Single-Sign-On for Salesforce via SAML Assertions

Salesforce-specific notes on implementing and configuring single-sign-on via SAML

Salesforce can act as either a Services Provider (SP) or Identity Provider (IdP)

IdP Settings

When setting up the saml configuration for SSO (under Settings > Single Sign On), the Entity Id just needs to be a unique identifier for your Service. It will be given to your IDP, and used in the resulting SAML, therefore it should be unique.
- Usually you can choose the URL of your Community, the URL for your My Domain, etc…

If you want to support JIT Provisioning, you must click the “User Provisioning Enabled” button on the specific SSO configuration
Required User Attributes
- User.Username
- User.Email
- User.LastName
- User.ProfileId
  - Important Note: This doesn’t actually need to be the actual SFDC Profile ID; if your Profile names are unique, you can pass the name of the Profile and Salesforce will look up the name of the profile automatically based on the name
Additional Portal User Attributes
- Contact.Account
- Contact.LastName
- Contact.Email
- User.PortalRole=Worker
  - ???
You can also create a custom JIT Provisioning Apex class for more custom provisioning needs

In order to set up SSO for Communities users, follow these steps:

Set up a standard SAML configuration
Modify the ACS URL (place where you send SAML messages) in your IDP to the following:
1. COMMUNITY_URL/login?so=ORGANIZATION_ID
  - Note that this is your regular ACS URL with the Community URL + /login instead of your My Domain
Optionally set up your Community for SP-Initiated SSO