SAML Flow in Salesforce
Amit Chaudhary

Amit Chaudhary is a Salesforce Application & System Architect who has worked on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and holds 17 Salesforce certifications. He is an active blogger and the founder of Apex Hours.

SAML Login Flows | Single Sign On in Salesforce

Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. When you set up single sign-on (SSO) with SAML, you can initiate login from the service provider or the identity provider.

Service provider-initiated login and identity provider-initiated login use different flows, but both result in the user being logged in to the service provider.

What is SAML?

Security Assertion Markup Language (SAML) is the protocol that enables single sign-on between applications.

Identity Provider and Service Provider

Identity Provider – the system or application that holds the identity information and authenticates the user.

Service Provider – the system or application that provides the desired service and relies on the identity provider to authenticate the user.

Service Provider-Initiated SAML Flow

In a service provider-initiated flow, the service provider begins the login process with a SAML request to the identity provider. Here’s how this flow works:

  1. The user requests a secure session to access a protected resource in the service provider.
  2. The service provider initiates login by sending a SAML request to the identity provider, asking it to authenticate the user.
  3. The identity provider sends the user to a login page.
  4. The user enters their identity provider login credentials and the identity provider authenticates the user.
  5. The identity provider now knows who the user is, so it sends a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
  6. The service provider validates the signature in the SAML response and identifies the user.
  7. The user is now logged in to the service provider and can access the protected resource.

Identity Provider-Initiated SAML Flow

In an identity provider-initiated login flow, a SAML request is unnecessary because the identity provider starts the flow with a SAML response. An identity provider-initiated flow is a shortened version of a service provider-initiated flow. Here’s how this flow works:

  1. The user logs in to the identity provider.
  2. The user clicks a button or link to access the service provider.
  3. The identity provider initiates login by sending a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
  4. The service provider validates the signature in the SAML response and identifies the user.
  5. The user is now logged in to the service provider.
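Both flows end with the service provider validating the signature and identifying the user. The following added example (mine, not Apex Hours or Salesforce code) shows the checks a service provider still has to make after an XML-DSig library has verified the signature, including the one difference between the two flows: an SP-initiated response must answer the AuthnRequest the SP sent (InResponseTo), while an IdP-initiated response carries no InResponseTo at all. The entity IDs, URLs and the sample response are constructed assumptions.

```python
# Added example (not Apex Hours code): the checks a service provider must make on
# a SAML Response after an XML-DSig library has verified its signature.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP configuration; entity IDs and URLs are assumptions.
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/saml/acs"
TRUSTED_IDP = "https://idp.example.com/idp"

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, now, expected_request_id=None):
    """Return the asserted NameID or raise ValueError.
    expected_request_id: ID of the AuthnRequest this SP sent (SP-initiated flow);
    None for an IdP-initiated flow, whose response carries no InResponseTo."""
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("response not addressed to our ACS URL")
    in_response_to = resp.get("InResponseTo")
    if expected_request_id is None and in_response_to is not None:
        raise ValueError("unsolicited response must not carry InResponseTo")
    if expected_request_id is not None and in_response_to != expected_request_id:
        raise ValueError("InResponseTo does not match the request we sent")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("assertion issued by an untrusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != SP_ENTITY_ID:
        raise ValueError("assertion intended for a different service provider")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample: an SP-initiated response answering request "_req42".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" InResponseTo="_req42" Destination="{SP_ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1"><saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
NOW = datetime(2024, 1, 1, 10, 2, tzinfo=timezone.utc)
```

Dropping the InResponseTo attribute from the sample turns it into the IdP-initiated case, which the same function accepts only when called with `expected_request_id=None`.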

Recording

Please check the session below to see how to set up SSO between two Salesforce orgs using both the IdP-initiated and SP-initiated flows. The session also shows how to validate the SAML flow in Salesforce.

Agenda

  • What is SAML?
  • What is Identity Provider and Service Provider?
  • IdP-Initiated Flow Explanation (Demo of SAML between 2 Salesforce Orgs)
  • SP-Initiated Flow Explanation (Demo of SAML between 2 Salesforce Orgs)

Further Learning

Please subscribe to our YouTube channel to get notified when new videos are uploaded.

1 Comment

  • Amit

    Can we initiate a SAML request through Apex code… and provide the user / password through Apex?

    Regards,
    Vikas Mishra
