Salesforce

Overview of the SSO flow

The following diagram illustrates the single sign-on (SSO) processing flow using the Salesforce Cloud Identity Connector in a SaaS environment as an example implementation:


Processing Steps

  1. On the enterprise Salesforce site, a user clicks a custom link for access to a protected resource.

    The user must be signed on to Salesforce.

  2. The link goes to PingFederate and includes the user’s Salesforce session ID and service URL as query parameters. Learn more in Define the SSO URL in Salesforce.

  3. The Salesforce IdP Adapter makes a SOAP (Simple Object Access Protocol) request to Salesforce to obtain attributes for the user.

  4. Salesforce validates the session and returns requested user attributes in the SOAP response.

  5. PingFederate issues a SAML (Security Assertion Markup Language) assertion to the SP-connection Assertion Consumer Service (ACS).

    Alternatively, for onsite target resources within the same security context as PingFederate, SSO can be accomplished through adapter-to-adapter mapping without using a SAML connection:

    • For an external SP partner, configure an SP connection using the instructions under SSO to an SP partner.

    • For SSO to an application at your site in the same security domain, a standard SAML connection is not necessary. You can use direct IdP-to-SP adapter mapping by following the instructions under SSO to an onsite application.

  6. (Not shown) The user is logged on to the target resource.
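The exchange in steps 2 through 4, modelled as an added example that is not the connector's own code or code from this page: it reads the session ID and service URL out of the link's query string, builds the SOAP request that carries the session ID to Salesforce, and extracts the user attributes from the response. The query parameter names (`sessionId`, `serviceUrl`), the use of the Salesforce Partner API `getUserInfo` call, and the check that the service URL points at an HTTPS Salesforce host are assumptions of this example; the response below is constructed.

```python
# Added example (not the Ping Identity page's or the connector's own code).
# Models steps 2-4 of the flow: parse the SSO link, build the SOAP request the
# adapter sends to Salesforce, and pull user attributes from the SOAP response.
# Element names follow the Salesforce Partner API getUserInfo call; that the
# connector uses exactly this call is an assumption.
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

SF_NS = "urn:partner.soap.sforce.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_sso_link(url):
    """Extract the session ID and service URL from the link Salesforce sends
    the user to (step 2). The parameter names are assumptions."""
    qs = parse_qs(urlparse(url).query)
    session_id = qs.get("sessionId", [None])[0]
    service_url = qs.get("serviceUrl", [None])[0]
    if not session_id or not service_url:
        raise ValueError("missing sessionId or serviceUrl")
    parts = urlparse(service_url)
    # Only send the session ID to a Salesforce host over HTTPS. This check is
    # added by the example; the page does not describe the adapter's own checks.
    if parts.scheme != "https" or not (parts.hostname or "").endswith(".salesforce.com"):
        raise ValueError("serviceUrl is not a Salesforce HTTPS endpoint")
    return session_id, service_url

def build_getuserinfo_request(session_id):
    """Build the SOAP envelope for getUserInfo (step 3); the session ID travels
    in the SessionHeader, which is how Salesforce validates the session."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{SF_NS}">'
        "<soapenv:Header><urn:SessionHeader>"
        f"<urn:sessionId>{session_id}</urn:sessionId>"
        "</urn:SessionHeader></soapenv:Header>"
        "<soapenv:Body><urn:getUserInfo/></soapenv:Body></soapenv:Envelope>"
    )

def parse_getuserinfo_response(xml_text):
    """Return the user attributes from the getUserInfo result (step 4)."""
    root = ET.fromstring(xml_text)
    result = root.find(f".//{{{SF_NS}}}result")
    if result is None:
        raise ValueError("no getUserInfo result; Salesforce did not accept the session")
    return {child.tag.split("}")[1]: child.text for child in result}

# Constructed sample response in the shape Salesforce returns for getUserInfo.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<getUserInfoResponse xmlns="{SF_NS}"><result>
<userEmail>jdoe@example.com</userEmail><userId>005000000000001AAA</userId>
<userName>jdoe@example.com</userName><organizationId>00D000000000001AAA</organizationId>
</result></getUserInfoResponse></soapenv:Body></soapenv:Envelope>"""
```

The attributes returned by `parse_getuserinfo_response` are what PingFederate would then map into the SAML assertion of step 5.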