A couple of things to think about:
- Is this page going to be hosted on your website?
- Is this going to be used for multiple Salesforce organizations?
One thing you can do is use the login() API call to get a session id. You will be able to tell if the login fails, and alert the user appropriately.
From there, you will have to redirect the user through the "frontdoor.jsp" page which has the following format:
- https://[host].salesforce.com/secur/frontdoor.jsp?sid=[session_id]&retURL=[start_page]
Where:
- [host] - varies by organization. Some that I've seen are na1, na2, .... If you are only building this for 1 organization, you could hard-code this value. If you are building this for multiple organizations, you could parse it from the serverUrl property of the returned LoginResult.
- [session_id] - get this from the returned LoginResult
- [start_page] - this is optional but can be used to "deep link" a user to a page after they've logged in.
Edit: 2014-08-25
Salesforce now officially supports the frontdoor.jsp method of login described in this answer (link). In addition, session_ID tokens can be obtained from any of the following sources:
- The access_token from an OAuth authentication. Note that one of the scopes specified when you create a Connected App must be web or full.
- The LoginResult returned from a SOAP API login() call
- The Apex UserInfo.getSessionId()
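The URL construction described in this answer, as an added example that is not part of the original answer or Salesforce's own code: it parses [host] from a LoginResult serverUrl, URL-encodes the session id, and builds the frontdoor.jsp link. The function name, the sample values, and the two checks (serverUrl must be an https host under salesforce.com, retURL must be a relative path) are assumptions added here so the session id is only ever sent to the intended host.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample values standing in for the serverUrl and sessionId
# fields of a LoginResult; they are not real credentials.
SAMPLE_SERVER_URL = "https://na1.salesforce.com/services/Soap/u/31.0/00Dxx0000000001"
SAMPLE_SESSION_ID = "00Dxx0000000001!AQ0AQExampleSessionToken"


def frontdoor_url(server_url, session_id, start_page=None):
    """Build https://[host].salesforce.com/secur/frontdoor.jsp?sid=...&retURL=...

    Hypothetical helper: server_url and session_id come from the LoginResult,
    start_page is the optional deep-link target.
    """
    parts = urlsplit(server_url)
    host = (parts.hostname or "").lower()

    # Assumption: only hand the session id to an https salesforce.com host.
    # Using .hostname (not .netloc) ignores any user@ prefix in the URL.
    if parts.scheme != "https" or not host.endswith(".salesforce.com"):
        raise ValueError("serverUrl is not an https salesforce.com host")
    if not session_id:
        raise ValueError("login did not return a session id")

    params = {"sid": session_id}
    if start_page is not None:
        # Assumption: deep links stay inside the org, so require a relative
        # path and reject scheme-relative ("//host") or backslash forms.
        if (not start_page.startswith("/")
                or start_page.startswith("//")
                or "\\" in start_page):
            raise ValueError("retURL must be a relative path such as /001/o")
        params["retURL"] = start_page

    # urlencode percent-encodes the '!' in the session id and the '/' in retURL.
    return "https://%s/secur/frontdoor.jsp?%s" % (host, urlencode(params))


if __name__ == "__main__":
    print(frontdoor_url(SAMPLE_SERVER_URL, SAMPLE_SESSION_ID, "/001/o"))
```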