Generic SAML Setup
Configure single sign-on with any SAML 2.0 identity provider
This guide covers configuring SSO with any SAML 2.0 compatible identity provider. Use this for ADFS, Okta, OneLogin, PingFederate, or any enterprise IdP supporting SAML.
If your identity provider supports both SAML and OIDC, we recommend OIDC for simpler setup. See Generic OIDC Guide.
Prerequisites
Before you begin, ensure you have:
- Admin access to your identity provider
- Organization owner or admin role in Securtea
- Your organization's email domain (e.g., yourcompany.com)
SAML Terminology
| Term | Description |
|---|---|
| Service Provider (SP) | Securtea - the application users are signing into |
| Identity Provider (IdP) | Your corporate identity system (Okta, ADFS, etc.) |
| Assertion | The SAML response containing user information |
| ACS URL | Assertion Consumer Service - where IdP sends the response |
| Entity ID | Unique identifier for the service provider |
| Metadata | XML document describing SAML configuration |
Step 1: Gather Securtea SAML Details
Before configuring your IdP, collect Securtea's SAML service provider details:
Service Provider Configuration
| Setting | Value |
|---|---|
| ACS URL | https://app.securtea.io/api/auth/sso/callback/saml-{your-org-slug} |
| Entity ID | https://app.securtea.io/saml/{your-org-slug} |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Replace {your-org-slug} with your Securtea organization's slug.
Example (if org slug is acme-corp):
- ACS URL: https://app.securtea.io/api/auth/sso/callback/saml-acme-corp
- Entity ID: https://app.securtea.io/saml/acme-corp
You can find these exact values in Securtea's SSO configuration page.
Step 2: Create Application in Your IdP
In your identity provider's admin console, create a new SAML application.
Common Settings
| Setting | Value |
|---|---|
| Application name | Securtea |
| Application type | SAML 2.0 |
| Single Sign-On URL | Use the ACS URL from Step 1 |
| Audience URI (Entity ID) | Use the Entity ID from Step 1 |
| Name ID format | Email Address |
| Name ID value | User's email |
Attribute Statements
Configure your IdP to send these attributes in the SAML assertion:
| Attribute Name | Value | Required |
|---|---|---|
| email | User's email address | Yes |
| firstName or givenName | User's first name | Optional |
| lastName or familyName | User's last name | Optional |
| displayName | User's full name | Optional |
The email attribute is required for user identification. Use the exact attribute name your IdP expects.
Signature Settings
| Setting | Recommended Value |
|---|---|
| Sign assertion | Yes |
| Sign response | Yes (optional) |
| Signature algorithm | RSA-SHA256 |
| Digest algorithm | SHA256 |
Step 3: Gather IdP Configuration
After creating the application, collect these values from your IdP:
| Value | Description |
|---|---|
| SSO URL | Identity provider's SAML endpoint |
| Entity ID | Identity provider's identifier |
| Certificate | X.509 certificate for signature verification |
Obtaining the Certificate
Your IdP provides a signing certificate in one of these formats:
- Base64-encoded (most common) - Copy the certificate string
- PEM file - Download and extract the base64 content
- Metadata XML - Extract from the <X509Certificate> element
The certificate should look like:
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoM
...
Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers when entering the certificate in Securtea.
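The three certificate sources above all reduce to the same marker-free base64 body. The following is an added helper, not Securtea's own code, that normalizes any of them, picks the KeyDescriptor marked use="signing" when given metadata XML (the encryption certificate would later cause "Invalid Signature"), and checks that the result decodes to DER. The certificate bodies in the sample are constructed placeholders, not real certificates.

```python
# Added example, not Securtea code: turn a certificate supplied as a bare
# base64 string, a PEM file, or IdP metadata XML into the marker-free base64
# Securtea expects, and sanity-check that it decodes to DER.
import base64
import binascii
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def normalize_idp_cert(source):
    """Return the base64 body of the IdP signing certificate, without markers or whitespace."""
    text = source.strip()
    if text.startswith("<"):
        root = ET.fromstring(text)
        # Prefer the KeyDescriptor marked use="signing"; a descriptor with no "use"
        # attribute serves both purposes. Never take the "encryption" certificate.
        kds = root.iter("{%s}KeyDescriptor" % MD)
        certs = [(kd.get("use"), kd.findtext(".//{%s}X509Certificate" % DS)) for kd in kds]
        text = (next((c for use, c in certs if use == "signing"), None)
                or next((c for use, c in certs if use is None), None))
        if not text:
            raise ValueError("no signing X509Certificate in metadata")
    # Strip PEM markers and all whitespace (PEM and metadata both wrap at 64 columns)
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = "".join(body.split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError("certificate is not valid base64: %s" % e)
    if not der.startswith(b"\x30"):  # a DER Certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    return body

# Constructed sample metadata: both certificate bodies are tiny placeholder
# SEQUENCEs (not real certificates); the signing one is listed second on purpose.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/{app-id}">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MAMCAQI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

The returned string is what goes into the IdP Certificate field in Step 4.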
Step 4: Configure SSO in Securtea
Navigate to SSO Settings
- Sign in to your Securtea dashboard
- Go to Settings > Organization > SSO Authentication
- Select the SAML tab
Enter Configuration
Complete the form with the values from Step 3:
Email Domain
Enter your organization's email domain (e.g., yourcompany.com).
IdP Entity ID
Enter your identity provider's entity ID (issuer).
Examples:
- Okta: http://www.okta.com/{app-id}
- ADFS: http://adfs.yourcompany.com/adfs/services/trust
IdP SSO URL
Enter the identity provider's SAML 2.0 endpoint URL.
This is where Securtea redirects users for authentication.
IdP Certificate
Paste the X.509 certificate (base64-encoded content only, no markers).
Save Configuration
Click Configure SAML to save your settings.
Step 5: Test the Connection
After saving:
- Locate the Test Connection section
- Click Test
- A new window opens to test authentication
- Sign in with your IdP credentials
- Review the results
If successful, you'll see user information returned by your IdP.
Provider-Specific Notes
Okta
Application Type: Select "SAML 2.0" when creating the integration.
Attribute Statements: Configure in the application's "SAML Settings" section.
Entity ID: Found in "View SAML Setup Instructions" → "Identity Provider Issuer"
ADFS (Active Directory Federation Services)
Relying Party Trust: Create a new relying party trust for Securtea.
Claims Rules: Configure claim rules to pass email as Name ID.
Certificate: Export the token-signing certificate from ADFS Management.
OneLogin
SAML Test Connector: Use the advanced SAML connector.
Parameters: Add email as a custom parameter mapped to Email.
Certificate: Download from the SSO tab of your application.
PingFederate / PingOne
Connection Type: SP-initiated SSO.
Protocol: SAML 2.0.
Attribute Contract: Include email address attribute.
Attribute Mapping
Required Attributes
At minimum, your IdP must send the user's email address. This can be:
- The SAML NameID (recommended)
- An attribute named email
- An attribute with a different name (configure mapping in IdP)
Name ID Formats
Securtea accepts these NameID formats:
| Format | URI |
|---|---|
| Email Address | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Persistent | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
| Transient | urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
| Unspecified | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
We recommend emailAddress format for simplicity.
User Experience
SP-Initiated Flow
- User visits Securtea and enters their email
- Securtea detects SSO domain and generates SAML request
- User is redirected to your IdP
- User authenticates with corporate credentials
- IdP generates SAML response and redirects to Securtea ACS
- Securtea validates the assertion and signs in the user
IdP-Initiated Flow
IdP-initiated SSO is not currently supported. Users must start authentication from Securtea.
Troubleshooting
"Invalid Signature" Error
Cause: Certificate mismatch or signature verification failed.
Fix:
- Re-download the certificate from your IdP
- Ensure you're using the signing certificate (not encryption)
- Verify the certificate hasn't expired
- Remove any header/footer markers
"Invalid Audience" Error
Cause: Entity ID mismatch between IdP and Securtea.
Fix:
- Verify the Entity ID in your IdP matches Securtea exactly
- Check for trailing slashes or URL encoding differences
- Entity ID is case-sensitive
"Invalid Destination" Error
Cause: ACS URL mismatch.
Fix:
- Verify the ACS URL in your IdP configuration
- Include the full URL with protocol (https)
- Ensure org slug is correct
"Missing Attribute" Error
Cause: Required attributes not included in assertion.
Fix:
- Configure attribute statements in your IdP
- Ensure email attribute is mapped correctly
- Test the SAML response to verify attributes are present
Time-Related Errors
Cause: Clock skew between systems.
Fix:
- Ensure your IdP server time is synchronized (NTP)
- Securtea allows a 5-minute clock skew tolerance
- Check for timezone issues in SAML timestamps
User Not Found / Created
Cause: Email extraction failed or domain mismatch.
Fix:
- Verify email is sent in the SAML assertion
- Check that the email domain matches your SSO configuration
- Review attribute mapping in your IdP
Debugging SAML
View SAML Response
Most browsers have extensions to decode SAML traffic:
- SAML-tracer (Firefox/Chrome) - View SAML requests and responses
- SAML DevTools (Chrome) - Inspect SAML assertions
Check Assertion Contents
Verify your SAML assertion includes:
<saml:Assertion>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      user@yourcompany.com
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@yourcompany.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
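Once you have the decoded response from SAML-tracer, the checks behind the "Invalid Audience", "Invalid Destination", "Missing Attribute" and time-related errors above can be reproduced offline. The following is an added diagnostic, not Securtea's own validation code: it does not verify the XML signature, and the ACS URL, Entity ID and sample response (which carries a trailing slash in its Audience) are constructed for the acme-corp example.

```python
# Added diagnostic (not Securtea code, no XML signature check): runs the audience,
# destination, time and email checks from the troubleshooting section over a decoded response.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SKEW = timedelta(minutes=5)  # clock skew tolerance stated in the guide

def _ts(s):  # SAML timestamps are ISO 8601 UTC with a trailing "Z"
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, expected_acs, expected_entity_id, now=None):
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must equal the ACS URL exactly: https scheme, correct org slug
    if root.get("Destination") != expected_acs:
        problems.append("Invalid Destination: %r" % root.get("Destination"))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, problems + ["no saml:Assertion in response"]
    # Audience is compared case-sensitively; a trailing slash is a mismatch
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != expected_entity_id:
        problems.append("Invalid Audience: %r" % aud)
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb and now < _ts(nb) - SKEW:
        problems.append("assertion not yet valid (clock skew?)")
    if na and now >= _ts(na) + SKEW:
        problems.append("assertion expired (clock skew?)")
    # Email comes from an emailAddress-format NameID, else from the email attribute
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    nameid = a.find("saml:Subject/saml:NameID", NS)
    email = attrs.get("email")
    if nameid is not None and nameid.get("Format") == EMAIL_FMT:
        email = (nameid.text or "").strip() or email
    if not email:
        problems.append("Missing Attribute: no email NameID or email attribute")
    return email, problems

# Constructed sample: correct Destination, but the Audience has a stray trailing slash
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://app.securtea.io/api/auth/sso/callback/saml-acme-corp"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@yourcompany.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"><saml:AudienceRestriction>
 <saml:Audience>https://app.securtea.io/saml/acme-corp/</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Pass `now` as the ISO timestamp from the captured response when reviewing a trace after the fact, so the 5-minute window is evaluated against the time the IdP actually issued the assertion.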
Removing SAML Configuration
To remove SSO and revert to standard authentication:
- Go to Settings > Organization > SSO Authentication
- Click Remove Configuration
- Confirm the removal
SSO-only users will need to reset their password to access their accounts.