Tuesday, February 28, 2017

SP Initiated SSO to Salesforce

                        In this post we are going to cover the configuration steps on how to enable the Service Provider(SP) initiated Federated SSO to Salesforce with OAM I have covered about Single Sign-on to Salesforce using OAM in IDP initiated mode in one of my earlier posts. This will will be continuation to those posts.
                       Once you finish the steps mentioned in earlier posts, You just have to finish the below steps to configure the SP initiated SSO to Salesforce. As described earlier, I have configured my OAM as IDP and Salesforce as SP. In this example, Request for authentication initiates from Salesforce(SP) and redirects it to OAM(IDP) which is nothing but the SP Initiated Single Sign-On.


  • End-user having accounts on IDP(OAM) and SP(salesforce) side with email as user login.
  • End-user will access salesforce URL directly.
  • End-user will be authenticated with IDP side credentials and will federate the user back to Salesforce.
  • Install and configure OAM
  • Configure Authentication store for OAM. In my lab, I have configured OUD as authentication store
  • Front-end OAM with OHS and protect with OAM

  • OAM BP07
  • RHEL6
  • Salesforce
  • OUD
  • OHS 
  • Make sure a domain created for your salesforce instance. In our example, Let is consider it as "https://devfed.my.salesforce.com
  • If domain is not created, created one by navigating as given below
    • Settings -> Setup -> Company Settings -> My Domain
  • Once the domain is enabled and deployed, Click on Edit to configure the Authentication provider.
  • Select the Single sign-provider  that your imported earlier as authentication provider now.
  • Save the Changes.
  • Now search for Single Sign-On Settings and open the current configured SSO Provider.
  • Configure the Identity Provider Login URL with your IDP Initiated URL. This is the same  OAM protected IDP Initiated Federation URL.
  • That's all folks. Now you finished additional configuration required for SP Initiated SSO to Salesforce.
  • Lets validate this now.
 Validation :
  • Access your Salesforce domain URL directly in the browser.
  • This should redirect you back to your configured IDP URL as shown below.
  • If you look at the above screenshot, you can see SAML Authentication request initiated from Salesforce(SP) and redirected to OAM IDP URL.
  • Enter your IDP credentials and click on Login button.
  • After successful authentication,  OAM responds back with SAML Response and posts it to Salesforce.
  • Similar to IDP initiated SSO, Salesforce will validate the SAML response message and redirect the user to home page.
  • You can view the SAML response highlighted in below screenshot.

  •  You are now landed onto Salesforce with the user you authenticated against IDP.
 Thank you for visiting.