Here are a few things to consider:
Is it possible that this page will be hosted on your site?
Is this going to be used by a number of different Salesforce organisations?
To obtain a session id, one option is to use the login() API call. If the login fails, you'll be able to detect it and notify the user appropriately.
After that, the user must be redirected to the "frontdoor.jsp" page, which has the following format:
- https://[host].salesforce.com/secur/frontdoor.jsp?sid=[session_id]&retURL=[start_page]
Where:
- [host] - varies by organization. Some that I've seen are na1, na2, .... If you are only building this for 1 organization, you could hard-code this value. If you are building this for multiple organizations, you could parse it from the serverUrl property of the returned LoginResult.
- [session_id] - get this from the returned LoginResult
- [start_page] - this is optional but can be used to "deep link" a user to a page after they've logged in.
Edit: 2014-08-25
Salesforce now officially supports the frontdoor.jsp method of login described in this answer (link). In addition, session_ID tokens can be obtained from any of the following sources:
- The access_token from an OAuth authentication. Note that one of the scopes specified when you create a Connected App must be web or full.
- The LoginResult returned from a SOAP API login() call
- The Apex UserInfo.getSessionId()
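An added example, not part of the original answer: one way to assemble the frontdoor.jsp redirect from the serverUrl and session id of a LoginResult, with the values URL-encoded and the redirect restricted to an https Salesforce host and a site-relative retURL. The function name `build_frontdoor_url` and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Host suffix taken from the URL format in the answer above.
ALLOWED_SUFFIX = ".salesforce.com"


def build_frontdoor_url(server_url, session_id, ret_url=None):
    """Build the frontdoor.jsp URL from LoginResult serverUrl and session id.

    Hypothetical helper: the caller is assumed to have already performed
    login() and to pass in the two LoginResult fields as strings.
    """
    parts = urlsplit(server_url)
    host = parts.hostname or ""
    # The session id travels in the query string, so only ever send it
    # over TLS and only to a host under salesforce.com.
    if parts.scheme != "https":
        raise ValueError("serverUrl must use https")
    if not host.endswith(ALLOWED_SUFFIX):
        raise ValueError("serverUrl host is not under salesforce.com")
    if not session_id:
        raise ValueError("empty session id")

    query = {"sid": session_id}
    if ret_url is not None:
        # retURL is a deep link inside the org: accept site-relative paths
        # only, so user-supplied input cannot turn this into a redirect
        # to another site.
        if (not ret_url.startswith("/") or ret_url.startswith("//")
                or "\\" in ret_url):
            raise ValueError("retURL must be a site-relative path")
        query["retURL"] = ret_url
    # urlencode percent-encodes characters such as "!" and "/" in the values.
    return "https://%s/secur/frontdoor.jsp?%s" % (host, urlencode(query))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_server_url = "https://na1.salesforce.com/services/Soap/u/30.0"
    sample_session_id = "00Dxx!AQ4A.constructed_token"
    print(build_frontdoor_url(sample_server_url, sample_session_id, "/001/o"))
```

Because the resulting URL contains a live session id, keep it out of application logs and error messages.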