Anyone here use Force.com User Authentication approach for a composite integration with a on-premise legacy system via an iFrame in a Visualforce page?

I can't implement SSO in this scenario for SFDC and/or the client application. I need to use SFDC essentially as the Identity Provider, passing the SessionID and API URL to the client for authentication / validation on the client side.

I'll be using SSL (HTTPS) per the documentation to ensure the SessionID and URL are encrypted during transport from SFDC to On-Premise DB.

Are there any gotchas I need to be aware of? Architecturally is FUA a sound approach to integrating SFDC and an On-Premise Application? Are there any other options?

Broad question I know.....

Attribution to: CoryCowgill

Possible Suggestion/Solution #1

Just to note that if the iframe gets into an HTTPS page, and the surrounding frame is HTTP - IE will likely throw out some security related errors to the user.

Attribution to: joshbirk

Possible Suggestion/Solution #2

A couple of other options to consider

1) Each salesforce org contains a SAML Identity Provider; if your target application speaks SAML you can simply configure the IDP and send SAML Assertions

2) Each salesforce org can perform Single Sign-On with OAuth. Implement OAuth in your application, and we'll pass an "id" parameter as part of the OAuth response. You can use the OAuth access token to pull Identity information from the URL passed in this ID as well as call the APIs

Attribution to: Chuck Mortimore
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/453