          Canvas App Settings: Canvas SAML Initiation Control

          This security setting determines how the authentication handshake is triggered.

          Control Name

          Connected Apps: Canvas App Settings: SAML Initiation Method - IdP Initiated | SP Initiated

          Recommended Configuration

          SAML Initiation Method - IdP Initiated | SP Initiated.

          Control Overview

          This security setting determines whether the authentication handshake is triggered by the application requesting an identity assertion from the provider (SP-Initiated) or by the provider pushing an unsolicited assertion to the application (IdP-Initiated).

          Security Risk If Not Configured

Weak SAML initiation methods, in particular the widespread use of IdP-initiated flows without additional safeguards, create a risk of unauthorized session initiation and a bypass of the primary identity challenge, because the service provider holds no locally tracked request state against which to check an incoming assertion.

          Threat Scenarios

          An attacker performs a login CSRF (Cross-Site Request Forgery) attack by tricking a user's browser into submitting a forged or replayed SAML assertion to the service provider, effectively hijacking the target application session.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to prioritize SP-initiated flows prevents the application from validating that an incoming SAML response corresponds to a specific, unique authentication request it recently generated, facilitating unsolicited login attempts.

          Higher Risk When

          When using IdP-initiated flows for administrative Canvas apps, as this method is vulnerable to "Interception" attacks where an assertion can be captured and submitted to the ACS URL without the user's direct interaction with the app.

          Low Risk When

When SP-Initiated flows are enforced, because the signed SAML response carries a unique "InResponseTo" attribute that binds it to the ID of the original authentication request, so an assertion that answers no outstanding request is rejected and unsolicited assertion attacks are nullified.
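The two paragraphs above (Risk Impact Considerations and Low Risk When) describe the request-state check that an SP-initiated flow makes possible. The following is an added example, not Salesforce's own code, of how a service provider tracks the AuthnRequest IDs it issued and accepts a SAML Response only when its InResponseTo names one of them; signature verification is assumed to happen before this step, and the ACS URL, session IDs and XML are constructed for the example.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"


class RequestTracker:
    """Remembers AuthnRequest IDs this SP issued, per browser session, until used or expired."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # request_id -> (session_id, issued_at)

    def issue_request_id(self, session_id):
        # Fresh random ID for each AuthnRequest, stored against the requesting browser session.
        request_id = "_" + secrets.token_hex(16)
        self._pending[request_id] = (session_id, time.time())
        return request_id

    def consume(self, request_id, session_id, now=None):
        # The ID is removed on any lookup, so a given response can be accepted at most once.
        now = time.time() if now is None else now
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return False  # unknown ID, or already consumed (replay)
        owner, issued_at = entry
        return owner == session_id and (now - issued_at) <= self.ttl


def accept_response(tracker, response_xml, session_id, acs_url, now=None):
    """True only if the Response answers an outstanding request of this session at this ACS.
    Unsolicited (IdP-initiated) responses carry no InResponseTo and are refused."""
    root = ET.fromstring(response_xml)
    if root.tag != SAMLP + "Response" or root.get("Destination") != acs_url:
        return False
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return False  # no request state to bind to
    return tracker.consume(in_response_to, session_id, now)


def demo():
    # Constructed walk-through: solicited response, its replay, and an unsolicited one.
    acs = "https://sp.example.test/saml/acs"  # hypothetical ACS URL
    tracker = RequestTracker()
    rid = tracker.issue_request_id("sess-A")
    ns = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    solicited = f'<samlp:Response {ns} Destination="{acs}" InResponseTo="{rid}"/>'
    unsolicited = f'<samlp:Response {ns} Destination="{acs}"/>'
    return (accept_response(tracker, solicited, "sess-A", acs),
            accept_response(tracker, solicited, "sess-A", acs),
            accept_response(tracker, unsolicited, "sess-A", acs))
```

The same tracker also rejects a response whose InResponseTo belongs to another browser session or has outlived the configured TTL.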

          Business and Integration Considerations

          SP-Initiated is the secure choice for deep-linking directly into application records, whereas IdP-Initiated is only appropriate for broad "App Launcher" use cases where ease of access from a central portal outweighs the risk of unsolicited assertions.

          Recommended Remediation

          Go to the Canvas App Settings for the Connected App and select Service Provider Initiated for high-assurance internal integrations to ensure that every session is tracked from the point of access.

          Security Health Review Guidance

          Security Health Review identifies Service Provider-initiated SAML as the strongly recommended standard for secure Canvas integrations, while acknowledging that Identity Provider-initiated flows are a valid secondary option for centralized portal access when session hijacking risks are mitigated by other compensating controls.

          Salesforce Help | Article