The present approach utilizes IDP-initiated SSO. In some examples of IDP initiated SSO, the IDP is configured with links to service providers (SPs), where these links refer to the local IDP's SSO service and pass parameters to the service that identify the remote SP. Instead of visiting the SP directly, a user accesses the IDP site and clicks a link identifying an SP in order to access the remote SP. In one example, this triggers the creation of a SAML assertion or artifact that is sent to the SP using HTTP POST binding. At some point, a user is required to supply their credentials to the IDP, e.g. logon, in order to obtain a valid local security context in the IDP. The user may then request access to a SP, e.g. an SaaS application on a service provider platform, which causes the IDP's SSO service to be called. The SSO service builds a SAML assertion representing the user's logon security context, which is digitally signed and place in an SAML response message. In the case of an HTML context, the SAML response message is placed in an HTML form as a hidden form control, e.g. SAMLResponse. If the convention for identifying a specific application resource at the SP is supported at the IDP and the SP, then the resource URL at the SP can be encoded into the HTML form using a hidden form control, e.g. RelayState. The SSO service sends the HTML form to the SP in the HTTP response, which may include script code to automatically submit the form at the SP.