Describe the role(s) an Identity Provider and Service Provider play in an access control solution

Identity Provider

  • An identity provider is a trusted provider that lets use single sign-on (SSO) to access other websites.
  • Salesforce can be enabled as a Identity Provider and multiple service providers can be defined to enable access to multiple applications using Single Sign On (SSO).
  • Before enabling Salesforce as an identity provider set up a subdomain using My Domain.
  • Enabling Salesforce as a Identity provider requires a Salesforce certificate and Key pair that are signed by external certificate authorities (CA – Signed) or self signed.
  • Salesforce uses SAML 2.0 standard for SSO and generates SAML Assertions when configured as Identity Provider.
  • Salesforce supports the following:
    • Identity-provider-initiated login—when Salesforce logs in to a service provider at the initiation of the end user
      • The user tries to access a service provider already defined in Salesforce.
      • Salesforce sends a SAML response to the service provider.
      • The service provider identifies the user and authenticates the certificate.
      • If the user is identified, the user is logged in to the service provider.
    • Service-provider-initiated login—when the service provider requests Salesforce to authenticate a user, at the initiation of the user
      • The service provider sends a valid SAML request. The SP-Initiated POST endpoint is generated when the service provider is defined.
      • Salesforce identifies the user specified in the SAML request. If a certificate is part of the definition, Salesforce authenticates the certificate.
      • If the user is not logged in to Salesforce, the user is prompted to do so.
      • Salesforce sends a SAML response to the service provider.
      • The service provider authenticates the SAML response sent by Salesforce. If the user is authenticated, the user is logged in to the service provider and logged in to Salesforce.
    • When using SAML for federated authentication, enable Salesforce as an identity provider and then set up connected apps.


  • A service provider is a website that hosts apps which provide service to endusers.
  • Before defining service providers in Salesforce follow steps to define Identity Provider and exchange configuration information with the provider.
    • Enable Salesforce (or any other provider) as Identity Provider
    • Give your service provider information about your configuration of Salesforce (or other provider) as an identity provider.
    • Get the following information from your service provider:
      • Assertion consumer service (ACS) URL
      • Entity ID
      • Subject type—Specifies if the subject for the SAML response from Salesforce (as an identity provider) is a Salesforce user name or a federation ID
      • Security certificate—Only required when the service provider is initiating login to Salesforce and signing their SAML requests
    • Define service providers as SAML enabled Connected apps.
    • If the Subject Type for the service provider definition is Federation ID, we must map the Salesforce user to the username used to sign into the service provider.
    • When enabling identity providers and defining service providers for Salesforce Sites, Customer Portals and partner portals, note the following:
      • When defining a service provider, if the Subject Type is Username, the Salesforce organization ID is prepended to the user name in the SAML assertion. For example, if the user is, the subject for the SAML assertion contains If the Subject Type is Federation ID, the exact federation ID is used.
      • The attribute is_portal_user included in the SAML assertion generated by Salesforce contains values. You might want to share the following example with your service provider.
      • <saml:Attribute Name=”is_portal_user” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified”> <saml:AttributeValue xmlns:xs=”” xmlns:xsi=”” xsi:type=”xs:anyType”>true </saml:AttributeValue> </saml:Attribute>
    • The identity provider event log records both problems and successes with inbound SAML or OpenID Connect authentication requests from another app provider, and outbound SAML responses when Salesforce is acting as an identity provider.


  • I have enabled SSO to many of my developer orgs from one org which I made as a Identity Provider. That way it is not required to remember passwords of my developer orgs and I can keep track of all of them.
  • I made one of these orgs as a Identity provider and other orgs as Service Providers.
  • I created a home page component with custom links to these orgs which when clicked take me to those orgs.
  • Below are the screen shots of the Identity Provider, Service Provider and Custom link.
  • When user clicks on the Custom Link, the Identity Provider Initiated login kicks in and takes the user to the Service Provider Org.
image.png image.pngimage.png