[SalesForce] SSO Question – Salesforce as IdP – Which login URL should an SP redirect to, Community OR my.domain

I'm trying to setup salesforce as the IdP and allow SP initiated login. I've got it working just fine using SAML 2.0 for normal salesforce users (Licence = Salesforce). However I would also like it to work for my community users (License = Overage Customer Portal Manager & Gold Partner).

The problem is that it doesn't work for my community users as my SP's redirect url is to our my.domain site (https://companyname.my.salesforce.com/) and not our community login (https://companyname.force.com/login). A customer/partner’s credentials will not work on our my.domain site nor will a regular user’s credentials work on our community login page.

Is there a way to dynamically redirect to the appropriate login page or do we need to create a custom login screen that determines where the credentials need to be sent? Or is there some other type of solution for this problem?

Thanks in advance!

Best Answer

Salesforce got back to me on this one,

Out of the box:

As I stated in my question, a customer/partner’s credentials will not work on our my.domain site, nor will a regular user’s credentials work on our community login page. However, Salesforce's community login page tries to deal with this by showing the text "CompanyName employee? Log in here" below the username and password fields. Clicking the "Log in here" link will take users to your my.domain login page, where internal employees' credentials will work.

If your SP redirects to your community login page, clicking "CompanyName employee? Log in here" will also carry the HTTP redirect information, allowing SP-initiated login for both user groups without any elaborate customization. The only downside is that you would need to instruct internal employees to hit the alternative link to get to the my.domain login page.

Custom:

1) If your service provider knew what flavor of user is requesting access it could dynamically point to the appropriate login page. In my case, our SP doesn't know thus this isn't an option.

2) You could build a custom login page that determines where the credentials go based on whatever logic is appropriate (e.g. the user's username ends with "@companyname.com"). There are many posts out there on how to build a custom login screen for Salesforce.
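As an added illustration of option 2 (not code from the post or from Salesforce), the routing decision such a custom login page would make, written here in Python rather than Apex so it can be run and tested directly: it keeps only the SAML parameters from the SP's redirect, picks the my.domain or community login page from the username rule the answer suggests, and falls back to the community page (which carries the employee link) when no username is known yet. The hostnames are the question's own examples and the "@companyname.com" rule is the answer's; both are assumptions to replace with your org's values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed endpoints: the example hostnames from the question, not real orgs.
MYDOMAIN_LOGIN = "https://companyname.my.salesforce.com/"
COMMUNITY_LOGIN = "https://companyname.force.com/login"
# Assumed routing rule from the answer: internal employees log in with a company e-mail.
INTERNAL_DOMAIN = "@companyname.com"

# Query parameters that carry an SP-initiated SAML request over the HTTP-Redirect
# binding. Everything else is dropped so the routing page cannot be used to pass
# arbitrary parameters through to the IdP.
SAML_PARAMS = ("SAMLRequest", "RelayState", "SigAlg", "Signature")


def is_internal_user(username):
    """The answer's rule: a username ending in the company domain is an employee."""
    return username.strip().lower().endswith(INTERNAL_DOMAIN)


def saml_query(sp_redirect_url):
    """Return only the SAML-relevant (name, value) pairs of the SP's redirect URL."""
    parts = urlsplit(sp_redirect_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if name in SAML_PARAMS]


def choose_login_url(sp_redirect_url, username=None):
    """Pick the login page for this user and forward the SAML request to it unchanged."""
    query = saml_query(sp_redirect_url)
    if "SAMLRequest" not in dict(query):
        # Not an SP-initiated request at all; there is nothing to forward.
        raise ValueError("missing SAMLRequest in SP redirect")
    if username and is_internal_user(username):
        target = MYDOMAIN_LOGIN
    else:
        # Unknown or external user: the community page also offers the
        # "employee? Log in here" link, so nobody is sent to a dead end.
        target = COMMUNITY_LOGIN
    parts = urlsplit(target)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


if __name__ == "__main__":
    # Constructed sample redirect; "abc"/"xyz" stand in for the real encoded values.
    sample = "https://companyname.my.salesforce.com/?SAMLRequest=abc&RelayState=xyz&foo=bar"
    print(choose_login_url(sample, "alice@companyname.com"))
    print(choose_login_url(sample, "bob@partner.example"))
```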
