We have a heroku-hosted web app that used Salesforce as Identity Provider (IdP) to do Single Sign-On (SSO) between SFDC & other services. We know that in doing so our web app user are already logged into their SFDC account. Then what is the best way for our web app to obtain SFDC REST API access under user’s SFDC account without asking for a password or redirecting?
We have basic understanding on OAuth, SAML and SSO. Also we have studied the following pages:
You can pass a session ID as an attribute in the SAML Assertion. In the Connected App configuration for your SP, set
$Api.Session_ID as a Custom Attribute value. The recipient will be able to use the session ID with the REST API.