Sunday, October 1, 2023

Explain the difference between Identity Provider initiated SAML flow and Service Provider initiated SAML flow?

Identity Provider-Initiated SAML Flow:

The user logs in to the identity provider.

The user clicks a button or link to access the service provider. For example, the user clicks an app on the App Launcher page in a Salesforce org.

The identity provider initiates login by sending a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.

The service provider validates the signature in the SAML response and identifies the user.

The user is now logged in to the service provider.

The example covered earlier under “How to configure a Connected App for SAML 2.0 Flow in Salesforce for integration service provider?” is an Identity Provider-Initiated SAML Flow.

Service Provider-Initiated SAML Flow:

Now that we know how the Identity Provider-Initiated SAML Flow works, let us look at the Service Provider-Initiated SAML Flow.

In the service provider-initiated flow, the user starts at the service provider, trying to access a service.

The service provider initiates login by sending a SAML request to the identity provider, asking it to authenticate the user.

The identity provider sends the user to a login page.

The user enters their identity provider login credentials and the identity provider authenticates the user.

The identity provider now knows who the user is, so it sends a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.

The service provider validates the signature in the SAML response and identifies the user.

The user is now logged in to the service provider and can access the protected resource.
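To make the two sequences above concrete, here is a small offline model of both flows (an added example, not Salesforce code or part of the original post). A toy IdP issues a signed Response carrying an Assertion, and a toy SP performs the checks it must make before trusting it: signature, issuer, destination, audience, validity window and replay of the assertion ID. The one structural difference between the flows is visible in the code: in the SP-initiated flow the IdP answers a specific AuthnRequest, so the Response carries InResponseTo and the SP can reject a response that does not match a request it actually sent; in the IdP-initiated flow the Response is unsolicited, so that binding is unavailable and the SP relies on the remaining checks alone. Entity IDs, URLs, user names and the signing key are all constructed; the HMAC stands in for the XML-DSig (RSA/ECDSA) signature a real SAML response carries, purely so the example runs with the standard library.

```python
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://sp.example.test"        # constructed entity IDs and ACS URL
IDP_ENTITY_ID = "https://idp.example.test"
ACS_URL = "https://sp.example.test/saml/acs"
# Stand-in for the IdP signing key: real responses carry an XML-DSig signature the SP
# verifies with the IdP certificate; a shared HMAC key keeps this example offline.
IDP_SIGNING_KEY = b"constructed-demo-signing-key"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def now():
    return datetime.now(timezone.utc).replace(microsecond=0)


def parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def sign(xml_bytes):
    return base64.b64encode(hmac.new(IDP_SIGNING_KEY, xml_bytes, hashlib.sha256).digest()).decode()


class IdentityProvider:
    def __init__(self, users):
        self.users = users  # username -> password, constructed test users

    def authenticate(self, username, password):
        return self.users.get(username) == password

    def build_response(self, name_id, in_response_to=None):
        """Signed Response with one Assertion. InResponseTo is present only when the
        IdP is answering an AuthnRequest, i.e. in the SP-initiated flow."""
        issued = now()
        attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                 "IssueInstant": issued.strftime(TIME_FMT), "Destination": ACS_URL}
        if in_response_to:
            attrs["InResponseTo"] = in_response_to
        resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_" + uuid.uuid4().hex})
        subj = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
            "NotBefore": issued.strftime(TIME_FMT),
            "NotOnOrAfter": (issued + timedelta(minutes=5)).strftime(TIME_FMT)})
        ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(ar, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
        xml_bytes = ET.tostring(resp)
        return xml_bytes, sign(xml_bytes)


class ServiceProvider:
    def __init__(self):
        self.pending_requests = set()   # IDs of AuthnRequests we sent and await
        self.seen_assertions = set()    # assertion IDs already consumed (replay check)

    def create_authn_request(self):
        req_id = "_" + uuid.uuid4().hex
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0", "IssueInstant": now().strftime(TIME_FMT),
            "AssertionConsumerServiceURL": ACS_URL})
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
        self.pending_requests.add(req_id)
        return req_id, ET.tostring(req)

    def consume_response(self, xml_bytes, signature):
        """Checks the SP makes before trusting a Response; returns the NameID."""
        if not hmac.compare_digest(sign(xml_bytes), signature):
            raise ValueError("signature does not verify")
        resp = ET.fromstring(xml_bytes)
        if resp.get("Destination") != ACS_URL:
            raise ValueError("response not addressed to this SP")
        if resp.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
        # SP-initiated: the response must answer a request we actually sent.
        # IdP-initiated: no InResponseTo exists, so this binding cannot be checked.
        in_response_to = resp.get("InResponseTo")
        if in_response_to is not None and in_response_to not in self.pending_requests:
            raise ValueError("response does not match an outstanding AuthnRequest")
        self.pending_requests.discard(in_response_to)
        assertion = resp.find(f"{{{SAML}}}Assertion")
        if assertion.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        cond = assertion.find(f"{{{SAML}}}Conditions")
        t = now()
        if not (parse_time(cond.get("NotBefore")) <= t < parse_time(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside its validity window")
        if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != SP_ENTITY_ID:
            raise ValueError("assertion not intended for this SP")
        self.seen_assertions.add(assertion.get("ID"))
        return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def idp_initiated_login(idp, sp, username, password):
    """User signs in at the IdP and clicks the app; the IdP pushes an unsolicited Response."""
    if not idp.authenticate(username, password):
        raise PermissionError("IdP rejected credentials")
    xml_bytes, sig = idp.build_response(username)
    return sp.consume_response(xml_bytes, sig)


def sp_initiated_login(idp, sp, username, password):
    """User starts at the SP; the SP sends an AuthnRequest; the IdP answers it with InResponseTo."""
    req_id, _authn_request = sp.create_authn_request()
    if not idp.authenticate(username, password):
        raise PermissionError("IdP rejected credentials")
    xml_bytes, sig = idp.build_response(username, in_response_to=req_id)
    return sp.consume_response(xml_bytes, sig)
```

Running `sp_initiated_login(IdentityProvider({"alice@example.test": "pw"}), ServiceProvider(), "alice@example.test", "pw")` returns the NameID; feeding the same Response a second time, or a Response whose InResponseTo names a request the SP never issued, is rejected. The replay set and the pending-request set are kept in memory here; a real SP stores them with a bounded lifetime matching the assertion validity window.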

To set up the Service Provider-Initiated SAML Flow, follow the steps below:

1) Log in to the service provider org.

2) Go to “My Domain” under Setup and click Edit next to “Authentication Configuration” as shown below.

[Screenshot: Authentication Configuration section under My Domain]

3) Now, select the checkbox next to the Authentication Service as shown below.

[Screenshot: Authentication Service checkbox]

4) The name displayed above is the name you provided while configuring Single Sign-On in the service provider org, as shown below.

[Screenshot: Single Sign-On setting name in the service provider org]

5) Now, go to the login URL of the service provider org. You will see a link to log in to the service provider org using the identity provider org credentials, as shown below.

[Screenshot: service provider login page with the identity provider login link]

Gain a deep understanding of Salesforce integration, from creating and configuring Connected Apps to mastering advanced topics like OAuth flows, SAML-based Single Sign-On, and Streaming APIs. Our PDF course combines practical examples, real-time scenarios, and integration patterns to equip professionals with the skills needed to streamline processes and enhance productivity. Tailored for those with 2–8 years of experience, it’s your guide to unlocking seamless connectivity between Salesforce and other systems.

Link to course: Mastering Salesforce Integration
