IdP-initiated SSO without a dedicated SSO server

0
votes

I have an ASP.NET application which uses login cookies already. I need to provide a link in my application upon clicking which the user should be able to access their info in SalesForce.com using SSO. I'm planning to implement this link as an ASP page that constructs a SAML assertion with the corresponding username in SalesForce.com, posts the SAML assertion to SalesForce.com SAML Endpoint URL, receives the SAML response from SalesForce.com and redirects the user to the session URL contained in the response.

Has anyone tried this approach instead of using a dedicated SSO server (such as OpenAM) ? Are there any issues in this approach ?

1
asp.netsalesforcesingle-sign-onsamlopenam

1 Answers

0
votes

You won't be able to do that, because it would require you to implement most of SAML IdP (identity provider) piece on your own. SAML is a complex standard involving multiple interactions between IdP and SP (service provider), it is so much more than just sending an assertion.

To enable SAML you'll need to install IdP (like OpenAM), connect it to your user database and to convert your application to SP.

Wikipedia has more detail on SAML iteractions.