The following diagram illustrates the SSO processing flow, using the Salesforce Cloud Identity Connector in a SaaS environment as an example implementation:
Processing Steps
- On the enterprise Salesforce site, a user clicks a custom link for access to a protected resource. Important: The user must be logged on to Salesforce.
- The link goes to PingFederate and includes the user’s Salesforce session ID and service URL as query parameters. For more information, see Define the SSO URL in Salesforce.
- The Salesforce IdP Adapter makes a SOAP (Simple Object Access Protocol) request to Salesforce to obtain attributes for the user.
- Salesforce validates the session and returns requested user attributes in the SOAP response.
- PingFederate issues a SAML (Security Assertion Markup Language) assertion to the SP-connection Assertion Consumer Service (ACS). Note: Alternatively, for onsite target resources within the same security context as PingFederate, SSO can be accomplished via adapter-to-adapter mapping without using a SAML connection (see Complete the configuration).
- (Not shown) The user is logged on to the target resource.
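Steps 2 through 4 above, as an added Python illustration rather than code from PingFederate or the Salesforce connector: the query parameter names `sid` and `serverUrl`, the use of the partner API `getUserInfo` call, and the sample SOAP response are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Query parameter names are assumed for illustration; the connector's real names may differ.
PARTNER_NS = "urn:partner.soap.sforce.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_sso_link(url):
    """Step 2: take the Salesforce session ID and server URL from the custom link."""
    qs = parse_qs(urlparse(url).query)
    sid, server_url = qs.get("sid", [""])[0], qs.get("serverUrl", [""])[0]
    if not sid or not server_url:
        raise ValueError("missing sid or serverUrl")
    # The server URL arrives as request input: only call back to a Salesforce host over TLS.
    target = urlparse(server_url)
    if target.scheme != "https" or not (target.hostname or "").endswith(".salesforce.com"):
        raise ValueError("serverUrl is not a Salesforce API endpoint")
    return sid, server_url

def build_getuserinfo_request(sid):
    """Step 3: partner API getUserInfo call; the session ID travels in the SOAP SessionHeader."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("urn", PARTNER_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    session = ET.SubElement(header, f"{{{PARTNER_NS}}}SessionHeader")
    ET.SubElement(session, f"{{{PARTNER_NS}}}sessionId").text = sid
    ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{PARTNER_NS}}}getUserInfo")
    return ET.tostring(env, encoding="unicode")

def parse_userinfo_response(xml_text):
    """Step 4: collect the returned attributes that PingFederate maps into the assertion."""
    root = ET.fromstring(xml_text)
    result = root.find(f".//{{{PARTNER_NS}}}result")
    if result is None:
        # No result (e.g. a SOAP Fault) means Salesforce did not accept the session: no assertion.
        raise ValueError("Salesforce returned no user info for this session")
    return {child.tag.split("}")[1]: child.text for child in result}

# Constructed sample response (not captured from a real Salesforce org).
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><getUserInfoResponse xmlns="urn:partner.soap.sforce.com"><result>
<userEmail>jdoe@example.com</userEmail><userName>jdoe@example.com</userName>
<organizationId>00DEXAMPLE000000AAA</organizationId></result></getUserInfoResponse>
</soapenv:Body></soapenv:Envelope>"""
```

Feeding `SAMPLE_RESPONSE` to `parse_userinfo_response` yields the attribute dictionary that step 5 would map into the SAML assertion; a response with no `result` element is refused rather than mapped.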