Skip to main content

Leostream SAML integration

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps to authenticate users through more than one required security and validation procedure. Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Leostream develops a vendor-neutral connection broker, which is software that maps end users to computing resources, such as desktops, that are hosted in a data center. A connection broker integrates end-user access points, including thin clients, laptops and Web browsers, with back-end systems hosting desktops and applications. It also integrates all other data center systems required for a virtual desktop infrastructure, including security, authentication, and load balancing systems.

Acceptto, as a SAML provider, improves the user login experience for Leostream users with convenient MFA. This manual illustrates how to configure Leostream with Acceptto’s single sign-on (SSO) solution.


  • An Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • A user with administrative privileges for the Acceptto service.

  • An organization identifier provided by Acceptto (organization slug).

  • Leostream 9 or higher. SAML logins are currently supported only for user’s logging in using the Leostream Web client. Leostream Connect, thin client, and zero client logins do not support SAML-based authentication.

  • A user with administrative privileges for Leostream.

Acceptto SAML Configuration as Identity Provider (IdP)

  1. Log into the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting the Create New Application.

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs. (e.g. Leostream)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and e-mail MFA requests (optional)

  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID– Enter the Issuer/EntityID of your Leostream instance (e.g. LeostreamBroker). Sign in URL - The URL used to login to your Leostream (e.g. https://Leostream_FQDN /saml).

    • NameID Format - Select "Unspecified" from the dropdown menu.

    • Name Identifier - Select "userPrincipleName" from the dropdown menu.

    • Assertion Consumer Service (ACS) URL - Enter the URL on the service provider where the identity provider will redirect to with its authentication response (e.g. https://Leostream_FQDN /saml).

  5. Click "Add New Attribute Assertion" button and create attributes like the below image:

    Friendly Name



    Name Format













    Last Name




    First Name




  6. Click Save to create the Application.

  7. Download your SAML IdP X509 certificate. Go to[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  8. Download your SAML metadata file. Go to[organization identifier]/saml/download/metadata to download your metadata file.

Configure Leostream as a SAML Service Provider

After creating your Application in Acceptto, register it with Leostream by creating a SAML authentication server in your Connection Broker, as follows.

  1. Go to the Setup > Authentication Servers page.

  2. Click the Add Authentication Server link.

  3. Select SAML from the Type drop-down menu. You can add a single SAML IdP to your Connection Broker. Therefore, you will not see the SAML option in the Type drop-down menu if you already defined a SAML IdP. If you do not see the SAML option in the Type drop-down menu and your Authentication Servers page does not already list a SAML IdP, contact to enable SAML IdP integration in your Leostream environment.

  4. Enter a descriptive name in the Authentication Server Name field.

  5. In the SAML EntityID edit field, enter the unique Entity ID you specified when creating the Application in Acceptto.

  6. Under the Connection Settings section, enter the following values:

    • Identity Provider login URL - Enter the SingleSignOnService URL you obtain from the Metadata XML file you downloaded earlier from Acceptto.

    • Identity Provider XML Metadata - Enter the content of the Metadata XML file you downloaded earlier from Acceptto.

  7. By default, after you created a SAML-based authentication server, the Connection Broker redirects all users to the Acceptto login URL when the user visits the Connection Broker login page. To allow users to bypass the SAML-based authentication server, select the Enable user logins without SAML check box.

  8. Click Save.

  9. Go to the Configuration > Assignments. Click Edit on your Acceptto Authentication Server. Enter memberOf in the Attribute field and select Contains in the Conditional box.

  10. Add groups based on the Group name, which is case sensitive.

  11. Add the application pools and assign groups to them.

Test your application integration

  1. Go to your Leostream URL through a browser.

  2. You will be redirected to the Acceptto SSO page.

    SSO login
  3. After successful authentication, you’ll see the Acceptto MFA options. Select your desired method. Next, approve the authentication request on your It'sMe mobile app.

  4. Finally, you will be redirected to your resource page.



If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.