Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. When you set up SSO with SAML, you can initiate login from the service provider or from the identity provider.
Service provider-initiated login and identity provider-initiated login use different flows, but both result in the user being logged in to the service provider.
What is SAML?
Security Assertion Markup Language (SAML) is the protocol that enables single sign-on between applications.
Identity Provider and Service Provider
Identity Provider – The system or application that holds the identity information and authenticates the user.
Service Provider – The system or application that provides the desired service and relies on the identity provider to identify the user.
Service Provider-Initiated SAML Flow
In a service provider-initiated flow, the service provider begins the login process with a SAML request to the identity provider. Here’s how this flow works:
- The user requests a secure session to access a protected resource in the service provider.
- The service provider initiates login by sending a SAML request to the identity provider, asking it to authenticate the user.
- The identity provider sends the user to a login page.
- The user enters their identity provider login credentials and the identity provider authenticates the user.
- The identity provider now knows who the user is, so it sends a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
- The service provider validates the signature in the SAML response and identifies the user.
- The user is now logged in to the service provider and can access the protected resource.
Identity Provider-Initiated SAML Flow
In an identity provider-initiated login flow, a SAML request is unnecessary because the identity provider starts the flow with a SAML response. An identity provider-initiated flow is a shortened version of a service provider-initiated flow. Here’s how this flow works:
- The user logs in to the identity provider.
- The user clicks a button or link to access the service provider.
- The identity provider initiates login by sending a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
- The service provider validates the signature in the SAML response and identifies the user.
- The user is now logged in to the service provider.
Recording
Please check the session below to see how to set up SSO between two Salesforce orgs with both the IdP-initiated and SP-initiated flows. The session also covers how to validate the SAML flow in Salesforce.
Agenda
- What is SAML?
- What is Identity Provider and Service Provider?
- IdP-Initiated Flow Explanation (Demo of SAML between 2 Salesforce Orgs)
- SP-Initiated Flow Explanation (Demo of SAML between 2 Salesforce Orgs)
Amit
Can we initiate a SAML request through Apex code… and provide the user/password through Apex?
Regards,
Vikas Mishra