SP Initiated SSO
How SP initiated SSO works:
- User accesses https://logincrm.company.myshn.net (via the Proxy).
- Proxy contacts the SP.
- SP responds with a redirect to URL https://company.com/adfs/ls/ with SAML request.
- Proxy rewrites the AssertionConsumerServiceURL in the SAML request to its own hostname (https://logincrm.company.myshn.net), re-signs the request with the proxy's signing key (the federation server must trust that key), and leaves the IdP URL unchanged.
- Browser follows the redirect and sends the SSO request to the federation server at https://company.com/adfs/ls/.
- Federation server sends credentials challenge.
- User responds to federation server’s challenge for authentication.
- Federation server contacts respective directory service to validate user credentials.
- Directory service responds with a success or failure.
- Federation server returns the SAML response to the User Agent (browser) as an HTTP-POST binding form whose target is https://logincrm.company.myshn.net, the assertion consumer URL rewritten into the request.
- Browser sends a POST request with the SAML response received from the federation server to https://logincrm.company.myshn.net, the proxy URL.
- Proxy rewrites the SAML response, re-addressing it from the proxy URL to the SP URL, re-signs it with the key the SP trusts, and sends a POST request with the rewritten SAML response to https://login.salesforce.com, the SP URL.
- SP (SFDC) validates the SAML response and, if successful, sends a redirect response for https://<pod>.[csp].com/.
- Proxy rewrites the URL and forwards the redirect response for https://<pod>crm.company.myshn.net back to the browser.
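The two rewrites the proxy performs in this flow, as an added example that is not part of the original page and not product code. It models the AuthnRequest rewrite (assertion consumer URL swapped for the proxy hostname, IdP Destination left alone) and the Response rewrite (Destination and Recipient re-addressed to the SP). The hostnames are the ones used above; the SAML documents are constructed samples, and re-signing is represented by dropping the stale ds:Signature and returning the bytes an XML-DSig library would sign with the proxy key. Everything runs with the Python standard library.

```python
"""Added example, not McAfee/Skyhigh product code: a minimal model of the proxy's
AuthnRequest and Response rewrites. Hostnames are taken from the page; the SAML
documents below are constructed samples, not captured traffic."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

SP_ACS = "https://login.salesforce.com"           # real SP endpoint
PROXY_ACS = "https://logincrm.company.myshn.net"  # proxy hostname the browser talks to
IDP_SSO = "https://company.com/adfs/ls/"          # federation server; never rewritten

# HTTP-Redirect binding: raw DEFLATE (no zlib header) + base64, then URL-encoded.
def encode_redirect(xml_bytes):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def decode_redirect(value):
    return zlib.decompress(base64.b64decode(value), -15)

def strip_signatures(root):
    """A signature over the old bytes is void after a rewrite; the proxy must re-sign."""
    for parent in list(root.iter()):
        for sig in list(parent.findall("ds:Signature", NS)):
            parent.remove(sig)

def rewrite_authn_request(sp_redirect_url):
    """Step 6: point the AuthnRequest's ACS at the proxy; leave the IdP Destination alone."""
    parts = urllib.parse.urlsplit(sp_redirect_url)
    q = dict(urllib.parse.parse_qsl(parts.query))
    root = ET.fromstring(decode_redirect(q["SAMLRequest"]))
    if root.get("Destination") != IDP_SSO:
        raise ValueError("unexpected IdP Destination %r" % root.get("Destination"))
    if root.get("AssertionConsumerServiceURL") != SP_ACS:
        raise ValueError("AuthnRequest is not for the SP this proxy fronts")
    root.set("AssertionConsumerServiceURL", PROXY_ACS)
    strip_signatures(root)
    q["SAMLRequest"] = encode_redirect(ET.tostring(root))
    q.pop("Signature", None)  # any query-string signature is stale as well
    # Redirect-binding signing input is "SAMLRequest=..[&RelayState=..]&SigAlg=.." in that
    # order; the proxy signs it with its own key and appends &Signature=.. (not modelled).
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q)))

def parse_redirect(url):
    """What a reviewer checks on a redirect-binding URL leaving the proxy."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    root = ET.fromstring(decode_redirect(q["SAMLRequest"]))
    return {"Destination": root.get("Destination"),
            "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
            "RelayState": q.get("RelayState")}

def rewrite_response(response_b64):
    """Step 14: the IdP addressed the Response to the proxy; re-address it to the SP."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.get("Destination") != PROXY_ACS:
        raise ValueError("Response not addressed to this proxy: %r" % root.get("Destination"))
    root.set("Destination", SP_ACS)
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") == PROXY_ACS:
            scd.set("Recipient", SP_ACS)
    strip_signatures(root)  # proxy re-signs with the key the SP trusts (not modelled)
    return base64.b64encode(ET.tostring(root)).decode()

def response_addressing(response_b64):
    root = ET.fromstring(base64.b64decode(response_b64))
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return {"Destination": root.get("Destination"), "Recipient": scd.get("Recipient"),
            "Audience": root.findtext(".//saml:Audience", namespaces=NS),
            "signatures": len(root.findall(".//ds:Signature", NS))}

# Constructed samples (IDs, timestamps and the NameID are made up).
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://company.com/adfs/ls/"
 AssertionConsumerServiceURL="https://login.salesforce.com">
 <saml:Issuer>https://saml.salesforce.com</saml:Issuer></samlp:AuthnRequest>"""

SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z" InResponseTo="_req1"
 Destination="https://logincrm.company.myshn.net">
 <saml:Issuer>https://company.com/adfs/ls/</saml:Issuer>
 <ds:Signature><ds:SignatureValue>stale-idp-signature</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
  <saml:Subject><saml:NameID>user@company.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://logincrm.company.myshn.net" InResponseTo="_req1"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE).decode()

def build_sp_redirect(relay_state="page-after-login"):
    """Step 5: the redirect the SP returns, as the proxy sees it."""
    q = urllib.parse.urlencode({"SAMLRequest": encode_redirect(SAMPLE_AUTHN_REQUEST),
                                "RelayState": relay_state})
    return IDP_SSO + "?" + q

if __name__ == "__main__":
    print(parse_redirect(rewrite_authn_request(build_sp_redirect())))
    print(response_addressing(rewrite_response(SAMPLE_RESPONSE_B64)))
```

The Audience is deliberately left untouched: it names the SP entity, not an endpoint, so the SP still sees itself as the intended audience after the proxy re-addresses Destination and Recipient. The two ValueError checks are the part worth keeping in a real deployment, since a proxy that re-signs whatever it is handed turns its signing key into a universal forgery key for that SP.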