The following diagram illustrates the SSO processing flow, using the Salesforce Cloud Identity Connector in a SaaS environment as an example implementation:

Processing Steps

  1. On the enterprise Salesforce site, a user clicks a custom link for access to a protected resource.
    Important: The user must be logged on to Salesforce.
  2. The link goes to PingFederate and includes the user’s Salesforce session ID and service URL as query parameters. For more information, see Define the SSO URL in Salesforce.
  3. The Salesforce IdP Adapter makes a SOAP (Simple Object Access Protocol) request to Salesforce to obtain attributes for the user.
  4. Salesforce validates the session and returns requested user attributes in the SOAP response.
  5. PingFederate issues a SAML (Security Assertion Markup Language) assertion to the SP-connection Assertion Consumer Service (ACS).
    Note: Alternatively, for onsite target resources within the same security context as PingFederate, SSO can be accomplished via adapter-to-adapter mapping without using a SAML connection (see Complete the configuration).
  6. (Not shown) The user is logged on to the target resource.
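
Steps 2 and 3 hand a live session ID to whatever service URL arrives in the link, so the sketch below checks that URL before building the SOAP request. It is an added example, not PingFederate's or the adapter's own code. Assumptions: the query parameter names, the allowed host suffixes, the sample link, and the use of the Partner API getUserInfo call as a stand-in for the adapter's attribute request.

```python
from urllib.parse import urlsplit, parse_qs
from xml.sax.saxutils import escape

# Assumption: domains the adapter may contact; adjust to your org.
ALLOWED_SUFFIXES = (".salesforce.com", ".force.com")
# Hypothetical parameter names; the real ones come from the SSO URL definition.
SESSION_PARAM, SERVICE_PARAM = "sessionId", "serverUrl"

# Constructed sample link (not from the product documentation).
SAMPLE_LINK = ("https://sso.example.com/sso?sessionId=00Dxx%21constructed"
               "&serverUrl=https%3A%2F%2Fna1.salesforce.com%2Fservices%2FSoap%2Fu%2F58.0")

def parse_sso_link(link):
    """Return (session_id, service_url) from the step 2 link, or raise ValueError."""
    params = parse_qs(urlsplit(link).query)
    for name in (SESSION_PARAM, SERVICE_PARAM):
        # Reject missing or repeated parameters rather than picking one.
        if len(params.get(name, [])) != 1:
            raise ValueError(f"expected exactly one {name} parameter")
    session_id, service_url = params[SESSION_PARAM][0], params[SERVICE_PARAM][0]
    target = urlsplit(service_url)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        raise ValueError("service URL must use https")
    # The session ID is only sent to an allowed host, never to user@host forms.
    if target.username or target.password or not host.endswith(ALLOWED_SUFFIXES):
        raise ValueError("service URL host is not an allowed Salesforce domain")
    return session_id, service_url

def build_user_info_request(session_id):
    """SOAP envelope for step 3: session ID in the header, getUserInfo in the body."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:urn="urn:partner.soap.sforce.com">'
        "<soapenv:Header><urn:SessionHeader>"
        f"<urn:sessionId>{escape(session_id)}</urn:sessionId>"
        "</urn:SessionHeader></soapenv:Header>"
        "<soapenv:Body><urn:getUserInfo/></soapenv:Body>"
        "</soapenv:Envelope>"
    )

if __name__ == "__main__":
    sid, url = parse_sso_link(SAMPLE_LINK)
    print("POST", url)
    print(build_user_info_request(sid))
```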