The SAML (Security Assertion Markup Language) Global Configuration Settings allow you to configure Service Provider (SP) settings that apply to all tenants in your multi-tenant application. This enables Single Sign-On (SSO) functionality across your platform.
Before configuring SAML settings, ensure you have:
This section contains the Service Provider endpoints that you'll need to share with your Identity Provider.
| Field | Description | Example | Notes |
|---|---|---|---|
| SP Entity ID | Unique identifier for your Service Provider | https://yourapp.com | Auto-generated, read-only |
| ACS URL | Assertion Consumer Service - where the IDP sends SAML responses | https://yourapp.com/saml/acs | Auto-generated, read-only |
| SLS URL | Single Logout Service - handles logout requests | https://yourapp.com/saml/sls | Auto-generated, read-only |
These URLs are automatically generated based on your domain. Copy these to provide to your IDP administrator.
Manages the cryptographic components for signing and encrypting SAML communications.
```
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
[... certificate content ...]
-----END CERTIFICATE-----
```

```
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7W3Y2Fvzs5rVi
[... key content ...]
-----END PRIVATE KEY-----
```
Generating Certificates:

```
php yii saml/generate-certificate
```

Configure security requirements for SAML communications.
| Setting | Default | Description | When to Enable |
|---|---|---|---|
| Encrypt NameID | Off | Encrypts the user identifier in SAML assertions | High-security environments |
| Sign Authentication Requests | On | Digitally signs outgoing auth requests | Always recommended |
| Sign Logout Requests | On | Signs logout requests | Always recommended |
| Sign Logout Responses | On | Signs logout responses | Always recommended |
| Setting | Default | Description | Impact |
|---|---|---|---|
| Require Signed Assertions | On | IDP must sign all assertions | Prevents tampering |
| Require Encrypted Assertions | Off | IDP must encrypt assertions | Additional security layer |
| Require NameID | On | User identifier must be present | Required for user mapping |
| Validate XML Structure | On | Strict XML validation | Prevents malformed requests |
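The two tables above describe policy, not code. The following is an added example (not the product's own code) of the structural gate an SP applies to an inbound `samlp:Response` before handing it to the SAML toolkit for cryptographic signature verification and decryption: it enforces Require Signed Assertions, Require Encrypted Assertions, Require NameID and Validate XML Structure with the defaults from the table, and also checks that the message's `Destination` is this SP's ACS URL from the endpoints table. The sample response is constructed; the `ds:Signature` in it is a placeholder and is only checked for presence and placement.

```python
"""Structural policy gate for inbound SAML Responses (added example).

Enforces the incoming-request requirements from the configuration table;
cryptographic verification of the signature and decryption of encrypted
assertions remain the job of the SAML toolkit that runs afterwards.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://yourapp.com/saml/acs"  # this SP's ACS URL from the endpoints table


@dataclass(frozen=True)
class InboundPolicy:
    """Defaults mirror the table: signed On, encrypted Off, NameID On, XML validation On."""
    require_signed_assertions: bool = True
    require_encrypted_assertions: bool = False
    require_name_id: bool = True
    validate_xml_structure: bool = True


def check_saml_response(xml_bytes: bytes, policy: InboundPolicy = InboundPolicy()) -> list:
    """Return the list of policy violations; an empty list means the response
    passes the structural checks and may be handed to the SAML toolkit."""
    problems = []
    if policy.validate_xml_structure and b"<!DOCTYPE" in xml_bytes:
        # SAML 2.0 forbids DTDs, so a DOCTYPE is rejected before the parser runs.
        return ["DOCTYPE declaration present; DTDs are not permitted in SAML messages"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # A Destination, when present, must be this SP's own ACS URL.
    destination = root.get("Destination")
    if destination is not None and destination != ACS_URL:
        problems.append(f"Destination {destination!r} is not this SP's ACS URL")

    plaintext = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if not plaintext and not encrypted:
        problems.append("response carries no assertion")
    if policy.require_encrypted_assertions and plaintext:
        problems.append("plaintext saml:Assertion present but encrypted assertions are required")
    for i, assertion in enumerate(plaintext):
        # The signature that covers an Assertion must be its direct child.
        if policy.require_signed_assertions and assertion.find("ds:Signature", NS) is None:
            problems.append(f"assertion {i} is not signed")
        if policy.require_name_id and assertion.find("saml:Subject/saml:NameID", NS) is None:
            problems.append(f"assertion {i} has no NameID")
    # A NameID inside an EncryptedAssertion can only be checked after decryption.
    return problems


def sample_response(*, signed: bool = True, name_id: bool = True) -> bytes:
    """Constructed minimal Response used as input here; not real IDP output."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>constructed-placeholder</ds:SignatureValue>'
           '</ds:Signature>') if signed else ""
    nid = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
           'alice@example.test</saml:NameID>') if name_id else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z" Destination="https://yourapp.com/saml/acs">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        f'{sig}<saml:Subject>{nid}</saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    ).encode()


if __name__ == "__main__":
    for label, data in [("signed", sample_response()),
                        ("unsigned", sample_response(signed=False)),
                        ("no-nameid", sample_response(name_id=False)),
                        ("dtd", b"<!DOCTYPE x><samlp:Response/>")]:
        print(label, check_saml_response(data) or "OK")
```

Passing the gate is necessary but not sufficient: a response that reaches the toolkit still has to have its signature verified against the IDP certificate configured for that tenant.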
In Okta Admin Console:
https://yourapp.com/saml/acs
https://yourapp.com
In Your Application:
https://yourcompany.okta.com/app/appid/sso/saml/metadata
Configure Attribute Mapping:
email → email
firstName → firstname
lastName → lastname
Using the provided OneLogin metadata:
Import Method:
onelogin_metadata.xml file
https://app.onelogin.com/saml/metadata/0c3907e8-9970-4e3c-aace-2b8a6c7b3362
Manual Configuration:
`<ds:X509Certificate>` tags
Different IDPs for different tenants:
Tenant A - Google Workspace:
Tenant B - Azure AD:
Tenant C - Custom SAML IDP:
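Whether a tenant's IDP is Okta, OneLogin, Google Workspace, Azure AD or a custom SAML IDP, its metadata document carries the same three things the manual-configuration form needs: the IDP entity ID, the SSO/SLO endpoints, and the signing certificate inside the `<ds:X509Certificate>` tags. The following added example (not the product's own code) extracts them and re-wraps the certificate body as PEM; the sample metadata, its endpoints and the certificate bytes are constructed, and the requirement that every endpoint be `https://` is an assumption of this example.

```python
"""Extract SP-side configuration from an Identity Provider's SAML metadata (added example)."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def to_pem(b64_body: str) -> str:
    """Re-wrap a bare base64 certificate body into PEM with 64-character lines."""
    body = "".join(b64_body.split())          # metadata usually line-wraps the value
    base64.b64decode(body, validate=True)     # fail early on a corrupted value
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Return entity ID, endpoints and signing certificates (PEM) from IDP metadata."""
    if b"<!DOCTYPE" in xml_bytes:             # DTDs have no place in SAML metadata
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IDP role")

    def endpoint(element_name, binding):
        for ep in idp.findall(f"md:{element_name}", NS):
            if ep.get("Binding") == binding:
                location = ep.get("Location", "")
                if not location.startswith("https://"):   # assumption: plain http is refused
                    raise ValueError(f"{element_name} Location is not https: {location}")
                return location
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(to_pem(cert.text or ""))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": endpoint("SingleSignOnService", REDIRECT),
        "sso_post_url": endpoint("SingleSignOnService", POST),
        "slo_redirect_url": endpoint("SingleLogoutService", REDIRECT),
        "signing_certificates": certs,
    }


# Constructed sample: the certificate body is base64 of placeholder bytes, not a real X.509.
CONSTRUCTED_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate" * 3).decode()

SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>
        {CONSTRUCTED_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso/post"/>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode()


if __name__ == "__main__":
    config = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in config.items():
        print(key, value if key != "signing_certificates" else f"{len(value)} certificate(s)")
    print(config["signing_certificates"][0])
```

Keep one parsed configuration per tenant; when a tenant's IDP rotates its certificate, re-running this over the new metadata yields the replacement PEM to paste into that tenant's SAML configuration.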
Symptoms: Users can't log in, error in logs
Solutions:
Symptoms: Authentication succeeds but user can't access
Solutions:
Symptoms: Security error during login
Solutions:
Solutions:
A: Yes, you can create multiple SAML configurations per tenant. Users can select their organization during login.
A: Users won't be able to authenticate. You'll need to update the certificate in the SAML configuration immediately.
A: Yes, unless you specifically disable password authentication. SAML is an additional authentication method.
A:
A:
A: Custom attributes from SAML are stored in the auth table as JSON. You can access them programmatically for custom logic.
```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://yourapp.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourapp.com/saml/acs"
        index="1"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourapp.com/saml/sls"/>
  </SPSSODescriptor>
</EntityDescriptor>
```
| Standard Attribute | Common IDP Names | Description |
|---|---|---|
| email | mail, email, emailAddress | User's email address |
| firstname | givenName, firstName, fname | User's first name |
| lastname | surname, lastName, sn, lname | User's last name |
| name | displayName, fullName, cn | User's full name |
| groups | groups, memberOf | User's group memberships |
| department | department, dept | User's department |
| title | title, jobTitle | User's job title |
| manager | manager, managerEmail | User's manager |
| employeeId | employeeNumber, employeeId | Employee identifier |
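The table above gives the aliases; the following added example (not the product's own code) applies them, so that the Okta mapping shown earlier (`email → email`, `firstName → firstname`, `lastName → lastname`) and any other IDP's naming land on the same standard attributes. It goes beyond the table in two ways that are assumptions of this example: the match is case-insensitive, and URI-style claim names are matched by their last path segment. Attributes that match nothing are kept as custom attributes and serialized to JSON, as the FAQ describes; the sample attribute values are constructed.

```python
"""Normalize IDP attribute names to the standard attributes from the mapping table (added example)."""
import json
from typing import Optional

# standard attribute -> IDP names accepted for it (taken from the table)
ALIASES = {
    "email": ["mail", "email", "emailAddress"],
    "firstname": ["givenName", "firstName", "fname"],
    "lastname": ["surname", "lastName", "sn", "lname"],
    "name": ["displayName", "fullName", "cn"],
    "groups": ["groups", "memberOf"],
    "department": ["department", "dept"],
    "title": ["title", "jobTitle"],
    "manager": ["manager", "managerEmail"],
    "employeeId": ["employeeNumber", "employeeId"],
}
MULTI_VALUED = {"groups"}   # every value is kept, from every alias that supplies one
REQUIRED = {"email"}        # assumption: email is what maps the assertion to a local user

# reverse index: lowercased IDP name -> standard attribute
_LOOKUP = {alias.lower(): std for std, names in ALIASES.items() for alias in names}


def _canonical(idp_name: str) -> Optional[str]:
    """Case-insensitive lookup; a URI-style claim name is matched by its last path segment."""
    key = idp_name.rsplit("/", 1)[-1].lower()
    return _LOOKUP.get(key)


def normalize_attributes(raw: dict) -> tuple:
    """Split {idp_name: [values]} into (standard attributes, custom attributes)."""
    standard, custom = {}, {}
    for idp_name, values in raw.items():
        values = [v for v in values if v]           # drop empty strings the IDP sent
        std = _canonical(idp_name)
        if std is None:
            custom[idp_name] = values
        elif std in MULTI_VALUED:
            standard.setdefault(std, []).extend(values)
        elif values and std not in standard:        # first non-empty value wins
            standard[std] = values[0]
    missing = REQUIRED - set(standard)
    if missing:
        raise ValueError(f"required attribute(s) missing: {sorted(missing)}")
    return standard, custom


def custom_attributes_json(custom: dict) -> str:
    """Serialize unmapped attributes the way they are kept alongside the auth record."""
    return json.dumps(custom, sort_keys=True)


# Constructed contents of an AttributeStatement, mixing aliases from several IDP styles.
SAMPLE_ATTRIBUTES = {
    "mail": ["alice@example.test"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Alice"],
    "sn": ["Smith"],
    "memberOf": ["engineering", "oncall"],
    "groups": ["vpn-users"],
    "jobTitle": [""],
    "costCenter": ["4200"],
}


if __name__ == "__main__":
    standard, custom = normalize_attributes(SAMPLE_ATTRIBUTES)
    print("standard:", standard)
    print("custom JSON:", custom_attributes_json(custom))
```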