IdP-initiated SSO
How IdP-initiated SSO works:
- User requests a service by entering a URL similar to https://company.com/adfs/ls/idpiniti...pany.myshn.net
- Federation Server sends user credentials challenge (several mechanisms possible, including username/password, two-factor, and more).
- The user responds to challenge (log in through username and password).
- Federation Server contacts respective directory service to validate user credentials.
- Directory Service responds with a success or failure.
- Federation Server returns the SAML Response to the User Agent (browser) using the HTTP-POST binding: an auto-submitting form whose target is https://logincrm.company.myshn.net.
- The browser sends a POST request to https://logincrm.company.myshn.net, which is the Proxy, with SAML Response received from Federation Server.
- Proxy rewrites the SAML Response (assertion consumer URL), re-signs it with its own signing key, and sends a POST request carrying the rewritten SAML Response to https://login.salesforce.com, the rewritten SP URL.
- Service Provider validates the SAML Response and, if validation succeeds, sends a Redirect Response for https://<pod>.salesforce.com/
- Proxy rewrites the URL and forwards the Redirect Response for https://<pod>crm.company.myshn.net back to the browser.
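The three trust decisions in steps 8, 10 and 11 (the IdP signs for the proxy's assertion consumer URL, the proxy rewrites that URL and must therefore re-sign, and the SP only accepts signatures from keys it trusts and only for its own URL) are easier to see in code. The following is an added, constructed model written for this page, not the product's or Salesforce's code. It uses an HMAC-SHA256 over a canonical string as a stand-in for the XML-DSig RSA signature a real federation server produces, and the key values, user name and element layout are all constructed for the illustration; the trust logic it demonstrates is the same.

```python
"""Model of the proxy-rewritten IdP-initiated SAML flow described above.

Constructed example (not the product's or the SP's code). HMAC-SHA256 over a
canonical string stands in for the XML-DSig RSA signature; the point is that
whoever rewrites the assertion consumer URL must re-sign, and the SP accepts
only signatures from keys it has been configured to trust, for its own URL.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed keys for the illustration; real deployments use X.509 key pairs.
IDP_KEY = b"idp-signing-key-constructed"
PROXY_KEY = b"proxy-signing-key-constructed"

PROXY_ACS = "https://logincrm.company.myshn.net"   # proxy URL the IdP signs for
SP_ACS = "https://login.salesforce.com"             # real SP URL after rewrite


def _canonical(resp):
    """Signed content: Destination, Recipient and NameID (stand-in for C14N)."""
    nameid = resp.find(f".//{{{SAML}}}NameID")
    scd = resp.find(f".//{{{SAML}}}SubjectConfirmationData")
    return "|".join([resp.get("Destination"), scd.get("Recipient"), nameid.text]).encode()


def sign(resp, key):
    """Attach a signature over the canonical content (stand-in for ds:Signature)."""
    resp.set("Signature", hmac.new(key, _canonical(resp), hashlib.sha256).hexdigest())
    return resp


def idp_issue_response(user, acs_url, key=IDP_KEY):
    """Step 8: the federation server builds and signs a Response for the ACS URL."""
    resp = ET.Element(f"{{{SAMLP}}}Response", Destination=acs_url)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    sc = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", Recipient=acs_url)
    return ET.tostring(sign(resp, key), encoding="unicode")


def proxy_rewrite(xml_text, new_acs_url, resign=True, key=PROXY_KEY):
    """Step 10: the proxy rewrites the assertion consumer URL and re-signs.

    resign=False models a proxy that forgets to re-sign, to show why it must."""
    resp = ET.fromstring(xml_text)
    resp.set("Destination", new_acs_url)
    resp.find(f".//{{{SAML}}}SubjectConfirmationData").set("Recipient", new_acs_url)
    if resign:
        sign(resp, key)
    return ET.tostring(resp, encoding="unicode")


def sp_validate(xml_text, expected_acs_url, trusted_keys):
    """Step 11: the SP checks the signature against trusted keys, then the ACS URL."""
    resp = ET.fromstring(xml_text)
    sig = resp.get("Signature", "")
    msg = _canonical(resp)
    if not any(hmac.compare_digest(sig, hmac.new(k, msg, hashlib.sha256).hexdigest())
               for k in trusted_keys):
        return False, "signature not from a trusted signer"
    scd = resp.find(f".//{{{SAML}}}SubjectConfirmationData")
    if resp.get("Destination") != expected_acs_url or scd.get("Recipient") != expected_acs_url:
        return False, "assertion consumer URL does not match this SP"
    return True, resp.find(f".//{{{SAML}}}NameID").text


if __name__ == "__main__":
    from_idp = idp_issue_response("alice@company.com", PROXY_ACS)
    # Sent straight to the SP without rewriting: signature fine, URL wrong.
    print(sp_validate(from_idp, SP_ACS, [IDP_KEY, PROXY_KEY]))
    # Rewritten but not re-signed: the IdP signature no longer covers the content.
    print(sp_validate(proxy_rewrite(from_idp, SP_ACS, resign=False), SP_ACS, [IDP_KEY, PROXY_KEY]))
    # Rewritten and re-signed, SP configured to trust the proxy's key: accepted.
    print(sp_validate(proxy_rewrite(from_idp, SP_ACS), SP_ACS, [PROXY_KEY]))
```

The last call is the configuration the flow above depends on: the SP's trusted signing certificate must be the proxy's, not the IdP's, because the IdP's signature cannot survive the URL rewrite. The same check also shows why the SP must compare Destination and Recipient against its own URL rather than only verifying the signature.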