A few things to think about:
- Will this page be hosted on your website?
- Will it be used for multiple Salesforce organizations?
One thing you can do is use login () to call the session id. You will be able to find out if the login failed and the user is properly notified.
From there, you will have to redirect the user through the "frontdoor.jsp" page, which has the following format:
- HTTPS: // [host] .salesforce.com / SECUR / frontdoor.jsp ASC = [session_id] & retURL = [start_page]
Where:
- [host] - depends on the organization. Some that I saw are na1, na2, .... If you build it for only 1 organization, you can hard code this value. If you are creating several organizations, you can analyze it from the serverUrl property returned by LoginResult .
- [session_id] - get this from the returned LoginResult
- [start_page] - this is optional, but can be used to "deep link" the user to the page after logging in.
Edit: 2014-08-25
Salesforce now officially supports the frontdoor.jsp login method described in this answer ( link ). In addition, session_ID tokens can be obtained from any of the following sources:
- access_token from OAuth authentication. Please note that one of the areas specified when creating the connected application must be web or full.
- LoginResult returns from SOAP API login call
- Apex UserInfo.getSessionId ()