Tuesday, August 18, 2015

Single Sign-On with Salesforce and Microsoft Active Directory Federation Services

IDP Overview



(Figure: ADFSSAML2 Roles.png)


The user authenticates (logs in) to the identity provider (IdP), which in our case is AD FS 2.0. The user can then access resources at one or more service providers (SPs, also known as relying parties) without having to log in again at each service provider.

My Domain


The Force.com 'My Domain' feature allows you to select a custom domain name for your application. A 'My Domain' URL looks like https://customer.my.salesforce.com/ (for a production org) or https://customer-developer-edition.my.salesforce.com/ (for a Developer Edition).

A benefit of configuring 'My Domain' is that it enables support for SP-initiated single sign-on, improving the user experience, and allowing users to access 'deep links' into their environment via SSO.

Configure 'My Domain' in Setup | Company Profile | My Domain. You will need to complete the process of configuring, testing and deploying 'My Domain' for SP-initiated SSO to work correctly.

SP Overview


In this scenario (SP-initiated SSO), the SP sends the browser to the IdP with an HTTP redirect that carries an authentication request. The IdP returns a SAML response containing an assertion to the SP via HTTP POST.



  1. A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.

  2. The SP returns an HTTP redirect (code 302 or 303) containing a SAML request for authentication through the user’s browser to the IdP’s SSO service.

  3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.

  4. Additional information about the user may be retrieved from the user data store for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP.)

  5. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

  6. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.
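The six steps above, carried through as an added example that is not part of the original post or of Salesforce or AD FS code. It builds the AuthnRequest, encodes it with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) as the SP does in step 2, decodes it on the IdP side, constructs the SAML Response with a bearer assertion and attributes for steps 4 and 5, and then runs the SP-side checks from step 6: status, Destination, InResponseTo against the SP's outstanding requests (consumed on first use, so a replay is refused), Issuer, validity window with clock skew, AudienceRestriction and SubjectConfirmationData. The entity IDs, ACS URL and AD FS endpoint are constructed placeholders, and XML-DSig signature verification is deliberately left out; in production the signature on the Response or Assertion must be verified with the AD FS token-signing certificate before any of these checks is trusted.

```python
"""SP-initiated SAML 2.0 exchange reduced to its messages and the SP-side checks; XML-DSig verification is not implemented here."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed endpoint identifiers: assumptions for this example, not values from the post.
SP_ENTITY_ID = "https://customer.my.salesforce.com"            # 'My Domain' URL used as the SP entity ID
SP_ACS_URL = "https://customer.my.salesforce.com/saml/acs"     # assumed Assertion Consumer Service URL
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"  # assumed AD FS federation service identifier
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"              # assumed AD FS SSO endpoint
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between SP and IdP clocks

def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id, now):
    """Step 2 (SP side): the AuthnRequest carried to the IdP inside the HTTP redirect."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
            f'IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode; the SP sends this as the 302/303 Location."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate stream, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect(url):
    """Step 2 (IdP side): recover the AuthnRequest XML and RelayState from the redirect URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params.get("RelayState", [""])[0]

def build_response(in_response_to, name_id, attributes, now):
    """Steps 4-5 (IdP side): a Response with one bearer assertion and attributes; AD FS would also sign it."""
    expiry = saml_time(now + timedelta(minutes=5))
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                    for k, v in attributes.items())
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(16)}" Version="2.0" '
            f'IssueInstant="{saml_time(now)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{saml_time(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData '
            f'Recipient="{SP_ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{expiry}"/>'
            f'</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{saml_time(now)}" NotOnOrAfter="{expiry}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>')

def validate_response(response_xml, pending_request_ids, now):
    """Step 6 (SP side): checks that must pass *after* the signature on the Response/Assertion has been verified.
    pending_request_ids is the SP's store of outstanding AuthnRequest IDs; the matching ID is consumed."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS or root.get("Destination") != SP_ACS_URL:
        raise ValueError("not a successful response addressed to our ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        raise ValueError("unsolicited or replayed response (unknown InResponseTo)")
    pending_request_ids.discard(in_response_to)  # one-time use: presenting the same response again now fails
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or any(i is None or i.text != IDP_ENTITY_ID
                                for i in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS))):
        raise ValueError("missing assertion or issuer is not the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or now >= parse_time(cond.get("NotOnOrAfter", "")) + CLOCK_SKEW \
            or (cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - CLOCK_SKEW):
        raise ValueError("assertion is outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to \
            or now >= parse_time(scd.get("NotOnOrAfter", "")) + CLOCK_SKEW:
        raise ValueError("subject confirmation does not bind the assertion to this SP and request")
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                           for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}}

def sp_initiated_flow(now=None):
    """Walk steps 1-6 end to end with the constructed identities; returns what the SP learned about the user."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    request_id = "_" + secrets.token_hex(16)  # step 1: deep link hit with no session, SP creates a request
    pending = {request_id}
    location = redirect_url(build_authn_request(request_id, now), "/lightning/deep/link")  # step 2
    authn_xml, relay_state = decode_redirect(location)  # IdP side; step 3 (logon) would happen here
    posted = build_response(request_id, "alice@example.com", {"mail": "alice@example.com"}, now)  # steps 4-5
    result = validate_response(posted, pending, now + timedelta(seconds=30))  # step 6, shortly after issuance
    result["relay_state"] = relay_state  # the deep link the SP redirects the browser to once the session exists
    return result
```

Calling `sp_initiated_flow()` returns the NameID, the attributes and the RelayState for the constructed user; calling `validate_response` a second time with the same POST body raises, because the request ID was consumed, which is the property that stops a captured response from being reused. Every `raise` in `validate_response` corresponds to a check that an SP must make itself; AD FS signing the assertion proves who issued it, but not that it was meant for this SP, this request, or this moment.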
