Protocol Guide

SAML Configuration

Configure AuthMe as a SAML 2.0 Identity Provider, connect your Service Provider, and test single sign-on end-to-end.

What is SAML?

Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).

AuthMe acts as a SAML 2.0 Identity Provider. Your applications register as Service Providers and delegate user authentication to AuthMe.

Identity Provider Metadata

Most SP libraries auto-configure when you provide the IdP metadata URL:

curl https://auth.example.com/realms/my-realm/protocol/saml/descriptor

The XML document contains the IdP entity ID, SSO service URL, SLO service URL, and the signing certificate.

Creating a SAML Client

Register your Service Provider in the Admin Console:

  1. Open the Admin Console
     Navigate to /console and select your realm.

  2. Create a new Client
     Go to Clients > New Client. Choose SAML as the protocol.

  3. Set the Entity ID
     The Entity ID uniquely identifies your SP, e.g. https://app.example.com/saml/metadata.

  4. Configure the ACS URL
     Set the Assertion Consumer Service URL to your SP's callback endpoint, e.g. https://app.example.com/saml/acs.

  5. Configure Attribute Mappers
     Add mappers to include email, name, and role attributes in the SAML assertion.

Key SAML Endpoints

Endpoint         URL
IdP Metadata     /realms/{realm}/protocol/saml/descriptor
SSO (POST)       /realms/{realm}/protocol/saml
SSO (Redirect)   /realms/{realm}/protocol/saml
Single Logout    /realms/{realm}/protocol/saml

Testing the SSO Flow

Use a SAML testing tool like SAML-tracer (Firefox/Chrome extension) to inspect assertions:

  1. Install SAML-tracer in your browser and enable it.
  2. Trigger a login from your SP application.
  3. Inspect the SAMLRequest sent to AuthMe and the SAMLResponse with the assertion.
  4. Verify that the expected attributes (email, name, roles) appear in the assertion.

Ensure your SP's clock is within 5 minutes of AuthMe's clock: SAML assertions carry a strict NotBefore / NotOnOrAfter validity window, and a skewed SP clock makes otherwise valid assertions fail validation.
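As an added example (not AuthMe's code, and not a substitute for a SAML library), the Python below performs the checks that the SAML-tracer inspection above does by eye: it parses a SAMLResponse, enforces the NotBefore / NotOnOrAfter window with a 5-minute skew allowance, confirms the AudienceRestriction names the SP's Entity ID, and collects the mapped email, name and roles attributes. The response XML is a constructed sample using the URLs from this page. It deliberately does not verify the XML signature; a real SP must verify the signature against the IdP signing certificate (for example with python3-saml or xmlsec) before trusting any of these values, and must also check `Destination`, `InResponseTo` and assertion-ID replay.

```python
"""Check a SAML 2.0 assertion's validity window, audience and attributes.

Added example, not AuthMe's own code. Signature verification is NOT done
here and must happen before any of these values are trusted.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample, shaped like a decoded SAMLResponse seen in SAML-tracer.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://app.example.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://auth.example.com/realms/my-realm</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>admin</saml:AttributeValue>
        <saml:AttributeValue>user</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_conditions(assertion, now, expected_audience, max_skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means Conditions hold at `now`."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    problems = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # NotBefore is inclusive, NotOnOrAfter exclusive; skew widens both edges.
    if nb and now < parse_saml_time(nb) - max_skew:
        problems.append("not yet valid (NotBefore=%s)" % nb)
    if noa and now >= parse_saml_time(noa) + max_skew:
        problems.append("expired (NotOnOrAfter=%s)" % noa)
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("audience %r does not include our Entity ID" % audiences)
    return problems


def extract_attributes(assertion):
    """Map attribute Name -> list of values (roles are multi-valued)."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in
                                   attr.findall("saml:AttributeValue", NS) if v.text]
    return attrs


def validate_response(xml_text, now, expected_audience, max_skew=timedelta(minutes=5)):
    """Validate the plaintext Assertion inside a Response (or a bare Assertion)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no plaintext Assertion found"], "attributes": {}}
    problems = check_conditions(assertion, now, expected_audience, max_skew)
    issuer = assertion.find("saml:Issuer", NS)
    return {
        "ok": not problems,
        "problems": problems,
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "attributes": extract_attributes(assertion),
    }


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, datetime.now(timezone.utc),
                            "https://app.example.com/saml/metadata"))
```

Running the `__main__` block against the sample with the current time reports the assertion as expired, which is exactly the symptom of a clock that drifts past the window: the "expired" or "not yet valid" problem string is the first thing to look at when SSO fails after the SAML-tracer output otherwise looks correct.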