• pascale
  • Member since 2009

When the IdP initiates the SSO with Salesforce, it sends a URL like:

       https://login.salesforce.com?saml=<xx>

with a SAML assertion to be validated by Salesforce.

What about when the SP initiates the SSO: what does the URL look like?

Is it an ordinary SF URL such as: http://myorganisation.salesforce.com ?

How would SF know that it has to communicate in SAML?

 

Many thanks,

 

--Pascale

Hi,

 

I am working on integrating SF with the federated approach with SAML 2.

I think I am missing something. From my understanding, SF provides the ability to initiate the SSO, meaning a user clicks on a bookmark (a direct link to an SF page), SF initiates SSO by sending a SAMLRequest to the IdP, which then redirects to the IdP login page, authenticates, and constructs a SAMLResponse to SF, which validates it and redirects to the original page.

The document Best Practice for implementing Single Sign On does not cover the SP-initiated SSO. But I believe the IdP should know how to handle the SAMLRequest from SF, am I right?

Using the federated SAML 2 approach, will it be possible for SF users to authenticate into the SF site independently from our web site if they wish? Or, since the configuration is set to SAML 2, does the user have to get authenticated first in the IdP?

 

 

Thanks for your help,

--pascale
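
The SP-initiated exchange described in the post above, as an added example that is not part of the original thread and is not Salesforce's code. It assumes the SP uses the SAML 2.0 HTTP-Redirect binding; the URLs, entity IDs and function names are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample values (assumptions, not taken from the thread).
IDP_SSO_URL = "https://idp.example.com/sso"
SP_ENTITY_ID = "https://sp.example.com"
SP_ACS_URL = "https://sp.example.com/acs"


def build_redirect_url(request_id, issue_instant, relay_state):
    """SP side: wrap an AuthnRequest for the SAML 2.0 HTTP-Redirect binding."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    # Binding encoding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    )
    return f"{IDP_SSO_URL}?{query}"


def parse_redirect_url(url):
    """IdP side: recover the request and apply basic checks before answering it."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    # Stdlib parser keeps this self-contained; production code should use a
    # hardened XML parser (e.g. defusedxml) and cap the inflated size.
    root = ET.fromstring(zlib.decompress(raw, wbits=-15))
    if root.tag != f'{{{NS["samlp"]}}}AuthnRequest':
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    acs = root.get("AssertionConsumerServiceURL")
    # Only answer SPs the IdP has registered, and only at their registered ACS URL.
    if (issuer, acs) != (SP_ENTITY_ID, SP_ACS_URL):
        raise ValueError("unknown SP or unexpected ACS URL")
    return {"id": root.get("ID"), "issuer": issuer, "acs": acs,
            "relay_state": params.get("RelayState", [None])[0]}
```

The `id` returned by the IdP-side parser is the value the SP later expects back as `InResponseTo` in the SAMLResponse, and `relay_state` is how the SP finds the originally requested page again.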

I haven't had much luck getting SSO to work with my SAML assertion. Has anyone got this to work? If so, what does your SAML response look like? I signed my assertion and I believe everything is correct, yet the login history gives me "Failed: Assertion Invalid".

Any ideas?

Thank you.