
Leostream SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Leostream develops a vendor-neutral connection broker, which is software that maps end users to computing resources, such as desktops, that are hosted in a data center. A connection broker integrates end-user access points, including thin clients, laptops and Web browsers, with back-end systems hosting desktops and applications. It also integrates all other data center systems required for a virtual desktop infrastructure, including security, authentication, and load balancing systems.

Arculix by SecureAuth, as a SAML provider, improves the user login experience for Leostream users with convenient MFA. This manual illustrates how to configure Leostream with Arculix’s single sign-on (SSO) solution.

Prerequisites

  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Leostream.

  • Leostream 9 or higher. SAML logins are currently supported only for users logging in through the Leostream Web client. Leostream Connect, thin client, and zero client logins do not support SAML-based authentication.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Leostream and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Leostream.


    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID 

    Enter the Issuer/Entity ID of your Leostream instance.

    For example, LeostreamBroker

    Log in URL 

    Enter the URL used by users to log in to your Leostream.

    For example, https://Leostream_FQDN/saml.

    NameID Format 

    Set to Unspecified.

    Name Identifier 

    Set to userPrincipalName.

    ACS URL 

    Enter the URL on the service provider where the identity provider will redirect to with its authentication response.

    For example, https://Leostream_FQDN/saml.

  5. Click the Add New Attribute Assertion button and create the attributes shown in the attribute table (image not reproduced here). The table has Friendly Name and Name Format columns; the visible rows are Last Name and First Name.

  6. Save your changes.

  7. Download your SAML IdP X509 certificate. Go to [organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  8. Download your SAML metadata file. Go to [organization identifier]/saml/download/metadata to download your metadata file.

Leostream configuration

After creating your application in Arculix, register it with Leostream by creating a SAML authentication server in your Connection Broker.

  1. Go to Setup > Authentication Servers.

  2. Click Add Authentication Server.

  3. Select SAML from the Type drop-down menu.


    You can add a single SAML IdP to your Connection Broker. Therefore, you will not see the SAML option in the Type drop-down menu if you have already defined a SAML IdP.

    If you do not see the SAML option in the Type drop-down menu and your Authentication Servers page does not already list a SAML IdP, contact to enable SAML IdP integration in your Leostream environment.

  4. Enter a descriptive name in the Authentication Server Name field.

  5. In the SAML EntityID edit field, enter the unique Entity ID you specified when creating the application in Arculix.

  6. In the Connection Settings section, set the following:

    Identity Provider login URL

    Enter the SingleSignOnService URL from the Arculix metadata.

    Enable user logins without SAML

    Optional. By default, after you create a SAML-based authentication server, the Connection Broker redirects all users to the Arculix login URL when they visit the Connection Broker login page. To allow users to bypass the SAML-based authentication server, select the check box.

    Identity Provider XML Metadata

    Enter the content of the Metadata XML file you downloaded earlier from Arculix.

  7. Click Save.

  8. Go to Configuration > Assignments and click Edit next to your Arculix Authentication Server.

  9. In the Assigning User Role and Policy section, set the following:


    Enter memberOf.


    Select Contains.

  10. Add groups based on the Group name, which is case sensitive.

  11. Add the application pools and assign groups to them.
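As an added example (not Arculix or Leostream code), the following Python pulls the SingleSignOnService URL, entityID and signing certificate out of a constructed sample of the Arculix metadata file (step 6) and checks a constructed sample assertion for the NameID format, Entity ID audience and memberOf attribute that this page configures; all hostnames and values are placeholders.

```python
# Added example (not Arculix or Leostream code): extract the IdP values Leostream
# asks for and check an assertion against the SP settings from this page.
# The metadata and assertion below are constructed samples with placeholder values.
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted input

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>LeostreamBroker</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>CN=VDI-Users,OU=Groups,DC=example,DC=test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def idp_settings(metadata_xml):
    """Values for step 6: entityID, SingleSignOnService URL and the signing certificate."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:SingleSignOnService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_cert": cert.text.strip() if cert is not None else None}

def check_assertion(assertion_xml, sp_entity_id, required_attrs=("memberOf",)):
    """List mismatches against the hand-entered settings (steps 4 and 9). Signature
    verification is the SP's job and is not repeated here."""
    a = ET.fromstring(assertion_xml)
    problems = []
    name_id = a.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED:
        problems.append("NameID Format is not 'unspecified'")
    audiences = [e.text for e in a.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
    present = {e.get("Name") for e in a.findall(".//saml:Attribute", NS)}
    problems += [f"missing attribute {n!r}" for n in required_attrs if n not in present]
    return problems
```

An empty list from check_assertion means the assertion matches the Entity ID, NameID format and group attribute entered in the Leostream steps above; any mismatch is reported by name.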

Test your application integration

  1. Go to your Leostream URL.

  2. You will be redirected to the Arculix SSO page.

  3. After successful authentication, select your preferred MFA method to approve access to the Leostream application.

  4. Approve the authentication request on your Arculix Mobile app.

  5. Finally, you will be redirected to your resource page.



If you have questions or need assistance, contact SecureAuth Support.