SAML SSO

​

Overview

Note: Before starting the integration, ensure you have admin access to your Identity Provider and the necessary certificates ready.

​

Requirements

​

From Identity Provider (Client)

1. Sign In URL (SSO URL)
   • The endpoint where authentication requests will be sent
   • Example: https://your-domain.okta.com/app/your-app/sso/saml
2. X.509 Signing Certificate
   • Public certificate in PEM or CER format
   • Used to verify SAML response signatures
   • Must use SHA-256 as the digest algorithm
3. Entity ID (Issuer)
   • Unique identifier for your Identity Provider
   • Example: urn:your-company:idp or https://your-domain.okta.com
4. Sign Out URL (Optional)
   • Endpoint for single logout requests
   • Example: https://your-domain.okta.com/app/your-app/slo/saml

​

Information We Provide

1. Assertion Consumer Service (ACS) URL
   • Where SAML assertions should be sent
   • Example: https://example-app.com/api/auth/saml/callback
2. Service Provider Entity ID
   • Our application’s unique identifier
   • Example: urn:example-app:sp
3. Callback URLs
   • Valid URLs for post-authentication redirects
   • Example: https://example-app.com/protected-route

​

User Attributes

​

Security Requirements

​

Encryption and Signing

• SAML responses must be signed using RSA-SHA256
• Encryption is optional but supported
• TLS 1.2 or higher required for all communications

​

Certificate Requirements

• X.509 certificates must use SHA-256 digest algorithm
• Minimum 2048-bit key length
• Valid for no more than 2 years
• Must be renewed 30 days before expiration

​

Next steps

• Sign In URL: YOUR_SIGN_IN_URL
• X.509 Signing Certificate: YOUR_CERTIFICATE (PEM or CER format)
• Entity ID: YOUR_ENTITY_ID
• Sign Out URL (Optional): YOUR_SIGN_OUT_URL