SAML Flow in Salesforce

SAML Login Flows | Single Sign On in Salesforce

Written ByApex Hours
Published OnFebruary 22, 2021
Updated OnApril 22, 2025

Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. When you set up single sign-on (SSO) with SAML, you can initiate login from the service provider or the identity provider.

Service provider-initiated login and identity provider-initiated login use different flows, but both result in the user being logged in to the service provider.

What is SAML?

Security Assertion Markup Language(SAML) is the protocol that enables single sign on between applications.

Identity Provider and Service Provider

Identity Provider– This is the system or the applications that hold the identity information.

Service Provider– System or the application that provides the desired service.

Service Provider-Initiated SAML Flow

In a service-provider-initiated flow, the service provider begins the login process with a SAML request to the identity provider. Here’s how this flow works.

The user requests a secure session to access a protected resource in the service provider.
The service provider initiates login by sending a SAML request to the identity provider, asking it to authenticate the user.
The identity provider sends the user to a login page.
The user enters their identity provider login credentials and the identity provider authenticates the user.
The identity provider now knows who the user is, so it sends a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
The service provider validates the signature in the SAML response and identifies the user.
The user is now logged in to the service provider and can access the protected resource.

Identity Provider-Initiated SAML Flow

In an identity provider-initiated login flow, a SAML request is unnecessary because the identity provider starts the flow with a SAML response. An identity provider-initiated flow is a shortened version of a service provider-initiated flow. Here’s how this flow works:

The user logs in to the identity provider.
The user clicks a button or link to access the service provider.
The identity provider initiates login by sending a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
The service provider validates the signature in the SAML response and identifies the user.
The user is now logged in to the service provider.

Recording

Please check below session to see how to setup SSO between two Salesforce Org with IDP & SP flow. This session also contain how we can validate the SAML flow in Salesforce.

Agenda

What is SAML?
What is Identity Provider and Service Provider?
IDP Initiated Flow Explanation(Demo of SAML between 2 Salesforce Orgs)
SP Initiated Flow Explanation(Demo of SAML between 2 Salesforce Orgs)

SAML Flow in Salesforce | SSO Demo

Further Learning

Azure Active Directory Seamless Single Sign-On with Salesforce

Tags

# SAML Login Flows # Single Sign-On

Apex Hours

Salesforce Apex Hours is a program of the community, for the community, and led by the community. It is a space where Salesforce experts across the globe share their expertise in various arenas with an intent to help the Ohana thrive! Join us and learn about the apex hours team.

One comment

Vikas

July 29, 2022 / 9:08 pm Reply

Amit

Can we initiate SAML request through apex code…and provide user / password through apex.

Regards,
Vikas Mishra

Leave a ReplyCancel Reply