Overview

This guide outlines the requirements and steps for setting up SAML Single Sign-On (SSO) integration with our application. SAML 2.0 allows users to authenticate through their organization’s Identity Provider (IdP).

Note: Before starting the integration, ensure you have admin access to your Identity Provider and the necessary certificates ready.

Requirements

From Identity Provider (Client)

The following information is required from your Identity Provider:

  1. Sign In URL (SSO URL)

    • The endpoint where authentication requests will be sent
    • Example: https://your-domain.okta.com/app/your-app/sso/saml
  2. X.509 Signing Certificate

    • Public certificate in PEM or CER format
    • Used to verify SAML response signatures
    • Must use SHA-256 as the digest algorithm
  3. Entity ID (Issuer)

    • Unique identifier for your Identity Provider
    • Example: urn:your-company:idp or https://your-domain.okta.com
  4. Sign Out URL (Optional)

    • Endpoint for single logout requests
    • Example: https://your-domain.okta.com/app/your-app/slo/saml

Information We Provide

We will provide the following information for configuring your Identity Provider:

  1. Assertion Consumer Service (ACS) URL

    • Where SAML assertions should be sent
    • Example: https://example-app.com/api/auth/saml/callback
  2. Service Provider Entity ID

    • Our application’s unique identifier
    • Example: urn:example-app:sp
  3. Callback URLs

    • Valid URLs for post-authentication redirects
    • Example: https://example-app.com/protected-route
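The Callback URLs above are an allowlist: after a successful login the service provider should only redirect to a URL that matches one of them. The following Go program is an added example of how such a check can be enforced on the service-provider side; it is not code from this application, and the allowlist it uses is constructed from the single example URL in the list above. A target is accepted only when it is an absolute https URL whose host matches an allowed callback exactly and whose path is that callback's path or a sub-path of it; anything else falls back to a known-safe location.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// allowedCallbacks is the list of valid post-authentication redirect URLs.
// Constructed from the example in this guide; a real deployment would load it
// from the service provider's configuration.
var allowedCallbacks = []string{
	"https://example-app.com/protected-route",
}

// IsAllowedRedirect reports whether target may be used as the redirect after a
// successful SAML login. It requires an absolute https URL with no userinfo,
// a host that matches an allowed callback exactly (port included), and a path
// equal to, or nested under, that callback's path. Relative and
// scheme-relative URLs are rejected because they carry no host to compare.
func IsAllowedRedirect(target string, allowed []string) bool {
	t, err := url.Parse(target)
	if err != nil || t.Scheme != "https" || t.Host == "" || t.User != nil {
		return false
	}
	// Normalise the requested path so "/a/../b" is compared as "/b".
	tp := path.Clean("/" + t.Path)
	for _, a := range allowed {
		ref, err := url.Parse(a)
		if err != nil || !strings.EqualFold(t.Host, ref.Host) {
			continue
		}
		rp := path.Clean("/" + ref.Path)
		if tp == rp || strings.HasPrefix(tp, strings.TrimSuffix(rp, "/")+"/") {
			return true
		}
	}
	return false
}

// SafeRedirect returns target when it passes the allowlist and fallback
// otherwise, so callers never redirect to an unvetted location.
func SafeRedirect(target, fallback string, allowed []string) string {
	if IsAllowedRedirect(target, allowed) {
		return target
	}
	return fallback
}

func main() {
	for _, u := range []string{
		"https://example-app.com/protected-route/reports?tab=1", // allowed
		"http://example-app.com/protected-route",                // wrong scheme
		"https://example-app.com/admin",                         // path outside the callback
	} {
		fmt.Printf("%-55s -> %s\n", u, SafeRedirect(u, allowedCallbacks[0], allowedCallbacks))
	}
}
```

The fallback passed to SafeRedirect should itself be one of the Callback URLs, so an unexpected target degrades to a known page rather than to an error.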

User Attributes

Attribute Name   Description                Required   Example
email            User’s email address       Yes        [email protected]
firstName        User’s first name          Yes        John
lastName         User’s last name           Yes        Doe
groups           User’s group memberships   No         ["admin", "user"]
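The table above defines the attribute names the application expects in the assertion. As an added example (not this application's code), the Go program below maps the AttributeStatement of a SAML 2.0 assertion onto those four attributes, rejects assertions that lack a required one, and treats groups as an optional multi-valued attribute. It assumes the attributes are carried as standard <saml:Attribute> elements whose Name matches the table exactly; the assertion it parses is a constructed, unsigned fragment, and the email value in it is a made-up sample. The function deliberately does nothing about signatures: it must only be called after the response signature has been verified with the IdP's X.509 certificate.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// attribute models one <saml:Attribute> with its (possibly multiple) values.
type attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// assertion models only the part of a SAML 2.0 assertion this example needs.
// encoding/xml matches on local names, so the saml: prefix is irrelevant here.
type assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Attributes []attribute `xml:"AttributeStatement>Attribute"`
}

// UserAttributes mirrors the attribute table in this guide.
type UserAttributes struct {
	Email     string
	FirstName string
	LastName  string
	Groups    []string // optional; nil when the IdP sends no groups attribute
}

// requiredAttrs are the rows marked Required = Yes in the table.
var requiredAttrs = []string{"email", "firstName", "lastName"}

// ParseUserAttributes maps the AttributeStatement onto UserAttributes and
// rejects assertions that are missing a required attribute. It trusts the
// XML it is given, so the caller must already have verified the response
// signature against the IdP's signing certificate.
func ParseUserAttributes(assertionXML []byte) (UserAttributes, error) {
	var a assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return UserAttributes{}, fmt.Errorf("parse assertion: %w", err)
	}
	byName := map[string][]string{}
	for _, attr := range a.Attributes {
		for _, v := range attr.Values {
			if v = strings.TrimSpace(v); v != "" {
				byName[attr.Name] = append(byName[attr.Name], v)
			}
		}
	}
	for _, name := range requiredAttrs {
		if len(byName[name]) == 0 {
			return UserAttributes{}, fmt.Errorf("required attribute %q is missing or empty", name)
		}
	}
	return UserAttributes{
		Email:     byName["email"][0],
		FirstName: byName["firstName"][0],
		LastName:  byName["lastName"][0],
		Groups:    byName["groups"],
	}, nil
}

// sampleAssertion is a constructed, unsigned fragment used only to exercise
// the mapping; it is not a real IdP response and the values are made up.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

func main() {
	u, err := ParseUserAttributes([]byte(sampleAssertion))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", u)
}
```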

Security Requirements

Encryption and Signing

  • SAML responses must be signed using RSA-SHA256
  • Encryption is optional but supported
  • TLS 1.2 or higher required for all communications

Certificate Requirements

  • X.509 certificates must use SHA-256 digest algorithm
  • Minimum 2048-bit key length
  • Valid for no more than 2 years
  • Must be renewed 30 days before expiration
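The signing and certificate requirements above can be checked mechanically before an IdP certificate is accepted or when monitoring one already in use. The Go program below is an added example, not this application's code: it parses a PEM certificate and reports every requirement it fails (RSA-SHA256 signature, at least a 2048-bit RSA key, validity of no more than two years) together with the date by which it must be renewed (30 days before expiry). It assumes a year of 365 days, since the guide does not define one, and builds two constructed self-signed certificates purely so the check can run offline; real signing certificates come from your Identity Provider.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Thresholds from the "Certificate Requirements" section of this guide.
// A year is treated as 365 days (an assumption; the guide does not define it).
const (
	minKeyBits  = 2048
	maxValidity = 2 * 365 * 24 * time.Hour
	renewBefore = 30 * 24 * time.Hour
)

// CheckSigningCert checks a PEM-encoded IdP signing certificate against the
// guide's requirements. It returns the list of violations (empty when the
// certificate is compliant) and the date by which it must be renewed.
func CheckSigningCert(pemBytes []byte, now time.Time) ([]string, time.Time, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, time.Time{}, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, time.Time{}, fmt.Errorf("parse certificate: %w", err)
	}
	var problems []string
	// SAML responses must be signed with RSA-SHA256, so the certificate itself
	// must carry an RSA key and use SHA-256 as its digest algorithm.
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		problems = append(problems, "signature algorithm is "+cert.SignatureAlgorithm.String()+", expected SHA256-RSA")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "public key is not RSA")
	} else if pub.N.BitLen() < minKeyBits {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, minimum is %d", pub.N.BitLen(), minKeyBits))
	}
	// Valid for no more than 2 years.
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > maxValidity {
		problems = append(problems, fmt.Sprintf("validity period is %.0f days, maximum is %.0f", lifetime.Hours()/24, maxValidity.Hours()/24))
	}
	// Must be renewed 30 days before expiration.
	renewBy := cert.NotAfter.Add(-renewBefore)
	if !now.Before(renewBy) {
		problems = append(problems, "certificate is inside its 30-day renewal window or already expired")
	}
	return problems, renewBy, nil
}

// newSelfSignedPEM builds a constructed self-signed certificate so the check
// can be exercised offline. The issue date and subject name are placeholders.
func newSelfSignedPEM(bits int, validity time.Duration, alg x509.SignatureAlgorithm) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "idp.example.com"},
		NotBefore:          notBefore,
		NotAfter:           notBefore.Add(validity),
		SignatureAlgorithm: alg,
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CompliantDemoCert meets every requirement: 2048-bit RSA, SHA256-RSA, 365 days.
func CompliantDemoCert() ([]byte, error) {
	return newSelfSignedPEM(2048, 365*24*time.Hour, x509.SHA256WithRSA)
}

// NonCompliantDemoCert breaks three requirements: 1024-bit key, SHA384-RSA
// signature, and a 3-year validity period.
func NonCompliantDemoCert() ([]byte, error) {
	return newSelfSignedPEM(1024, 3*365*24*time.Hour, x509.SHA384WithRSA)
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	for _, mk := range []func() ([]byte, error){CompliantDemoCert, NonCompliantDemoCert} {
		pemBytes, err := mk()
		if err != nil {
			panic(err)
		}
		problems, renewBy, err := CheckSigningCert(pemBytes, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("renew by %s; %d problem(s)\n", renewBy.Format("2006-01-02"), len(problems))
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

Running the same check on a schedule against the certificate currently configured for the IdP gives an early warning when the 30-day renewal window opens, which is the requirement most often missed in practice.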

Next Steps

Email the following information to [email protected]:

  • Sign In URL: YOUR_SIGN_IN_URL
  • X.509 Signing Certificate: YOUR_CERTIFICATE (PEM or CER format)
  • Entity ID: YOUR_ENTITY_ID
  • Sign Out URL (Optional): YOUR_SIGN_OUT_URL