Integrate with SAML 2.0
SAML-based single sign-on (SSO) gives users access to their Federated Directory through an identity provider (IDP) of your choice.
If your identity provider does not have a ready-made integration with us, you can use a custom SAML connection.
Enabling it is as easy as selecting SAML 2.0 from the authentication drop-down on a directory, then filling in the following settings:
| Setting | Description |
|---|---|
| Login page URL | Required. The SAML request is sent to this URL at your identity provider. |
| Verification certificate | Required. The SAML response must be signed. Paste the identity provider's X.509 signing certificate here; it is used to verify the signature on every response, so a response signed with any other key is rejected. |
| Logout page URL | Optional. Your users are redirected to this URL after they log out. |
| Password reset URL | Optional. Your users are redirected to this URL when they press the "forgot password" button on our login page. |
During authentication we map the user's ID (the NameID in the assertion) to the userName of that user within our directory. We only allow access to users we already know; an assertion for a NameID that does not exist in the directory is rejected.
Make sure the user ID your identity provider sends is immutable and unique: if it can change or be reassigned to another person (an e-mail address, for example), a later reassignment would hand that person the original user's account.
Follow these parameters to configure your SAML connection (you can find the id of your directory under the 'config' tab):

| SAML Response | Federated Directory |
|---|---|
| Login flows | We support the Identity Provider (IDP) initiated flow and the Service Provider (SP) initiated flow. For SP-initiated single sign-on, go to |
| Assertion Consumer Service URL | Also known as the SSO post-back URL: |
| Name ID | Any immutable and unique user ID that is present on the |
Your IDP must ensure a user is both authenticated and authorized before sending an assertion. Because we log in any known user whose assertion is validly signed, authorization is enforced at your IDP: if a user is not authorized, no assertion should be sent at all. We recommend your IDP show the user an HTTP 403 page or something similar instead.
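The acceptance checks around the NameID mapping described above (only known users, only assertions addressed to this directory, only within their validity window), as an added example that is not Federated Directory's own code. It assumes the signature on the response has already been verified against the IDP's X.509 certificate with an XML-DSig library such as xmlsec, which the Python standard library does not provide; the directory id and ACS URL are taken from the request example on this page, while the IDP entity id, the user directory and the sample response are constructed for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP configuration: directory id and ACS URL as in the page's request
# example; the IdP entity id is an assumed placeholder.
DIRECTORY_ID = "59ed5f10-5ca4-11d7-a566-6bb3338641dc"
SP_ENTITY_ID = f"federated.directory/{DIRECTORY_ID}"
ACS_URL = f"https://api.federated.directory/v2/Login/Saml2/{DIRECTORY_ID}/Acs"
IDP_ENTITY_ID = "https://www.my-idp.com"
REQUEST_ID = "_2f71f210df710336cf6b"   # ID of the AuthnRequest we sent (SP-initiated flow)
CLOCK_SKEW = dt.timedelta(minutes=3)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed directory, keyed by the immutable, unique id the IdP sends as NameID.
KNOWN_ID = "a1b2c3d4-0000-4000-8000-000000000001"
DIRECTORY_USERS = {KNOWN_ID: {"userName": "jane.doe"}}


class SamlRejected(Exception):
    """Raised with a reason whenever the response must not log anyone in."""


def _text(elem, path):
    node = elem.find(path, NS)
    if node is None or not (node.text or "").strip():
        raise SamlRejected(f"missing {path}")
    return node.text.strip()


def _ts(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def map_response_to_user(response_xml, expected_request_id=None, now=None):
    """Return the directory userName for a signature-verified Response, else raise SamlRejected."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlRejected("not a samlp:Response")
    # Must be addressed to our ACS URL and, when SP-initiated, answer the request we sent.
    if root.get("Destination") != ACS_URL:
        raise SamlRejected("Destination does not match ACS URL")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        raise SamlRejected("InResponseTo does not match our request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlRejected("status is not Success")
    if _text(root, "saml:Issuer") != IDP_ENTITY_ID:
        raise SamlRejected("unexpected Issuer")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    a = assertions[0]
    # Validity window and audience: the assertion must be meant for this SP, right now.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("missing Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise SamlRejected("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlRejected("assertion expired")
    audiences = [n.text.strip() for n in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if n.text]
    if SP_ENTITY_ID not in audiences:
        raise SamlRejected("assertion not issued for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlRejected("SubjectConfirmationData Recipient mismatch")
    # NameID is the immutable id mapped onto userName; anyone not in the directory is refused.
    user = DIRECTORY_USERS.get(_text(a, "saml:Subject/saml:NameID"))
    if user is None:
        raise SamlRejected("NameID is not a known user")
    return user["userName"]


# Constructed sample Response (the ds:Signature element is omitted, see the lead-in).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2017-10-14T07:25:10Z" InResponseTo="{REQUEST_ID}"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-10-14T07:25:10Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{KNOWN_ID}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{REQUEST_ID}"
            NotOnOrAfter="2017-10-14T07:30:10Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-10-14T07:24:40Z" NotOnOrAfter="2017-10-14T07:30:10Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = dt.datetime(2017, 10, 14, 7, 25, 30, tzinfo=dt.timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + dt.timedelta(hours=1)


def accept_sample():
    return map_response_to_user(SAMPLE_RESPONSE, REQUEST_ID, now=SAMPLE_NOW)


def reason_for_rejection(response_xml, now=SAMPLE_NOW):
    """The rejection reason for a response, or None if it would be accepted."""
    try:
        map_response_to_user(response_xml, REQUEST_ID, now=now)
    except SamlRejected as e:
        return str(e)
    return None
```

`accept_sample()` returns `jane.doe`; changing the NameID to an id that is not in `DIRECTORY_USERS`, moving the clock past `NotOnOrAfter`, or rewriting `Destination` each produces a rejection. In production the XML should be parsed with a hardened parser (for example defusedxml) before any of these checks run, and the signature check must precede them, since none of these fields is trustworthy until the signature has been verified.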
SAML Request example

The request below is sent to your identity provider's Login page URL (the Destination); the IDP posts its signed response back to the AssertionConsumerServiceURL.

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_2f71f210df710336cf6b"
    Version="2.0"
    IssueInstant="2017-10-14T07:25:00.039Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://api.federated.directory/v2/Login/Saml2/59ed5f10-5ca4-11d7-a566-6bb3338641dc/Acs"
    Destination="https://www.my-idp.com/http-redirect">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    federated.directory/59ed5f10-5ca4-11d7-a566-6bb3338641dc
  </saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      AllowCreate="true" />
</samlp:AuthnRequest>
```
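How the SP side of the SP-initiated flow produces a request like the one above and delivers it over the HTTP-Redirect binding (raw DEFLATE, base64, then the `SAMLRequest` query parameter), as an added example that is not Federated Directory's own code. The directory id, ACS URL and issuer match the page's example; the IDP login URL is the placeholder used there; the request is left unsigned, as the page only requires the response to be signed. The decoder shows what the IDP sees when it unpacks the parameter.

```python
import base64
import datetime as dt
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
# Identifiers from the page's request example; the IdP URL is the page's placeholder.
DIRECTORY_ID = "59ed5f10-5ca4-11d7-a566-6bb3338641dc"
SP_ENTITY_ID = f"federated.directory/{DIRECTORY_ID}"
ACS_URL = f"https://api.federated.directory/v2/Login/Saml2/{DIRECTORY_ID}/Acs"
IDP_LOGIN_URL = "https://www.my-idp.com/http-redirect"   # the configured "Login page URL"


def build_authn_request(request_id=None, issue_instant=None):
    """Return the AuthnRequest XML; the ID must be unpredictable so it can bind the response."""
    request_id = request_id or "_" + secrets.token_hex(10)
    if issue_instant is None:
        now = dt.datetime.now(dt.timezone.utc)
        issue_instant = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": ACS_URL,
        "Destination": IDP_LOGIN_URL,
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{NS_P}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def redirect_url(request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_LOGIN_URL + "?" + urlencode(params)


def decode_redirect_request(url):
    """What the IdP does with the parameter: unpack it and read the fields it must check."""
    query = parse_qs(urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    return {
        "ID": root.get("ID"),
        "Issuer": root.findtext(f"{{{NS_A}}}Issuer"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "Destination": root.get("Destination"),
        "RelayState": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    url = redirect_url(build_authn_request(), relay_state="/home")
    print(url)
    print(decode_redirect_request(url))
```

The IDP should only honour an AssertionConsumerServiceURL that is registered for this issuer, and the SP should remember the request ID it generated so that the response's InResponseTo can be checked against it.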
Automatic user management
A SAML integration delivers SSO for your users. It can be combined with any of the user management options we offer; just make sure each user's userName is populated with the same immutable ID your identity provider sends as the NameID, otherwise the mapping fails and the user cannot log in.