Technical Guides
      Back to home
      1. Knowledge Base
      2. Technical Guides

      Setting up a SAML2 connection for a Web App using an external IDP

      If you want to configure a web app to use an IDP for authentication, then here is a general overview of the process

      Part 1: Setting Up the SAML2 Connection
      This is about configuring the SP and IdP to "trust" each other by exchanging metadata and entering the right details.
      1. Understand the Players:
        • Service Provider (SP): Your web app that wants to let users log in.
        • Identity Provider (IdP): The external system (e.g., Okta, Azure AD) that verifies user identities.
      2. Gather Information from the IdP:
        • The IdP provides a metadata file (usually an XML document) or specific details:
          • Entity ID: A unique identifier for the IdP (e.g., https://idp.example.com/saml2).
          • SSO URL: The address where the SP sends login requests (e.g., https://idp.example.com/sso).
          • Public Certificate: A cryptographic key to verify the IdP’s messages (used for signing/encryption).
        • You (the SP admin) download this metadata or manually note these values.
      3. Configure the SP (Your Web App):
        • Log into your web app’s admin panel or configuration file.
        • Enter the IdP’s details:
          • IdP Entity ID: Paste the IdP’s unique identifier.
          • SSO URL: Add the IdP’s login endpoint.
          • Certificate: Upload or paste the IdP’s public certificate.
        • Define your SP’s details:
          • SP Entity ID: Create a unique ID for your app (e.g., https://yourapp.com/saml2).
          • Audience URL: Often the same as the SP Entity ID; it tells the IdP who the response is for.
          • Assertion Consumer Service (ACS) URL: The endpoint on your app where the IdP sends responses (e.g., https://yourapp.com/saml2/acs).
        • Generate or upload an SP certificate/private key pair (optional, for signing/encryption).
      4. Share SP Metadata with the IdP:
        • Export your SP’s metadata (Entity ID, ACS URL, certificate) as an XML file or manually provide it.
        • The IdP admin enters this into their system to recognize your app as a trusted partner.
      5. Test the Connection:
        • Save all settings.
        • Run a test login to ensure the SP and IdP can "talk" securely.
      At this point, the SP and IdP trust each other because they’ve exchanged unique IDs, URLs, and certificates. Think of it like exchanging phone numbers and secret codes so two parties can communicate safely.