Learn how SAML SSO enterprise connections work.

## Creating a new connection

1. Go to Settings > Enterprise connections.
2. Under Connections, click New connection.
3. Enter a Name for the connection.
4. Enter a Domain for the connection. When users authenticate via SAML SSO, the domain of the email address provided as an identifier at the start of an authentication flow must match the domain configured here.
5. Enter the Metadata URL. This must be a URL pointing to a SAML 2.0 Metadata XML file containing the Identity Provider's metadata.
SAML responses received in an IdP-initiated flow must not contain an `InResponseTo` attribute (following section 4.1.5 Unsolicited Responses of the SAML 2.0 profiles specification). This prevents malicious actors from intercepting a response used in an SP-initiated flow and reusing it in an IdP-initiated flow.

## Disabling self-service signup
1. Go to Settings > User account.
2. Locate the Account self-service section.
3. Use the Allow Account creation toggle to enable or disable self-service account creation.

## Creating or importing users

1. Go to Users.
2. Click Create new to manually create a user, or click Import to bulk import users. See also: Import and export users.

Property | Value
---|---
Assertion Consumer Service (ACS) URL | `<project_api_url>/saml/callback`
Entity ID/Audience URI | `<project_api_url>`
Metadata URL (download) | `<project_api_url>/saml/metadata?domain=<domain>`
Metadata URL (certificate) | `<project_api_url>/saml/metadata?domain=<domain>&cert_only=true`

Replace `<project_api_url>` with your project's API URL. You can find the API URL on your project's dashboard in the Hanko Cloud Console.
For example, if the domain configured for the connection is `example.com` and a user attempts to authenticate with an email address of `john.doe@subdomain.example.com`, then no SAML SSO flow will be triggered; instead, the login flow will proceed using any of the authentication methods activated for your tenant.

## Glossary

Term | Description
---|---
Assertion | A statement issued by the Identity Provider (IdP) containing authentication, attribute, and authorization data about a user, used by the Service Provider (SP) to authenticate the user.
Assertion Consumer Service (ACS) | The endpoint on the Service Provider (SP) that receives the SAML response containing the assertion from the Identity Provider (IdP) and processes it for user authentication.
Attribute | A piece of information about the user that the Identity Provider (IdP) sends to the Service Provider (SP) within a SAML assertion, such as user roles or group memberships.
AttributeStatement | A part of the SAML assertion containing user attributes, such as email address, roles, or group memberships, sent from the Identity Provider (IdP) to the Service Provider (SP).
Entity ID | A globally unique string assigned to either an Identity Provider (IdP) or a Service Provider (SP). This identifier differentiates entities in a SAML federation and ensures that communication is happening between the correct IdP and SP.
Identity Provider (IdP) | An entity that authenticates users and issues SAML assertions to Service Providers (SPs) for Single Sign-On (SSO).
IdP-initiated Flow | An authentication flow where the user starts at the Identity Provider (IdP), which sends a SAML response directly to the Service Provider (SP), granting the user access.
Metadata | A file that describes the configuration of the Identity Provider (IdP) or Service Provider (SP), including URLs, certificates, and supported bindings.
SAML Request | A request message from the Service Provider (SP) to the Identity Provider (IdP) to initiate authentication, including requests for specific authentication context or user attributes.
SAML Response | A message from the Identity Provider (IdP) to the Service Provider (SP) that contains the SAML assertion, which includes authentication information about the user.
Service Provider (SP) | An entity that provides services or resources to users and relies on an Identity Provider (IdP) to authenticate users via SAML assertions.
Single Logout (SLO) | A mechanism by which a user can log out from all connected systems and service providers in a federated environment with one logout action.
Single Sign-On (SSO) | A method of authentication that allows a user to access multiple applications with a single set of credentials. SAML is commonly used to implement SSO.
SP-initiated Flow | An authentication flow where the Service Provider (SP) initiates the authentication request to the Identity Provider (IdP), common when the user accesses a service directly.
Unsolicited SAML Request | A request sent by the Identity Provider (IdP) to the Service Provider (SP) without the SP first initiating the request. This typically occurs in an IdP-initiated SSO flow.
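As an added example (not Hanko's own code), the following Go snippet implements the two checks this page describes: the exact-domain match that decides whether a SAML flow is started for an identifier, and the `InResponseTo` rule for unsolicited responses. The response XML is constructed, and `outstanding` is an assumed store of AuthnRequest IDs the SP has issued and not yet consumed.

```go
package main

import (
	"encoding/xml"
	"errors"
	"strings"
)

// Constructed sample (not from a real IdP): a response answering AuthnRequest "_req1".
const SolicitedResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" InResponseTo="_req1"/>`

// samlResponse captures only the Response attribute these checks need.
type samlResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
}

// ShouldStartSAMLFlow reports whether the identifier's email domain exactly matches
// the connection's configured domain. A subdomain does not match, so the login
// falls back to the tenant's other authentication methods.
func ShouldStartSAMLFlow(email, configuredDomain string) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false
	}
	return strings.EqualFold(email[at+1:], configuredDomain)
}

// CheckInResponseTo enforces SAML 2.0 profiles section 4.1.5: an unsolicited
// (IdP-initiated) response must not carry InResponseTo, and an SP-initiated response
// must name an AuthnRequest ID this SP issued and has not yet consumed. A response
// captured from an SP-initiated flow therefore cannot be replayed as IdP-initiated.
func CheckInResponseTo(responseXML string, spInitiated bool, outstanding map[string]bool) error {
	var resp samlResponse
	if err := xml.Unmarshal([]byte(responseXML), &resp); err != nil {
		return err
	}
	if !spInitiated {
		if resp.InResponseTo != "" {
			return errors.New("unsolicited response must not contain InResponseTo")
		}
		return nil
	}
	if resp.InResponseTo == "" || !outstanding[resp.InResponseTo] {
		return errors.New("InResponseTo does not match an outstanding AuthnRequest")
	}
	delete(outstanding, resp.InResponseTo) // each request ID is accepted once
	return nil
}
```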