IdP-initiated SSO - modify SAML response based on context
You won't be able to modify SAML response, it's signed with SFDC's private key and cannot be tampered with.
You should be able to use the out of the box identity provider if you don't mind getting a little dirty. When you set up a SAML service provider (as a Connected App) that represents your ACME app, add a custom attribute that maps to a field on the User object or a custom setting or a custom metadata record. The User object is available as $User
on the field menu when you click on Insert Field button on the custom attribute screen. Custom settings or custom metadata records are not available on the menu but they can still be referenced in a formula via a global variable
Your button on the contact record should invoke IdP-initiated login URL. The value of the User object field or a custom setting has to be set during the click. Sequence of events:
- User navigates to a Contact record
- User clicks on custom button
- write the value(s) from the Contact record to the field on the User object or a custom setting or a custom metadata record
- invoke IdP-initiated login URL
- User is sent to ACME with the SAML attribute that will contain your dynamically generated values
If this is not acceptable, then your only other choice is to have another application act as a kind of a SAML proxy. This application could even be another (or perhaps even the same) SFDC org. The application would receive the SAML response, validate it, extract attributes (e.g. ID of the contact record) and finally make an API call to your source org to get the values from the Contact record. Once your app has all of the data, it would turn around and create a SAML response that it can send to ACME.