SAML

Notes on the XML-based protocol for setting up single-sign-on

• XML-based assertion framework for authenticating people across different services

Common SAML-Based SSO Configurations to be Aware of

• When setting up a SP-initiated auth flow, your IDP will generally prefer a specific “binding”; either of the following:
  • HTTP POST
  • HTTP Redirect
• In order for SP-Initiated Auth to work correctly, and to support deep links and bookmarks that will work with SSO, your IDP should support RelayState
  • Allows you to pass parameters in the URL (or even the URL that you want to hit in the first place), and the IDP preserves these parameters and URL after the authentication is completed
  • Example flow for IDP that supports it:
    1. You are navigated to https://solvd.my.salesforce.com/home/my-fancy-url?a=b
    2. Salesforce navigates you automatically to Auth0 as your IDP
    3. You authenticate correctly
    4. Auth0 redirects you back to https://solvd.my.salesforce.com/home/my-fancy-url?a=b, preserving the URL and parameters for where you wanted to go initially.
• You can have the Identity of the SAML assertion exist in the NameIdentifier element of the Subject statement, OR in a specific Attribute XML node that you’ve pre-determined

Tags

• Authentication
• Authorization
• Development
• Security

References

• Single-Sign-On
• Enterprise Grid
• Salesforce OAuth Flows
• Salesforce Identity Connect
• Salesforce Login Flows
• Single-Sign-On for Salesforce via SAML Assertions