WebApp Authenticated User SSO through Hydra into Salesforce

Looking into potential solutions for OIDC Providers to enable a seamless SSO experience to users in our web app into Salesforce. Salesforce supports SAML or OIDC.

Current design:


  1. Authenticated User session within our web app hits a ‘Salesforce Community’ button, sends request to Server/IDP
  2. Server/IDP begins OIDC Auth flow with Salesforce
  3. Salesforce completes flow, returns token
  4. Server/IDP returns token to auth’d user
  5. User redirected to Salesforce with token, completing the SSO, lands on a Salesforce page, seamlessly authenticated, no consent or authorization pop-up.

Is this a flow Hydra is able to achieve? The seamless portion is what gives me pause.

I guess that depends on your definition of seamless?

I guess what I am really trying to achieve is to achieve some form of IDP initiated SSO for OIDC.

If that is not achievable, was considering a mechanism for uniquely identifying the already authenticated user, store a session ID or something, session_id=12345 maps to user [email protected]
i.e. GET salesforce.com/sso?session_id=12345, land on /login?session_id=12345, check if session_id is valid, and proceed to Salesforce as jon.doe

I’m sorry but I still don’t understand what you’re expecting the user experience to be or what behavior you’re expecting from Hydra for that matter.

Was hoping to achieve some form of IdP initiated SSO, similar to how SAML does it. But after further review OIDC does not support this intentionally, due to the CSRF issue associated with it.
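
The CSRF issue mentioned in the last post, as an added example that is not part of the original thread or of Hydra's code: an OIDC client binds a `state` value to the browser that started the login, so a callback the client never asked for (the IdP-initiated case) has nothing to match and is refused. The class and method names and the session labels are hypothetical, and the inputs are constructed.

```python
import hmac
import secrets


class RelyingParty:
    """Minimal model of an OIDC client's login start and callback check."""

    def __init__(self):
        # browser session id -> state issued when that browser started a login
        self.pending = {}

    def begin_login(self, browser_session):
        # The client starts the flow and binds a fresh, unguessable state
        # to this browser; the value travels in the authorization request.
        state = secrets.token_urlsafe(32)
        self.pending[browser_session] = state
        return state

    def handle_callback(self, browser_session, code, state):
        # pop() makes every issued state single-use, pass or fail.
        expected = self.pending.pop(browser_session, None)
        if expected is None:
            return "rejected: no login was started from this browser"
        if not state or not hmac.compare_digest(expected.encode(), state.encode()):
            return "rejected: state mismatch"
        return f"accepted: exchange code {code}"


def demo():
    rp = RelyingParty()
    results = {}
    # 1. Client-initiated flow: the callback carries the state this browser got.
    state = rp.begin_login("browser-A")
    results["client_initiated"] = rp.handle_callback("browser-A", "code-1", state)
    # 2. Provider-initiated: a code arrives at a browser that never began a login.
    results["idp_initiated"] = rp.handle_callback("browser-B", "code-2", None)
    # 3. A state issued to one browser is presented by another.
    rp.begin_login("browser-C")
    other_state = rp.begin_login("browser-D")
    results["cross_browser"] = rp.handle_callback("browser-C", "code-3", other_state)
    # 4. Replaying the first callback fails because its state was consumed.
    results["replay"] = rp.handle_callback("browser-A", "code-1", state)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
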