Single Sign-On (SSO) for salesforce.com can take various forms.
The Winter '10 release supports SAML2 for salesforce.com and for the Salesforce partner and customer portals. It does not yet support SAML2 for Salesforce Sites (that is scheduled for a coming release).
When setting up SSO, here are some issues you should consider:
- What is your user or identity store? Is it an internal store such as Active Directory, Oracle Access Manager or a custom LDAP directory, or do you want to use a cloud-based store such as Salesforce or Google to manage your user identity information?
- Do you have more than one user identity store?
- Do you want to auto-provision (activate/create) Salesforce users just in time, or do you have an existing provisioning process?
- Do you want to allow deep linking to URLs, or always force people to log in via a “home page” or “dashboard”?
- Is SSO for your internal users or for your customers/partners? Do you have separate data stores for each?
- Do you want users to keep their existing usernames and passwords, or get a new “single” username/password?
- Should you use salesforce.com’s Delegated Authentication model or SAML2 SSO?
Sounds like a lot to think about.
The reality is that there are many variants and solutions to meet your specific requirements.
At WDCi we have been looking at these issues for a while, and we use our partnership with Ping Identity to provide solutions to Single Sign-On requirements for Salesforce.com and other systems.