I am creating the SAML and then using SendSAMLResponseByHTTPPost to SSO (with Just In Time Provisioning) to SalesForce. It is working great however I save some information in our database to know if the user has already been created (so next time I am just needing to send the federation id for SSO). I am setting this before I send them off so if I get an error on the SalesForce side I have the problem, the flag is set so next time it will not try to create the user (which has not been created at SalesForce due to error) and they can never use the SSO until I clear the flag. This should happen very rarely if ever (this is more of a testing issue right now). How do I best handle this situation?
Hi Shannon
Just to confirm, are you using Salesforce’s just-in-time provisioning?
If so, couldn’t you always supply the same fields in the SAML assertion regardless of whether the user had been created or not in Saleforce and leave it to Salesforce to create the user if required?