SSO setup where the same Salesforce org is used as both identity provider and service provider.
We had a requirement where platform users needed access to a community, and they wanted seamless access: once logged into the org as a platform user, they should not have to log into the community again.
Step 1: Enable Domain in your Organization
Go to Setup –> Administrative Setup –> Domain Management and click My Domain. On this screen enter a new domain name and click Check Availability. If the name is available, select the Terms and Conditions check box, then click Register Domain. Deploy it to all users.
Step 2: Enable Identity Provider in your Organization (Identity provider)
In the Identity Provider Salesforce org, from Setup, enter Identity Provider in the Quick Find box, then select Identity Provider and click Enable. Once you enable the Identity Provider, you will see a screen like the one below.
Here you will find your domain name listed as the Issuer, along with buttons to Download Certificate and Download Metadata. Click Download Certificate and save the certificate; we will upload it later in the Service Provider org. You can also download the metadata file here; we will come back to it later.
Step 3: Enable Single Sign On in the Organization (Service Provider)
- From Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings, and click Edit.
- Select SAML Enabled. You must enable SAML to view the SAML single sign-on settings.
- In SAML Single Sign-On Settings, click the appropriate button to create a new configuration, as follows.
- New – Specify all settings manually.
- New from Metadata File – Import SAML 2.0 settings from an XML file from your identity provider (we downloaded it in Step 2).
- New from Metadata URL – Import SAML 2.0 settings from a public URL.
- Click New and enter the details as below, selecting the certificate we downloaded in Step 2; or click New from Metadata File, choose the downloaded metadata file, select the certificate, and save it.
We are going to use the community URL for setting up the Service provider.
Step 4: Defining the Service Provider in the Organization (Identity Provider)
To define the service provider, you create a SAML enabled Web App as a connected app:
- From Setup, enter Apps in the Quick Find box, then select Apps, then in the Connected Apps section, click New.
- Specify the following information:
- Connected App Name: Community SSO App
- Contact Email: Enter your support email address.
- Enable SAML: Select this option to enter service provider details.
- Entity Id: Use the Entity ID from the SAML SSO Settings.
- ACS URL: Use the Community Login URL from the SAML SSO Settings.
- Subject Type: Select Username.
- Save it. After saving, your Connected App should look like:
- Select the profiles allowed to access this Connected App. You must select the current user’s profile for this example to work.
- Click Save.
- Copy down the value of the IdP-Initiated Login URL field for the organization. We will use this URL for the login process.
- Go to Contacts tab, click New.
- Enter values for all the required fields, select a valid Account and a valid email address, and save.
- Click the Manage External User button, then Enable Customer User. Enter all required information on the User Setup page. Select a valid User License and Profile for Community access.
- In the Single Sign On Information section, populate the Federation ID field with the username used to sign into the Salesforce identity provider organization.
- Click Save.
- Now copy the IdP-Initiated Login URL from your Identity Provider org's connected app, open another browser, and paste the copied URL into a new tab. Enter the username and password of the Salesforce user configured as the Federation ID on the community user. If everything is configured correctly, this login will open the Community as a logged-in user.
That’s all about SSO configuration.
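To make the relationship between the values configured above concrete, the following added example (not Salesforce code, and not from the original post) models the checks a SAML service provider applies to an incoming assertion before it signs the user in: the assertion Issuer must match the identity provider's My Domain, the Audience must match the Entity ID, the Recipient must match the ACS URL (the community login URL), the validity window must cover the current time, and, because Subject Type is Username, the NameID is looked up against the Federation ID set on the community user. The domain names, Entity ID, ACS URL, org id, user records and the SAML response itself are all constructed placeholders; signature verification against the uploaded IdP certificate is assumed to have already happened and is not shown.

```python
"""Model of service-provider-side SAML assertion checks (added example).

The settings, users and the SAML response below are constructed placeholders
that mirror the values entered in Steps 2-4 of the post. Signature
verification is assumed to run before these checks and is not modelled.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Service-provider settings from Step 3 / Step 4 (placeholder values).
SP_SETTINGS = {
    "issuer": "https://example-idp.my.salesforce.com",            # IdP My Domain (Issuer)
    "entity_id": "https://example.my.salesforce.com/customers",  # Entity ID
    "acs_url": "https://example.my.salesforce.com/customers/login?so=ORGID_PLACEHOLDER",  # ACS URL
}

# Community users keyed by Federation ID (constructed sample data).
COMMUNITY_USERS = {
    "alice@example.com": {"username": "alice@example.com.community", "active": True},
    "bob@example.com": {"username": "bob@example.com.community", "active": False},
}

# Constructed SAML response carrying only the elements these checks need.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://example-idp.my.salesforce.com</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://example-idp.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
          Recipient="https://example.my.salesforce.com/customers/login?so=ORGID_PLACEHOLDER"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.my.salesforce.com/customers</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, settings, users, now):
    """Return (user_record, None) on success or (None, reason) on failure."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no assertion"

    # Issuer must be the identity provider's My Domain (the Issuer shown in Step 2).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != settings["issuer"]:
        return None, f"unexpected issuer {issuer!r}"

    # Audience must equal the Entity ID configured on the connected app.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != settings["entity_id"]:
        return None, f"audience {audience!r} does not match Entity ID"

    # Recipient must equal the ACS URL (the community login URL).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["acs_url"]:
        return None, "recipient does not match ACS URL"

    # The assertion is only usable inside its validity window (tighter of the two limits).
    conditions = assertion.find("saml:Conditions", NS)
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = min(parse_time(conditions.get("NotOnOrAfter")), parse_time(scd.get("NotOnOrAfter")))
    if not (not_before <= now < not_on_or_after):
        return None, "assertion outside its validity window"

    # Subject Type = Username: the NameID is matched to the community user's Federation ID.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    user = users.get(name_id)
    if user is None or not user["active"]:
        return None, f"no active community user with Federation ID {name_id!r}"
    return user, None


def run_sample(now_iso, settings=SP_SETTINGS):
    """Convenience wrapper: validate SAMPLE_RESPONSE at the given UTC time."""
    return validate_assertion(SAMPLE_RESPONSE, settings, COMMUNITY_USERS, parse_time(now_iso))


if __name__ == "__main__":
    print(run_sample("2024-01-01T12:00:00Z"))  # accepted: alice's community user
    print(run_sample("2024-01-01T12:10:00Z"))  # rejected: expired assertion
```

Each rejection reason corresponds to one of the settings entered in the post, so when a login fails on a real configuration the first things to compare are exactly these: the Issuer against the IdP's My Domain, the Entity ID against the Audience, the ACS URL against the Recipient, and the Federation ID on the community user against the NameID the identity provider sends.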
User Setup and Testing Your Implementation
To verify that your Salesforce organizations can use single sign-on to connect, follow the steps below.