provider and set up the third party (service provider) as a connected app. We've selected SAML 2 and the endpoints have been identified.

What I'm stuck/unclear on is: how does the service provider identify the user that is attempting to access their app through SFDC and then authenticate them against SFDC? Also, do I even need to populate the federated IDs on the user object? The service provider had all our relevant usernames loaded into their system.

I've been looking through docs on SSO/SAML and can't figure out the answer. I'm not sure what direction to go at this point. Any help or direction would be greatly appreciated.
Ashish_SFDC
Hi,

This is called: Single Sign-On for Composite Apps

The hyperlink URL will contain a user specific SessionId and a ServerURL as query string parameters.
Your application (presentation) will appear inside an iFrame that is embedded within the current user context (tab or current page).
Users should not be required to enter a username and password to complete this action. Your web application will determine what the calling user's identity is by accessing the Force.com SOAP API. By exploiting the key parameters — current user session id and server url — a simple API call can return user and org attributes for you to validate this user against your list of authorized users.

This approach is referred to as Force.com User Authentication (AUA) as it relates to a composite application.

http://wiki.developerforce.com/page/Single_Sign_On_for_Composite_Apps

Also read the similar discussion in the thread below:

https://developer.salesforce.com/forums/ForumsMain?id=906F00000008innIAA
Regards,
Ashish
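The flow Ashish describes, as an added example written for this page (it is not Salesforce's code and not code from either poster): the composite app reads the session id and server URL from the iframe URL, checks that the server URL really points at a Salesforce host before sending the session id anywhere, calls the Partner API `getUserInfo()` over SOAP, and finally compares the returned username and org id against its own list of authorized users. The parameter names `sessionId` and `serverUrl`, the org id, the usernames and the SOAP response body are constructed assumptions, not values from the page. The transport is injectable so the identity check can be exercised offline with a canned response.

```python
"""Identify the calling Salesforce user for an iframed composite app.

Illustrative code written for this forum page (not Salesforce's or the
posters' code). Assumptions: the iframe URL carries `sessionId` and
`serverUrl` as query parameters; the app keeps its own allow-list of
Salesforce usernames; the org id and sample SOAP response are constructed.
"""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# The session id must only ever be forwarded to a genuine Salesforce host.
# A forged serverUrl would otherwise hand the user's live session to whoever
# controls that host, so the host is checked before any request is made.
TRUSTED_SUFFIXES = (".salesforce.com", ".force.com")

# Constructed allow-list: the usernames the service provider already holds.
AUTHORIZED_USERS = {"alice@example.com", "bob@example.com"}
EXPECTED_ORG_ID = "00D000000000001EAA"  # placeholder org id, not a real one

PARTNER_NS = "urn:partner.soap.sforce.com"


def validate_server_url(server_url):
    """Return server_url if it is an https URL to a trusted Salesforce host, else None."""
    if not server_url:
        return None
    parsed = urlparse(server_url)
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    if not any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES):
        return None
    return server_url


def build_get_user_info_request(session_id):
    """SOAP envelope for Partner API getUserInfo(); the session id travels in SessionHeader."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns="{PARTNER_NS}">'
        f"<soapenv:Header><SessionHeader><sessionId>{session_id}</sessionId></SessionHeader></soapenv:Header>"
        "<soapenv:Body><getUserInfo/></soapenv:Body>"
        "</soapenv:Envelope>"
    )


def parse_get_user_info_response(xml_text):
    """Pull userName, userId and organizationId out of a getUserInfoResponse."""
    root = ET.fromstring(xml_text)
    result = root.find(f".//{{{PARTNER_NS}}}result")
    if result is None:
        raise ValueError("no getUserInfo result in SOAP response")

    def field(name):
        element = result.find(f"{{{PARTNER_NS}}}{name}")
        return element.text if element is not None else None

    return {"userName": field("userName"), "userId": field("userId"),
            "organizationId": field("organizationId")}


def http_post_soap(server_url, body):
    """Real transport: POST the envelope to the Salesforce SOAP endpoint."""
    request = urllib.request.Request(
        server_url, data=body.encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def identify_caller(iframe_url, transport=http_post_soap):
    """Return the authorized Salesforce username behind this iframe request, or None.

    Note the session id arrives in the query string, so web-server and proxy
    logs for this URL must be treated as containing a live credential.
    """
    query = parse_qs(urlparse(iframe_url).query)
    session_id = query.get("sessionId", [None])[0]
    server_url = validate_server_url(query.get("serverUrl", [None])[0])
    if not session_id or not server_url:
        return None
    info = parse_get_user_info_response(transport(server_url, build_get_user_info_request(session_id)))
    # Salesforce vouches for who the session belongs to; the app still decides
    # whether that user (and that org) is allowed in.
    if info["organizationId"] != EXPECTED_ORG_ID or info["userName"] not in AUTHORIZED_USERS:
        return None
    return info["userName"]


# Constructed sample response, shaped like a Partner API getUserInfoResponse.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns="{PARTNER_NS}">
 <soapenv:Body><getUserInfoResponse><result>
  <organizationId>{EXPECTED_ORG_ID}</organizationId>
  <userId>005000000000001AAA</userId>
  <userName>alice@example.com</userName>
 </result></getUserInfoResponse></soapenv:Body>
</soapenv:Envelope>"""


def fake_transport(server_url, body):
    """Offline stand-in for http_post_soap that returns the constructed sample."""
    assert "<SessionHeader>" in body
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    embed = ("https://app.example.com/embed?sessionId=00Dxx!AQ4AQ.constructed"
             "&serverUrl=https://na1.salesforce.com/services/Soap/u/29.0")
    print(identify_caller(embed, transport=fake_transport))  # alice@example.com
```

In production the `transport` argument is left at its default so the envelope really goes to the Salesforce endpoint named in `serverUrl`; the allow-list check on the host is what makes it safe to do so.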