
I am trying to configure a multi-SFDC-org Single Sign On "hub-spoke" scenario where one SFDC org is the Identity Provider (IDP) and a couple of other SDFC orgs are configured as Service Providers (SP's), using Federated Authentication. I am also trying to have the org that is the IDP be an SP as well, because my goal is to have VF tabs set up in each org which allow users to quickly hop around between all of the different orgs.

I have several questions:

1. To achieve this sort of "org-hopping" with an SFDC org serving as the IDP, do all of the "spoke" orgs have to have "My Domain" enabled?

2. After reading the SFDC contextual help for the "Service Provider" edit and detail pages under the "Identity Provider" section of the Setup menu, I still have no idea what the Service Provider's "ACS URL", or "Assertion Consumer Service URL", actually is. Can anyone provide an example of what the Service Provider's ACS URL would look like in the case that the Service Provider is a My Domain - enabled SFDC org?

3. To achieve this "org-hopping" by using VF tabs, I just have a simple VF page with <apex:page action="redirect" controller="redirectController">, where redirectController has a "redirect" method which sends the user to the home page in one of the desired "spoke" orgs. Now, this may be because the answer to my first question is "YES, you DO have to have My Domain enabled in all of the Spoke orgs for your scenario to work", but if the homepage I am sending the user to is NOT My Domain enabled, will the process fail? i.e. When the link I send the user to through my redirect is "https://na7.salesforce.com/home/home.jsp", the user keeps ending up at "https://saml.salesforce.com". Here is my Service Provider configuration for the "spoke" org WITHOUT My Domain enabled:

ACS URL:  https://saml.salesforce.com

Entity Id: https://saml.salesforce.com

Issuer: skoodatsso1-developer-edition.my.salesforce.com

and here are the Single Sign On Settings configured in the "spoke" org, which does not have My Domain enabled:

SAML User ID Type: Federation Id

SAML User Id Location : Subject

Issuer: skoodatsso1-developer-edition.my.salesforce.com

Certificate: self-signed

Identity Provider Login URL: https://skoodatsso1-developer-edition.my.salesforce.com/idp/endpoint/HttpRedirect

Identity Provider Logout URL: https://skoodatsso1-developer-edition.my.salesforce.com

Entity Id (autopopulated): https://saml.salesforce.com

Salesforce.com Login URL (autopopulated): https://login.salesforce.com/?saml=%&^%&*%&^%

Any advice here is much appreciated!

Thanks,

Zach McElrath
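As an added example (not part of the post and not Salesforce's own code), the following Python check shows how the Single Sign On Settings listed above map onto the fields of a SAML Response the "spoke" org receives: the Issuer, the Entity Id as the assertion's Audience, the ACS URL as the response's Destination, and the Federation Id as the Subject NameID. The hostnames are the ones from the post's configuration; the sample response and its NameID are constructed, and signature verification is assumed to have been done already by a real SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side values copied from the post's "spoke" org Single Sign On Settings.
SP_SETTINGS = {
    "issuer": "skoodatsso1-developer-edition.my.salesforce.com",
    "entity_id": "https://saml.salesforce.com",  # Audience the assertion must name
    "acs_url": "https://saml.salesforce.com",    # Destination the IdP must post to
}

def _ts(iso):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def check_saml_response(xml_text, settings, now_iso):
    """Return the SP settings the response violates (empty list == consistent).
    Assumes the XML signature was already verified with a real SAML library."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != settings["acs_url"]:
        problems.append("Destination != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != settings["issuer"]:
        problems.append("Issuer mismatch")
    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        problems.append("Subject carries no NameID (Federation Id)")
    cond = assertion.find("saml:Conditions", NS)
    audience = None if cond is None else cond.findtext(
        "saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != settings["entity_id"]:
        problems.append("Audience != Entity Id")
    if cond is None or _ts(cond.get("NotOnOrAfter", "1970-01-01T00:00:00Z")) <= _ts(now_iso):
        problems.append("assertion expired or has no Conditions")
    return problems

# Constructed sample response; the NameID is a made-up Federation Id.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2011-06-01T12:00:00Z" Destination="https://saml.salesforce.com">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
    <saml:Issuer>skoodatsso1-developer-edition.my.salesforce.com</saml:Issuer>
    <saml:Subject><saml:NameID>fedid-user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-06-01T12:00:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Changing the sample's Destination to an instance URL such as na7.salesforce.com makes the check report "Destination != ACS URL", which is the kind of mismatch that sends a login to the wrong endpoint.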

There is lots of good information on developer.force.com about SSO and Salesforce as the service provider but I can't find any information on using Salesforce as the identity provider to another service. I would like to be able to use my Salesforce user and contact objects as my identity store for an outside application. Can it be done? Do I have to roll my own SAML SSO service within Salesforce to get the job done? What kind of license agreement issues would I have to deal with?

Any thoughts?

  • August 02, 2010