Skip to main content

Add SAML Service Provider

Use this setup to add a SAML service provider (SP) application to SecureAuth CIAM. When you add a SAML application CIAM creates a client record that defines how authentication and access policies apply to that application.

This setup allows SecureAuth to enforce user authentication and control who can access the SP application. After a user signs in, CIAM checks their identity and any assigned user policy before sending a SAML assertion to the application.

Use cases

SecureAuth CIAM supports adding and protecting applications that use the SAML protocol. These applications typically rely on browser-based single sign-on (SSO) and are common across enterprise environments.

Here are some examples of how you can use CIAM to protect SAML service provider applications:

Internal business systems
Require authentication through CIAM before users access HR platforms, finance tools, or organizational applications. Apply user policies to limit access by role, group, or department.

Technical and partner-facing portals
Secure applications used by engineers, field service teams, or external partners. Use SAML attribute mappings to pass relevant identity information to the service provider.

Clinical and administrative systems
Protect access to Electronic Health Record (EHR) platforms, shift management tools, and internal portals used by staff. Use CIAM to authenticate doctors, nurses, and administrators and enforce role-based access.

Before you begin

You'll need:

  • The SAML metadata from the application. This defines the trust connection (via URL, XML file, or manual settings).

  • A list of SAML attributes the application expects (such as email or username).

  • (Optional) A user policy if you want to restrict access to certain users or groups.

  • (Optional) A user policy if you want to restrict access to certain users or groups.

note

This task involves creating a client application in CIAM that represents and protects a third-party SAML service provider (SP) application. We'll use Bluehawk as an example of a fictional SP application.

Step 1: Create the application

  1. In the selected workspace, go to Applications > Clients.

  2. Click Create Client.

    Result: The Create Application page displays in CIAM.

    Create SAML Application

  3. Enter a name and optional application URL.

    • The optional URL links to the application's login page or landing page.

    • You can also use the optional URL to let SecureAuth CIAM initiate authentication for the application.

      For example, enter https://outlook.microsoft.com to enable direct access to Outlook through CIAM.

    note

    Leaving the Application URL field blank does not affect SAML authentication. The application can still redirect to SecureAuth CIAM for login if configured with the CIAM IdP metadata.

    For example, users can go directly to the Bluehawk application, which redirects to CIAM for authentication, even if no URL is entered.

  4. Select SAML Service Provider as the application type.

  5. Click Create.

Step 2: Fill in client application details

On the Overview tab, enter the application details and optional settings.

SAML Application Overview

FieldDescription
Application NameName shown in CIAM for this client application.
DescriptionOptional. Short summary to help identify the application.
Application URLOptional. URL of the SP application login page. Used for launching the SP application from CIAM.
For example, enter https://outlook.microsoft.com to launch Outlook from CIAM.
Add Entity InfoOptional. Turn on to define custom metadata for the application. Enables the Entity Info tab.
Override SAML AttributesOptional. Turn on to define custom SAML attributes for the application. Enables the Attributes tab.

Step 3: Add service provider metadata

Go to the SAML tab. This is where you define how SecureAuth connects to the SP application.

SAML Configuration Tab

You can provide the SP metadata in one of three ways:

Enter the metadata URL provided by the SP application. SecureAuth automatically imports the required connection settings, such as Entity ID and ACS URL.

SAML URL Configuration

When to use: When your SP provides a metadata URL endpoint.

XML Method

Upload the metadata XML file provided by the SP application. This is often used when the SP does not provide a URL.

SAML XML Upload

When to use: When your SP provides a downloadable metadata file but no URL.

Manual Method

Enter key details manually if no metadata is available. You must specify the Entity ID, ACS URL, optional signing certificate, and binding method.

SAML Manual Configuration

Required fields:

  • Entity ID: Unique identifier for the SP application. Provided by the SP.
  • ACS URL: Assertion Consumer Service (ACS) endpoint where SecureAuth sends the SAML assertion after login.
  • Signing Certificate (optional): Certificate used by the SP to validate logout requests or responses. Upload only if required by the SP.
  • SSO Binding Method: Choose the method the SP application uses for SAML communication:
    • Form Post: Secure and widely supported
    • Redirect: Uses URL parameters; required by some service providers (SP)

When to use: When no metadata URL or file is available from your SP.

Reminder

After adding metadata, provide the SAML IdP metadata from CIAM to the SP application (like Bluehawk). This allows the SP to recognize SecureAuth CIAM as a trusted identity provider.

Step 4: Set Subject NameID

The Subject NameID tells the application which identifier to use for the user login; such as email or username.

Subject NameID Configuration

SecureAuth sends this value in the SAML assertion to help the SP application recognize the user.

You can either use the default setting from your SAML IdP configuration, or override it for this specific application.

OptionDescription
Use default (leave check box cleared)SecureAuth uses the NameID value defined in your global SAML IdP Settings.
Override Subject NameIDSelect this check box to define a different identifier for this application. Select a NameID format and the attribute that supplies the value (such as email or userID).
tip

Some SP applications require a specific NameID format or attribute. Check the SP documentation or contact the vendor if unsure.

Step 5: Choose signing algorithm

On the SAML tab, scroll to the Binding Preferences section.

Signing Algorithm Selection

Select the signing algorithm SecureAuth uses to sign the SAML assertion sent to the SP application. This digital signature ensures the message is trusted and has not been altered in transit.

OptionDescription
SHA-1Not recommended. Considered insecure and deprecated.
SHA-256Recommended. Provides strong security and is widely supported by SAML-enabled applications.
SHA-512Stronger than SHA-256. Use only if the SP application explicitly supports it.

Step 6: Set access control

Go to the Access Control tab. This is where you determine which users can access the SP application through SecureAuth CIAM.

Access Control Configuration

By default, access is unrestricted. You can assign a user policy to apply rules based on user groups, attributes, or other conditions.

OptionDescription
UnrestrictedAll users who authenticate through SecureAuth can access the SP application.
Select a User PolicyChoose a predefined user policy to restrict access. Only users who meet the policy criteria can launch and use the SP application.
tip

User policies are managed separately in CIAM. To create or edit policies, go to Authorization > Policies in the selected workspace.

Step 7: Save and test

  1. Click Save to create the SAML service provider application.

  2. Copy the SAML IdP metadata from the SAML tab and provide it to your SP application administrator.

  3. Test the integration:

    • Navigate to your SP application
    • Attempt to log in
    • Verify you're redirected to SecureAuth CIAM for authentication
    • Confirm successful login and access to the SP application

Next steps

After successfully configuring your SAML service provider:

  • Configure SAML attributes to pass user information to the SP
  • Set up user policies to control application access
  • Enable SSO for seamless user experience across applications

Troubleshooting

Common issues

IssueSymptomSolution
Metadata import failsError when adding SP metadata URLVerify the URL is accessible and returns valid SAML metadata
Authentication loopUser redirected repeatedly between SP and CIAMCheck that Entity ID and ACS URL match between SP and SecureAuth CIAM configurations
Access deniedUser successfully authenticates but cannot access SPReview user policy settings and ensure the user meets policy criteria