WEN JIE

How to generate a "saml_request_id" for SSO?

Hi,

I am just working on SSO between Salesforce and a third-party system. When I test the "SP Initiated" way, I found there is a parameter in the HTTP header named "saml_request_id".

So does anyone know the generation principle for this parameter? Or where can I get this "saml_request_id"?


Thank you!
Naga (Salesforce Developers)
Hi Wen Jie,


Prerequisite: SSO settings in Salesforce.com are configured properly, including enabling SAML for SSO.

Steps:

1. Under My IdP Configuration, set up a SAML 2.0 SP connection to Salesforce.com.
2. Enter https://saml.salesforce.com as the Partner's Entity ID.
3. Enable IdP-Initiated SSO and SP-Initiated SSO.
4. In Attribute Contract, add an attribute called ssoStartPage and select ...unspecified as the Attribute Name Format.
5. Enter http[s]://<PF external address>:<PF external port>/idp/SSO.saml2 as the value.
6. In Assertion Consumer Service URL, enter 0 for Index, POST for Binding, and https://login.salesforce.com as Endpoint.
7. In Allowable SAML Bindings, select only POST.
8. In Signature Policy, select Always sign the SAML Assertion.

For each browser, once the user has completed a successful IdP-initiated SSO to Salesforce.com, Salesforce.com would have sent back the content and many cookies; the browser should be saving the persistent cookies.
 
Of all the persistent cookies, ssostartpage and saml_request_id are the cookies for SP-init SSO requests.  These two cookies are set for the specific <host>.salesforce.com in the IdP-init SSO request.  Their expiry is about 2 months.
 
As long as these two cookies are saved by the browser, then subsequent SP-init SSO requests to the same <host>.salesforce.com (with these two cookies) would trigger Salesforce.com to send an AuthnRequest to http[s]://<PF external address>:<PF external port>/idp/SSO.saml2 - the value in the ssoStartPage attribute in the SAML contract and the ssostartpage cookie.
 
If either is missing, then any subsequent SP-init SSO requests would fail.
 
If the subsequent SP-init SSO request is sent to <another host>.salesforce.com, then it would also fail, because the browser will not send the ssostartpage and saml_request_id which were set for <host>.salesforce.com.
About ssoStartPage: SP-initiated SAML SSO in Salesforce now uses the 'My Domain' feature to remove the need for the persistent cookie. Set up 'My Domain'; then, when users go to http://your_cust_name.my.salesforce.com, Salesforce will use the hostname to figure out the correct identity provider (IdP) to which it will redirect the user.

For additional information about the My Domain feature, see http://boards.developerforce.com/t5/Security/SSO-Federated-Authentication-Help-needed/td-p/182941 and http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/

Best Regards
Naga Kiran
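To make the cookie-scoping behaviour described in the answer concrete, here is an added Python example (it is neither Salesforce's code nor Naga's): it models the check that both persistent cookies must be present, unexpired and scoped to the requested host, and it builds the AuthnRequest that would be sent to the ssostartpage URL with a fresh request ID for the SP to match against InResponseTo on the IdP's Response. The cookie jar, the host names and the IdP address idp.example.test are constructed placeholders, and the AuthnRequest layout follows SAML 2.0 Core rather than anything on this page.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SP_ENTITY_ID = "https://saml.salesforce.com"    # Partner's Entity ID (from the answer)
ACS_URL = "https://login.salesforce.com"         # ACS endpoint, index 0, POST binding
REQUIRED = ("ssostartpage", "saml_request_id")   # persistent cookies the SP-init flow needs
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, ns)

def sp_init_decision(cookies, host, now):
    """Model of the check: both cookies must be present, unexpired and set for `host`.
    Returns ("redirect", idp_url) or ("fail", reason)."""
    live = {c["name"]: c for c in cookies if c["host"] == host and c["expires"] > now}
    missing = [n for n in REQUIRED if n not in live]
    if missing:
        return ("fail", "%s missing for %s" % (", ".join(missing), host))
    return ("redirect", live["ssostartpage"]["value"])

def build_authn_request(idp_sso_url, now=None):
    """Minimal SAML 2.0 AuthnRequest aimed at the ssostartpage URL. The ID is a fresh,
    unguessable value the SP stores so it can verify InResponseTo on the IdP's Response."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": ACS_URL})
    ET.SubElement(root, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    return req_id, ET.tostring(root, encoding="unicode")

def demo():
    """Constructed cookie jar left by an earlier IdP-initiated login to one host."""
    now = datetime(2023, 11, 1, tzinfo=timezone.utc)
    idp = "https://idp.example.test:9031/idp/SSO.saml2"  # placeholder PF address and port
    jar = [{"name": n, "host": "na1.salesforce.com", "value": v,
            "expires": now + timedelta(days=60)}           # about 2 months, as in the answer
           for n, v in (("ssostartpage", idp), ("saml_request_id", "constructed-value"))]
    return {"same_host": sp_init_decision(jar, "na1.salesforce.com", now),
            "other_host": sp_init_decision(jar, "na2.salesforce.com", now),
            "expired": sp_init_decision(jar, "na1.salesforce.com", now + timedelta(days=61))}

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
    print(build_authn_request(demo()["same_host"][1])[1])
```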