[SalesForce] How does a user with SAML SSO get redirected to IDP login page

Question

When SSO has been configured for SAML 2.0 and a user's federation identifier has been populated, how do they get redirected to the Identity Provider's login page?

Background

I'm working to configure a Salesforce instance to use a 3rd party Identity Provider. I've uploaded their certificate and filled out their settings in setup->security controls->single sign-on settings. I've also created a test user with a federation identifier.

I'm now trying to test that the user gets redirected to the 3rd party identity provider when trying to access Salesforce, but I'm stuck. I've tried going to the standard login page and entering my current username and password, and that just logs me in without going to the identity provider. I've also tried going to the Salesforce login URL from my SSO settings (https://login.salesforce.com/?saml=XXXXXXXXXXX), but that just sends me to the same page. I'm sure I'm misunderstanding how this works, but I'd think both of the above would somehow see that the user has a federation identifier and then validate their session with the identity provider. What am I doing wrong here?

ps – I'm a total dunce when it comes to SSO and have been trying to educate myself with the plentiful resources on developerforce and the broader web, but I'm still pretty green.

Best Answer

You're trying to set up / use Service Provider (SP) Initiated SSO. In this case Salesforce is the SP and you've configured an external IdP to provide authentication.

SP Initiated Login works on Salesforce with My Domain. Additionally you will need to set up Salesforce for federated authentication on your IdP, by (at least in case of ADFS) importing the metadata which you export from the SSO Settings Screen in Salesforce.

You will need to set up My Domain, where you register a custom domain for your org, and there is a setting in My Domain where you choose the authentication provider as the IdP rather than the Salesforce login page. The very descriptive "My SAML IDP" option refers to the settings you configured in Security Controls->Single Sign-On Settings.


You then need to refer to your org by the My Domain URL, at which point Salesforce reads this configuration and redirects to the IdP for authentication, passing through a SAML Request (i.e. log in with the custom My Domain URL, e.g. https://ralph-dev-ed.my.salesforce.com, so Salesforce knows that it needs to delegate authentication to your IdP). If you want to bypass the auto-redirect for users who aren't set up for federated authentication, you can append /?login to your My Domain URL to override the SAML redirect (e.g. https://ralph-dev-ed.my.salesforce.com/?login).

Once you've entered your credentials on the IdP login page, it posts a SAML Assertion to the Salesforce Assertion Consumer Service URL, which identifies the User either by UserName or Federation Id, based on what you've set up in your SSO Settings and lets you in.

Lastly, there is also a Summer 13 Known Issue which is preventing SP Initiated login from working on upgraded sandboxes, owing to a mismatch in the Assertion Consumer Service URL in the SAML Request that is sent to the IdP.

Also worth mentioning that Summer 13 brings support for multiple IdPs.
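The SP-initiated exchange the answer describes, as an added example (not code from the original post and not Salesforce's implementation): the SP builds a SAML AuthnRequest carrying its ACS URL and redirects the browser to the IdP with it, the IdP checks that ACS URL against what it has on file for the SP, and when the IdP posts the Response back, the SP checks Destination, Recipient, Audience, validity window and the Success status before reading the NameID it will match against Username or Federation ID. The My Domain URL is the one from the answer; the ACS URL shape, the fake org ID, the IdP endpoint and the sample Response are assumptions constructed for this example. XML Signature verification against the IdP certificate is deliberately left out and must be done by any real SP before any of these fields are trusted.

```python
"""SP-initiated SAML 2.0 in miniature: the AuthnRequest the SP (Salesforce)
redirects the browser with, and the checks the SP applies to the Response
the IdP posts back to the ACS URL. Added example, not Salesforce's code;
all URLs/IDs are made up. XML Signature verification is intentionally omitted."""
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MY_DOMAIN = "https://ralph-dev-ed.my.salesforce.com"   # SP entity ID (My Domain from the answer)
ACS_URL = MY_DOMAIN + "/?so=00Dxx0000000000"           # assumed ACS URL shape, fake org ID
IDP_SSO_URL = "https://idp.example.com/adfs/ls/"        # assumed IdP SSO endpoint

def _now():
    return datetime.now(timezone.utc).replace(microsecond=0)

def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(s):  # SAML timestamps are UTC, optionally with fractional seconds
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def build_authn_request(sp_entity_id=MY_DOMAIN, acs_url=ACS_URL,
                        idp_sso_url=IDP_SSO_URL, request_id=None):
    """Return (request_id, redirect_url, xml). HTTP-Redirect binding:
    raw DEFLATE -> base64 -> SAMLRequest query parameter on the IdP URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{_iso(_now())}" Destination="{idp_sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    b64 = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    sep = "&" if "?" in idp_sso_url else "?"
    return request_id, idp_sso_url + sep + urlencode({"SAMLRequest": b64}), xml

def decode_redirect_request(redirect_url):
    """What the IdP does on arrival: undo base64 and raw DEFLATE."""
    raw = base64.b64decode(parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def request_acs_matches(request_xml, registered_acs):
    """IdP-side check: the ACS URL inside the request must equal the one the IdP
    has on file for this SP (from the metadata exported from SSO Settings)."""
    return ET.fromstring(request_xml).get("AssertionConsumerServiceURL") == registered_acs

def sample_response(recipient=ACS_URL, audience=MY_DOMAIN, in_response_to="_req1",
                    name_id="ralph@example.com"):
    """Constructed, unsigned IdP Response for offline use (not captured traffic)."""
    now = _now()
    nb, noa = _iso(now - timedelta(minutes=5)), _iso(now + timedelta(minutes=5))
    issuer = "<saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>"
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="{_iso(now)}" Destination="{recipient}" InResponseTo="{in_response_to}">'
            f'{issuer}<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(now)}">{issuer}'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{noa}"/>'
            f'</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def validate_response(xml, expected_acs=ACS_URL, expected_audience=MY_DOMAIN,
                      in_response_to=None):
    """SP-side checks. Returns the NameID Salesforce would match against Username or
    Federation ID, or raises ValueError. A real SP verifies the XML Signature against
    the IdP certificate uploaded in SSO Settings before trusting any of these fields."""
    now, root = _now(), ET.fromstring(xml)
    if root.get("Destination") not in (None, expected_acs):
        raise ValueError("Destination does not match our ACS URL")
    if in_response_to and root.get("InResponseTo") != in_response_to:
        raise ValueError("InResponseTo does not match the request we sent")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion not handled here)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        raise ValueError("Recipient does not match our ACS URL")
    if scd.get("NotOnOrAfter") and _parse(scd.get("NotOnOrAfter")) <= now:
        raise ValueError("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, cnoa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and _parse(nb) > now) or (cnoa and _parse(cnoa) <= now):
            raise ValueError("outside Conditions validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected_audience:
            raise ValueError("Audience does not match our entity ID")
    name_id = (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise ValueError("no NameID to match against Username / Federation ID")
    return {"name_id": name_id, "issuer": a.findtext("saml:Issuer", namespaces=NS)}
```

The `request_acs_matches` comparison is the IdP-side step that the ACS URL mismatch described in the answer's known issue would trip: if the AssertionConsumerServiceURL in the request differs from the one the IdP imported from the SP metadata, a correctly configured IdP refuses to issue an assertion. On the SP side, `validate_response` rejects a Response whose Destination or Recipient points at a different ACS URL (for example the login.salesforce.com form instead of the My Domain one), so an assertion issued for one endpoint cannot be replayed to another.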
