
SSO Connectivity between salesforce communities

Welcome to catchontosalesforce!

As an example, take SSO connectivity between a customer community in one Salesforce org and a customer community in a second, separate Salesforce org:

  1. Salesforce Instance A hosts Customer Community A (Identity Provider).
  2. Salesforce Instance B hosts Customer Community B (Service Provider).
In this scenario, we will establish SSO connectivity between Customer Community A and Customer Community B.

Steps to achieve SSO connectivity between the Identity Provider (IdP) and the Service Provider (SP):

  1. Set up the IdP.
  2. Set up and enable Single Sign-On Settings (SP).
  3. Create a Connected App in the IdP.
  4. Profile permission.
  5. Testing steps.
Setup IdP :

In the Quick Find box,
Administer -----> Security Controls -----> Identity Provider.

Click the Enable Identity Provider button, choose the certificate that Salesforce.com uses when communicating with service providers, and click Save to finish setting up the IdP.

Setup and Enable Single Sign-On Settings (SP) : 

You can setup and Enable Single Sign-On in Service Provider (SP).
Administer -----> Security Controls -----> Single Sign-On Settings.


you can click SAML Enabled and Save it.

Then, you will create SAML Single Sign-On Settings.

Click New.

Before, you can collect some information from IdP.
  • Issuer - IdP Instance URL.
  • Identity Provider Login URL - you will receive Once Created Connected App in Idp. Under Connected App For Communities section, just copy IdP-Initiated Login URL and assigned here.
  • Identity Provider Single Logout URL - Idp customer community Login URL. there is no logout page in SP. so, Login and Logout must be associated with Idp.
  • SAML Identity Type - must be same as Idp Subject Type in Connected App.
  • SAML Identity Location - must be subject.
  • Request Signing Certificate - you will assign certificate which is associated SP Community Certificate.
  • Request Signature Method - must be same connected App Signing Algorithm for SAML Messages.
Once Done, you can save Single Sign-On Settings.
Once Save, Salesforce provide you a SAML endpoint under Single Sign-On Settings.
there are two section 
  • Your Organization SAML Endpoint.
  • For Community SAML Endpoint.
We can store For Community SAML Endpoint. you will used to configure it in next step.

Create Connected App in IdP :

Before creating the Connected App, collect the following information from the SP:
  • Entity Id - the SP Salesforce instance URL.
  • ACS URL - copy this from the "For Community" SAML Endpoint Login URL in the SP.
  • Subject Type - usually Federation ID or Username. The IdP and SP user must have the same Federation ID and Username.
  • Name ID Format - the format of the Subject Type, e.g. Email, Persistent, etc.
  • Issuer - the IdP instance URL.
  • IdP Certificate - assign the certificate associated with the IdP community.
Once done, save the Connected App.

Profile Permission:

In the IdP, assign the community user profile permission to the Connected App you created in the previous step.

Community User Profile ------> Assigned Connected Apps.

Click Edit, select your Connected App, and Save.

Well done, you have finished the configuration!

Testing Steps:
  • Log in to the IdP community.
  • Once logged in successfully, open the ACS URL.
  • You should be logged in to your SP community seamlessly, without entering a username and password.
If SSO fails to log in to the SP community, check the following:

At the data level,

Make sure the username and Federation ID of the user are the same in both communities.

At the setup level,

Make sure all of the configuration above is entered correctly.
The SAML Assertion Validator, available under SAML Single Sign-On Settings in the SP, shows which check in the last received assertion failed.
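The same field-by-field comparison can be scripted. The block below is an added example and is not part of the original post or of Salesforce's own validator: it holds hypothetical SP settings and hypothetical IdP Connected App values (all URLs, IDs and the sample response are constructed), reports which paired fields disagree, and then runs the checks that those settings imply over a SAML response: Issuer, NameID in the Subject, Recipient equal to the ACS URL, Audience equal to the Entity ID, and the NotBefore/NotOnOrAfter window. Signature verification is deliberately left out; Salesforce performs it with the IdP certificate configured in the SSO settings.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical values as entered in SAML Single Sign-On Settings on the SP
# (Instance B). Constructed for this example; not real orgs or URLs.
SP_SETTINGS = {
    "issuer": "https://instance-a.example.my.salesforce.com",     # IdP instance URL
    "entity_id": "https://instance-b.example.my.salesforce.com",  # SP instance URL
    "acs_url": "https://instance-b.example.my.site.com/communityb/login?so=00Dxx0000000001",
    "identity_type": "federation_id",   # SAML Identity Type
    "identity_location": "subject",     # SAML Identity Location
}

# Hypothetical values entered in the Connected App on the IdP (Instance A).
IDP_CONNECTED_APP = {
    "issuer": "https://instance-a.example.my.salesforce.com",
    "entity_id": "https://instance-b.example.my.salesforce.com",
    "acs_url": "https://instance-b.example.my.site.com/communityb/login?so=00Dxx0000000001",
    "subject_type": "federation_id",
}

# Constructed, unsigned sample response for the checks below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://instance-a.example.my.salesforce.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://instance-a.example.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">fedid-12345</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z"
            Recipient="https://instance-b.example.my.site.com/communityb/login?so=00Dxx0000000001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://instance-b.example.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def config_mismatches(sp, idp):
    """Return (field, sp_value, idp_value) for every pair that must match but does not."""
    pairs = [
        ("issuer", sp["issuer"], idp["issuer"]),
        ("entity_id", sp["entity_id"], idp["entity_id"]),
        ("acs_url", sp["acs_url"], idp["acs_url"]),
        ("identity_type/subject_type", sp["identity_type"], idp["subject_type"]),
    ]
    return [p for p in pairs if p[1] != p[2]]


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-15T10:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_problems(response_xml, sp, now):
    """Run the checks the SP settings imply over one SAML response.
    Returns a list of problems; an empty list means every check passed.
    The XML signature is NOT verified here (Salesforce does that with the IdP certificate)."""
    problems = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != sp["issuer"]:
        problems.append(f"Issuer {issuer!r} != configured Issuer {sp['issuer']!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)   # Identity Location = Subject
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != sp["acs_url"]:
            problems.append(f"Recipient {scd.get('Recipient')!r} != ACS URL")
        if "NotOnOrAfter" in scd.attrib and now >= saml_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and now < saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if "NotOnOrAfter" in cond.attrib and now >= saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (Conditions/NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp["entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include Entity ID")
    return problems


if __name__ == "__main__":
    print("config mismatches:", config_mismatches(SP_SETTINGS, IDP_CONNECTED_APP))
    print("assertion problems:", assertion_problems(SAMPLE_RESPONSE, SP_SETTINGS, saml_time("2024-01-15T10:01:00Z")))
```

Each entry returned by `config_mismatches` is one line of the SP settings that does not agree with the IdP Connected App, which is exactly the "setup level" check above; `assertion_problems` reports the same categories of failure the SAML Assertion Validator shows, so a mismatch on Recipient points at the ACS URL and a mismatch on Audience points at the Entity Id. Clock skew between the two orgs shows up as a NotBefore or NotOnOrAfter problem.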
Thanks,
Priyananth R


For Reference : https://help.salesforce.com/s/articleView?id=sf.sso_sfdc_both_sp_idp.htm&type=5