SP Initiated SSO


How SP initiated SSO works:

  1. User accesses (via the Proxy).
  2. Proxy contacts the SP.
  3. SP responds with a redirect to URL with SAML request.
  4. The proxy rewrites the assertion consumer URL, re-signs the request, and does not change the IdP URL.
  5. Browser sends SSO request to federation server @
  6. Federation server sends credentials challenge.
  7. User responds to federation server’s challenge for authentication.
  8. Federation server contacts respective directory service to validate user credentials.
  9. Directory service responds with a success or failure.
  10. Federation server sends an HTTP redirect POST request to with SAML response back to User Agent (browser).
  11. Browser sends a POST request to, the proxy URL, with SAML response received from federation server.
  12. Proxy rewrites the SAML response, re-signs it and does a POST request to, the SP URL, with rewritten SAML response.
  13. SP (SFDC) validates the SAML Response, and if successful, sends a redirect response for https://<pod>.[csp].com/
  14. Proxy rewrites the URL and forwards the Redirect Response for https://<pod> back to the Browser.
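
Step 4 as an added example (not code from the proxy product described here): with the SAML HTTP-Redirect binding the signature covers the encoded query string, so changing the assertion consumer URL forces a re-sign while the IdP URL stays untouched. The hostnames, the sample request and the `sign` callable (a stand-in for the proxy's private-key signer) are assumptions.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ET.register_namespace("samlp", SAMLP)

def decode_request(b64):
    # HTTP-Redirect binding: base64 over raw DEFLATE (no zlib header)
    return zlib.decompress(base64.b64decode(b64), -15)

def encode_request(xml_bytes):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def rewrite_redirect(url, proxy_acs, sign):
    """Point the AuthnRequest at the proxy's ACS URL and re-sign the query.

    sign: hypothetical callable(bytes) -> signature bytes, backed by the
    proxy's signing key. The SP's original Signature is dropped because it
    no longer covers the rewritten SAMLRequest.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    root = ET.fromstring(decode_request(q["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    root.set("AssertionConsumerServiceURL", proxy_acs)
    fields = [("SAMLRequest", encode_request(ET.tostring(root)))]
    if "RelayState" in q:
        fields.append(("RelayState", q["RelayState"][0]))
    fields.append(("SigAlg", RSA_SHA256))
    # The signed octets are exactly this URL-encoded string, in this order.
    signed = urlencode(fields, safe="", quote_via=quote)
    sig = base64.b64encode(sign(signed.encode())).decode()
    query = signed + "&Signature=" + quote(sig, safe="")
    # Scheme, host and path (the IdP URL) are left unchanged.
    return parts._replace(query=query).geturl()

# Constructed sample redirect, as the SP would issue it in step 3.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="' + SAMLP.encode() + b'" '
              b'ID="_constructed1" Version="2.0" '
              b'IssueInstant="2024-01-01T00:00:00Z" '
              b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')
SAMPLE_URL = ("https://idp.example.test/sso?SAMLRequest="
              + quote(encode_request(SAMPLE_XML), safe="") + "&RelayState=abc")
```

The IdP verifies the new signature against the proxy's certificate, so the IdP must be configured to trust that certificate for this SP.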
