
Use SecureAuth as a SAML Identity Provider (IdP) for SSO

This quickstart walks you through configuring SecureAuth to act as a SAML Identity Provider, enabling authentication for external Service Providers (SPs) using the SAML 2.0 protocol.

What is SAML?

Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for browser-based single sign-on. The user authenticates once with an Identity Provider (IdP), which then issues a signed SAML assertion to each downstream Service Provider (SP) (a business application, SaaS tool, or internal portal), granting access without a second login.

SAML remains the default integration point for enterprise and workforce SSO:

  • Enterprise reach. Nearly every established B2B SaaS product ships a SAML connector. If your customers run an IdP already (Okta, Entra ID, Ping, SecureAuth), SAML is usually the first protocol they ask for.
  • Works for first-party apps too. Many organizations federate their own internal apps through a single SAML IdP, so one login grants access to the HR tool, the ticketing system, and the data warehouse. This is how most workforce portals work today.
  • Complementary to OIDC. Modern stacks often run both: OIDC for new consumer and mobile apps, SAML for legacy and enterprise SSO. SecureAuth issues both from the same tenant.

SecureAuth runs as a SAML 2.0 Identity Provider, signing assertions with tenant keys and publishing standard IdP metadata for any SP to consume.

Browser SSO flow (SP-initiated)


1. Register a SAML Application

Create a new application that represents the SP (Service Provider):

  1. Go to Tenant Settings → Applications
  2. Click Add Application
  3. Choose:
    • Client Type: SAML
    • Application Type: SAML SP
  4. Provide:
    • Application Name (e.g., MySAMLApp)
    • ACS (Assertion Consumer Service) URL from the SP
    • Entity ID (also known as Audience URI)
Tip: You can register multiple ACS URLs to support dev, test, and production environments.


2. Configure Identity Providers

Determine how users will authenticate before SecureAuth issues a SAML assertion:


3. Customize SAML Assertion

Define what SecureAuth includes in the SAML response:

  • Set the NameID format (e.g., email, username)
  • Map user attributes to SAML claims
  • Enable signature, encryption, or audience validation settings
Note: To modify claim mappings and assertion behavior, go to the application's Claim Mapping and SAML Settings sections.


4. Retrieve IdP Metadata

Provide the Service Provider with SecureAuth’s metadata so it can validate SAML assertions.

  • Metadata URL: https://{tenant-domain}/{workspace}/saml-idp/metadata

Share this metadata XML file with the SP administrator.


5. Test the Login Flow

  1. From the SP, initiate a SAML authentication request
  2. SecureAuth prompts the user to log in
  3. SecureAuth sends a signed SAML assertion to the SP’s ACS URL

The SP validates the assertion and logs the user in.
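The SP-side validation in the last step, as an added example that is not SecureAuth's or any SP's own code: it checks the Destination against the registered ACS URLs (several, per the tip in step 1), the Issuer against the IdP entity ID from the metadata, the Audience against the SP's Entity ID, and the validity window, then extracts the NameID. The entity IDs, ACS URLs and sample Response are constructed; XML signature verification needs a dedicated XML-DSig library and is assumed to have run before these checks.

```python
# Added example, not SecureAuth's code: the non-signature checks an SP runs on the
# SAML Response posted to its ACS URL. XML-DSig verification is assumed to run first.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical values: registered in step 1 (SP side) and read from the IdP metadata (step 4).
IDP_ENTITY_ID = "https://acme.example.com/default/saml-idp"
SP_ENTITY_ID = "https://mysamlapp.example.com/saml/metadata"   # Entity ID / Audience URI
ACS_URLS = {"https://mysamlapp.example.com/saml/acs", "https://dev.mysamlapp.example.com/saml/acs"}


def _ts(value):  # parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, skew=timedelta(seconds=60)):
    """Return the asserted NameID, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") not in ACS_URLS:           # was it posted to a URL we own?
        raise ValueError("Destination is not a registered ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                             # reject absent or extra assertions
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in [
            e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Audience does not match our Entity ID")  # minted for another SP
    if not (_ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing NameID")
    return name_id


# Constructed sample Response (abbreviated; a real one also carries a ds:Signature element).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://mysamlapp.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_response(SAMPLE, _ts("2024-05-01T12:01:00Z"))` returns `alice@example.com`; the same Response with a foreign Audience, an unregistered Destination, or a clock outside the window is rejected.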


6. Optional Enhancements