We are implementing SSO for SalesForce using OpenAM. We followed the steps @ http://blogs.oracle.com/rangal/entry/saml2_salesforce_com

There are two scenarios 1. Idp (OpenAM) initiated SSO. 2. Service provider (salesForce) initiated SSO.

Scenario 1 works fine. Scenario 2 does not.

I read in SSO best practices for SalesForce that scenario 2 cannot be implemented for SalesForce SSO. Is this correct? regards Sameer

SP initiated SSO is possible with SFDC and relies on a cookie (ssostartpage) pre-existing in the browser beforehand. Meaning the user should perform IdP init SSO the first time to set the cookie, then SP init SSO is possible from that point forward.

See this post at SFDC security forum for more details.

SP-initiated SAML SSO in Salesforce now uses the 'My Domain' feature to remove the need for the persistent cookie. Set up 'My Domain', then, when users go to http://your_cust_name.my.salesforce.com, Salesforce will use the hostname to figure out the correct identity provider (IdP) to which it will redirect the user.

This article gives a good overview of the concept, and this one explains it specifically in the context of SSO from Microsoft Active Directory Federation Services. Even if you're using different software at the IdP, there is much useful information there!