Identity Provider (IDP) Initiated SSO

IDP Initiated SSO Diagram
  • This flow is inherently less secure than the SP-initiated version and is highly susceptible to Man-in-the-Middle and CSRF attacks (see links below), because the SP receives a SAML response it never requested and so cannot tie it to an AuthnRequest of its own. Careful consideration should be given before choosing to use IDP-Initiated SSO
  • When Salesforce acts as an IDP, this flow can be started by launching the "IdP-Initiated Login URL" shown in the policies for the connected app set up for the SP. To launch a specific resource, also include a RelayState parameter carrying the intended URL on the SP. This URL can also be used as the connected app's Start URL so that the flow starts when the connected app's icon is clicked in the App Launcher. If the Start URL is simply set to a resource on the SP, clicking the icon in the App Launcher redirects to that resource without initiating SSO
  • IDP-Initiated SSO can be used as part of canvas app authentication by selecting "Identity Provider Initiated" as the canvas app's initiation method. Unlike the "Service Provider Initiated" option, this has the advantage that the SAML response can be passed and the user authenticated without the canvas app / service provider first having to serve an unauthenticated login page, which may not permit embedding in an iframe (this applies to Salesforce's own standard login page, so the consideration is relevant to Salesforce -> Salesforce canvas apps)
  • If Salesforce acts as the Service Provider, the general setup considerations and capabilities described in the Service Provider Initiated SSO flow apply, except for the My Domain requirement, which isn't necessary here
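The two security-relevant points above (an unsolicited response that cannot be matched to a request, and a RelayState that is under the sender's control) are easiest to see from the SP side. The following is an added example, not code from Salesforce, Apex Hours or this page: it builds the IdP-Initiated Login URL with a RelayState deep link, and shows the checks an SP should apply to an unsolicited SAML response before creating a session. The SP entity ID, ACS URL, IdP URL and the sample response are all constructed; XML-DSig signature verification is assumed to be done by a SAML library and is passed in as a boolean.

```python
# Added example (not Salesforce's or Apex Hours' code): defender-side handling of an
# IdP-initiated SAML login. All URLs, entity IDs and the sample response are constructed.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical service-provider configuration.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=3)


def idp_initiated_login_url(idp_login_url, relay_state=None):
    """Build the IdP-Initiated Login URL, appending RelayState for a deep link."""
    if relay_state is None:
        return idp_login_url
    sep = "&" if "?" in idp_login_url else "?"
    return idp_login_url + sep + urlencode({"RelayState": relay_state})


def safe_relay_state(relay_state, default="/"):
    """Accept only a same-site absolute path; anything else becomes the default.
    RelayState arrives with an unsolicited response, so an SP that redirects to it
    blindly is an open redirect."""
    if not relay_state or not relay_state.startswith("/") or relay_state.startswith("//"):
        return default
    if "\\" in relay_state:  # browsers treat "/\" like "//"
        return default
    p = urlparse(relay_state)
    if p.scheme or p.netloc:
        return default
    return relay_state


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_unsolicited_response(xml_text, signature_ok, seen_ids, now=None):
    """Check an IdP-initiated <samlp:Response>. Returns (True, name_id) or (False, reason).
    signature_ok is the result of XML-DSig verification by a SAML library (assumed);
    seen_ids is a replay cache of assertion IDs this SP has already accepted."""
    if not signature_ok:
        return False, "signature"
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # Unsolicited means no AuthnRequest exists; an InResponseTo here is a mismatch.
    if root.get("InResponseTo"):
        return False, "unexpected InResponseTo"
    if root.get("Destination") != SP_ACS_URL:
        return False, "destination"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    aid = assertion.get("ID")
    if not aid or aid in seen_ids:  # each assertion may create one session only
        return False, "replay"
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        return False, "no conditions"
    nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if nb and now < _ts(nb) - CLOCK_SKEW:
        return False, "not yet valid"
    if not noa or now >= _ts(noa) + CLOCK_SKEW:
        return False, "expired"
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo"):
        return False, "subject confirmation"
    if not scd.get("NotOnOrAfter") or now >= _ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "subject confirmation expired"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return False, "no NameID"
    seen_ids.add(aid)
    return True, name_id.text


# Constructed, unsigned sample response (signature handling is outside this example).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
DEMO_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed clock for the sample

if __name__ == "__main__":
    print(idp_initiated_login_url("https://idp.example.com/idp/login?app=EXAMPLE", "/lightning/page/home"))
    cache = set()
    print(validate_unsolicited_response(SAMPLE_RESPONSE, True, cache, now=DEMO_NOW))
    print(validate_unsolicited_response(SAMPLE_RESPONSE, True, cache, now=DEMO_NOW))  # replay
    print(safe_relay_state("https://evil.example/"), safe_relay_state("/lightning/page/home"))
```

The replay cache and the absence-of-InResponseTo rule are what stand in for the request binding the SP would otherwise have; without them a captured response can be posted to the ACS by anyone who obtains it, which is the MitM/CSRF exposure the first bullet refers to. `safe_relay_state` is deliberately strict (same-site absolute paths only); loosen it only to an allow-list of known SP URLs, never to arbitrary absolute URLs.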
Walkthrough and Additional Considerations (Apex Hours)

This Flow in Context
Diagram of flow in context