
Siteminder Considerations for SP Initiated Single Sign-on

Knowledge Article Number 000228428
Description Siteminder SSO Considerations for SSO

At a very high level, the Sites page, accessed through one or more custom URLs, calls the VF page, which calls the controller (Apex class) to handle the POST-to-GET conversion. Please note that other VF pages will be needed, e.g. Forgot Password, Login, Register, Unauthorized, etc.

For FULL DETAILS on how to set Single Sign-on up with CA (Siteminder), please see:
https://support.ca.com/phpdocs/0/8231/8231_5262_SFDC_CA_FedMgr_Interop.pdf?intcmp=searchresultclick&resultnum=4


A Visualforce page can be used to convert the SFDC POST binding request to a GET request during AuthnRequest.
This example shows the pieces used on the salesforce.com side, together with the Siteminder requirements for correct RelayState parameter handling. ** Siteminder typically will only handle GET requests. Please also consider using the SFDC SSO Binding setting of: HTTP Redirect **


User mobile login flow:
Mobile user creates a Custom Connection from Salesforce1 hybrid downloadable client (entered as Entity ID on SAML configuration).
SSO Settings will provide redirect via Identity Provider Login URL (your custom forms-based login landing page)
NOTE: That page could be hosted elsewhere or via salesforce.com sites (as shown by example below).


At a very high level, the Sites page, accessed through one or more custom URLs, calls the VF page, which calls the controller (Apex class) to handle the POST-to-GET conversion. Please note that other VF pages will/may be needed for a complete user experience, e.g. Forgot Password, Login, Register, Unauthorized, etc.

KEY Components
VF code: Convert Post to Get
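<apex:page controller="PostToGetController" sidebar="false" standardStylesheets="false" showHeader="false">
<script>
// JSENCODE keeps a quote or backslash in the redirect value from ending the string literal
window.location='{!JSENCODE(redirect)}';
</script>
</apex:page>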

Apex Controller (called from VF page):
public class PostToGetController {

    public String redirect {get;set;}
    // The Custom Setting record that holds the federation URL field
    public SSOSettings__c ssoSettings;

    // The constructor name must match the class name
    public PostToGetController() {

       //redirect = 'https://{your single sign-on authentication handling}';
       ssoSettings = [SELECT {CustomSetting Related CustomField} FROM SSOSettings__c LIMIT 1];
       redirect = ssoSettings.{CustomSetting Related CustomField};
       Map<String, String> params = ApexPages.currentPage().getParameters();
       // getParameters() returns decoded values, so re-encode RelayState before appending it
       if (params.containsKey('RelayState')) {
           redirect = redirect + '?RelayState=' + EncodingUtil.urlEncode(params.get('RelayState'), 'UTF-8');
       }
       System.debug('****** REDIRECT TO: ' + redirect);
    }

}
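
The RelayState handling above, as an added example that is not part of the original article: it compares plain concatenation of a decoded RelayState value with a percent-encoded one, and parses each redirect the way the receiving login page would. The host idp.example.com, the sample RelayState, the realm parameter and all function names are assumptions; the case of a base URL that already carries a query string goes beyond what the article covers.

```javascript
// Added example, not code from the article. All values are constructed samples.
const FEDERATION_URL = 'https://idp.example.com/login'; // placeholder login URL
// Decoded RelayState, as a server-side parameter map would hand it over.
const RELAY_STATE = '/apex/Orders?id=42&tab=open#summary';

// Plain concatenation, with no encoding of the value.
function concatRedirect(base, relayState) {
  return base + '?RelayState=' + relayState;
}

// Percent-encodes the value and keeps any query string already on the base URL.
function encodedRedirect(base, relayState) {
  const url = new URL(base);
  url.searchParams.set('RelayState', relayState);
  return url.toString();
}

// Parses a redirect URL the way the receiving login page would.
function received(redirect) {
  const params = new URL(redirect).searchParams;
  return { relayState: params.get('RelayState'), names: [...params.keys()] };
}

// Runs both variants on the sample input and returns what the receiver sees.
function demo() {
  const plain = received(concatRedirect(FEDERATION_URL, RELAY_STATE));
  const safe = received(encodedRedirect(FEDERATION_URL, RELAY_STATE));
  const withQuery = encodedRedirect(FEDERATION_URL + '?realm=partners', RELAY_STATE);
  return { plain, safe, withQuery };
}

console.log(JSON.stringify(demo(), null, 2));
```

With plain concatenation the receiver sees a truncated RelayState plus an extra `tab` parameter, and the fragment never reaches the server; the encoded form returns the value unchanged.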


Custom Setting Definition 

Object Detail: {Name}
Setting Type: List
Visibility: Public

Related Custom Field:
Label: {CustomSetting Related CustomField} i.e. FederationURL__c (Text 250)


Single Sign-on Settings SAML configuration:
The Identity Provider Login URL could call one of the base domains constructed for the sites page. i.e. http://{customURL}/{Apexclass VF page} -> http://siteminder.force.com/PostToGet



