We are implementing SSO for Salesforce using OpenAM. We followed the steps at http://blogs.oracle.com/rangal/entry/saml2_salesforce_com
There are two scenarios:
1. IdP (OpenAM) initiated SSO.
2. Service provider (Salesforce) initiated SSO.
Scenario 1 works fine. Scenario 2 does not.
I read in SSO best practices for Salesforce that scenario 2 cannot be implemented for Salesforce SSO. Is this correct?

Regards,
Sameer

SP-initiated SSO is possible with SFDC and relies on a cookie (ssostartpage) already existing in the browser. This means the user should perform IdP-initiated SSO the first time to set the cookie; SP-initiated SSO is then possible from that point forward.
See this post at SFDC security forum for more details.