In our current setup, Salesforce itself is the IDP and Drupal is the Service Provider, and that works well. However, with our new site (under my.site.com), we've encountered a unique situation. This site seems to have a login process that is detached from our regular Salesforce login. As a result, the SSO into Drupal only works with the Salesforce.com login, not with the site.com login.
To give more context, our standard login URL is example--client.sandbox.lightning.force.com. However, for this new site (example--client.sandbox.my.site.com), the login mechanism appears different. If a user is logged into the Salesforce site.com site, they cannot seamlessly access the new site, suggesting a distinct authentication mechanism at play. I'm looking to understand if there's a way to configure the my.site.com site to act as an IDP, similar to our main Salesforce setup. This would ideally allow for a seamless login experience between Drupal and the new site, maintaining our integration with Drupal.
I checked https://help.salesforce.com/s/articleView?id=sf.sso_sites_portals_about.htm&type=5 and https://help.salesforce.com/s/articleView?id=sf.sso_sites.htm&type=5, but it seems they're about the scenario where site.com is the service provider.
I was able to make it work. The key part is to use SAML instead of OpenID. Then https://help.salesforce.com/s/articleView?id=sf.sso_sfdc_idp_saml_parent.htm&type=5 works; when you get the metadata XML, you have the option to fetch it for the site.com Site too. The other nuances are the same as for regular SSO; only the metadata XML, and the URLs inside it, differ.
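As an added illustration of the answer's last point (not code from the question, the answer or Salesforce), the script below parses two SAML 2.0 IdP metadata documents and lists what differs between the org-level IdP and the site IdP, which is exactly what the Drupal side has to re-register (entityID, SSO endpoint, signing certificate). The metadata is constructed: hostnames are the ones from the question, the endpoint path and certificate are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (shape follows the SAML 2.0 metadata schema;
# hostnames come from the question, endpoint path and cert are placeholders).
ORG_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://example--client.sandbox.lightning.force.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example--client.sandbox.lightning.force.com/idp/endpoint/HttpPost"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The site's metadata is assumed to have the same layout with site URLs instead.
SITE_METADATA = ORG_METADATA.replace(
    "example--client.sandbox.lightning.force.com", "example--client.sandbox.my.site.com")

def parse_idp_metadata(xml_text):
    """Return the values a Service Provider must register for this IdP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}

def metadata_diff(org_xml, site_xml):
    """Fields where the site IdP differs from the org IdP. Each one must be
    updated on the SP side, or assertions from the site fail validation."""
    a, b = parse_idp_metadata(org_xml), parse_idp_metadata(site_xml)
    diff = {}
    if a["entity_id"] != b["entity_id"]:
        diff["entity_id"] = (a["entity_id"], b["entity_id"])
    for binding in sorted(set(a["sso"]) | set(b["sso"])):
        if a["sso"].get(binding) != b["sso"].get(binding):
            diff["sso:" + binding] = (a["sso"].get(binding), b["sso"].get(binding))
    if a["certs"] != b["certs"]:
        diff["signing_certs"] = (a["certs"], b["certs"])
    return diff
```

Running `metadata_diff` on the real org and site metadata downloaded from Setup shows at a glance whether Drupal was given the site's entityID and endpoint rather than the org's.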