
Arculix SAML (IdP-initiated) integration

Use this guide as a reference to configure a SAML (IdP-initiated) application integration to enable multi-factor authentication (MFA) and single sign-on (SSO) in Arculix.

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

This is a general SAML integration guide that provides configuration details for SAML (IdP-initiated) application integrations. For specific integrations, see Integrations; otherwise, you can use this guide for most other integrations.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • Application that supports SAML authentication

  • User account with administrative privileges to a service provider application

  • Access to service provider information about SAML configurations on their side as a service provider

Service provider configuration

In this section, you'll configure your application as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: <myorganization>/saml/download/metadata

    View metadata: <myorganization>/saml/metadata

    Certificate download: <myorganization>/saml/download/cert

  2. Go to your service provider instance and configure the application to use Arculix for SAML authentication.

    You will need to have the Arculix metadata on hand and access to the service provider instructions for the SAML configuration.

  3. Save your changes in the configurations on the service provider side.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Acme.


    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Configure as needed, according to the service provider instructions for the application. You might find the applicable information in the service provider metadata to help fill out these fields.

    For documentation purposes, all available fields for adding an application are described next.

    Upstream IdP

    This check box is commonly used for integrations with another IdP, where Arculix is used as an MFA factor.

    IdP Initiated 

    Select this check box if your application only supports starting the SAML login from the Identity Provider SSO portal.

    Issuer or Entity ID 

    Enter the Issuer / Entity ID of your service provider application server or instance.

    Metadata URL

    If applicable, enter the metadata URL provided by the service provider.

    NameID Format 

    By default, this is set to Email Address.

    This is the format in which the user identity is asserted to the SAML application. The most common format is Email Address. You can change this to a different NameID format.

    Name Identifier 

    By default, this is set to Email.

    The identifier associated with the NameID format; in most cases this is set to Email. You can change this to a different name identifier attribute.

    Application Logo

    Optional. Display the application logo in the SSO portal.

    The format for this field is the image address.

    ACS URL 

    Required. The Assertion Consumer Service (ACS) URL is the endpoint of the service provider (SP) where Arculix sends the SAML assertion after successfully authenticating a user.

    Single Logout URL

    If applicable, enter the single logout URL for the service provider.

    When the user logs out, this ensures that the user is also logged out of all other authenticated sessions associated with this service provider.


    By default, this is set to RSA-SHA256, which is stronger than RSA-SHA1.


    If applicable, paste the certificate information from the service provider.

    Identity Provider EntityID

    Optional. This field allows you to customize the IdP Issuer / Entity ID for each application.

    Default Relay State

    Optional. Direct users to this URL after they successfully authenticate to the SAML application.

  5. If your service provider requires it, you can include Asserted Attributes like the following:

    Friendly Name

    Optional. Human-readable form of the attribute's name, which might be useful in cases where the actual Name is complex or opaque.

    For example, First Name

    Name that the application uses to reference this attribute.

    For example, FirstName

    User directory attribute used to get this value.

    For example, givenName

    Name Format

    URI reference that represents the Name attribute format provided to your application.

    For example, unspecified



  6. Save your changes.

Test your application integration

  1. Go to the Arculix SSO login page for your organization and log in.

    For example, <myorganization>

  2. The Arculix SSO portal displays.

  3. Click the application you want to access; you will be redirected and logged in to the application.
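If the login in step 3 fails, the base64 `SAMLResponse` form field posted to the ACS URL can be captured in the browser and compared with the values entered on the SAML Service Provider Configuration tab. The following is an added diagnostic example, not Arculix code; the URLs, entity IDs and the unsigned sample response are constructed, and the script does not verify the signature, which remains the job of the service provider's SAML library.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed values standing in for what was entered in the application form.
SAMPLE_CFG = {"acs_url": "https://sp.example.test/saml/acs",
              "sp_entity_id": "https://sp.example.test/saml/metadata",
              "idp_entity_id": "https://idp.example.test/saml",
              "nameid_format": EMAIL, "algorithm": RSA_SHA256}

def compare_with_config(saml_response_b64, cfg):
    """List mismatches between a captured SAMLResponse and the configured values."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw:
        raise ValueError("DOCTYPE is not expected in a SAML response")
    root = ET.fromstring(raw)
    def attr(path, name):
        node = root.find(path, NS)
        return node.get(name) if node is not None else None
    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()
    found = {
        "acs_url": root.get("Destination"),
        "sp_entity_id": text("a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience"),
        "idp_entity_id": text("a:Assertion/a:Issuer"),
        "nameid_format": attr("a:Assertion/a:Subject/a:NameID", "Format"),
        "algorithm": attr(".//ds:SignatureMethod", "Algorithm"),
    }
    issues = [f"{k}: expected {cfg[k]!r}, got {v!r}" for k, v in found.items() if cfg[k] != v]
    # An IdP-initiated response answers no request, so InResponseTo must be absent.
    if root.get("InResponseTo"):
        issues.append("InResponseTo present: not an IdP-initiated response")
    return issues

def sample_response(alg=RSA_SHA256, dest="https://sp.example.test/saml/acs"):
    """Build a constructed, unsigned response for trying the comparison offline."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}" Destination="{dest}">
 <a:Assertion ID="_constructed1"><a:Issuer>https://idp.example.test/saml</a:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>
  <a:Subject><a:NameID Format="{EMAIL}">user@example.test</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>https://sp.example.test/saml/metadata</a:Audience>
  </a:AudienceRestriction></a:Conditions>
 </a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

A captured response is a bearer credential for the user until it expires, so treat it like a password and discard it after the comparison.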


If you have questions or need assistance, contact SecureAuth Support.
