SAML SSO

4 min read·Updated Apr 29, 2026

The SAML SSO card under Application → Authentication lets enterprise customers sign in through their own identity provider — anything that speaks SAML 2.0. Authaz acts as the Service Provider (SP); the customer's IdP issues the assertion.

# Create a SAML connection
curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/auth/saml/connections \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp IdP",
    "entityId": "https://your-app.authaz.io/saml/{connectionId}",
    "ssoUrl": "https://idp.acme.com/sso/saml",
    "x509Certificate": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----",
    "tenantId": "tenant_acme"
  }'

Where it lives#

Dashboard → Application → Authentication → SAML SSO. The list page shows every connection; click one to edit its metadata, attribute mapping, and signing certs.

How it works#

Previous: Passkey (WebAuthn)
Next: Machine-to-Machine (M2M)

┌─────────────────┐  1. user clicks Sign in    ┌─────────────────┐
│ Universal Login │ ────────────────────────▶  │  Customer IdP   │
│  (Authaz SP)    │                            │  (IdP)          │
└────────┬────────┘                            └────────┬────────┘
         ▲                                              │
         │ 4. SAML response                             │ 2. user
         │   posted back                                │    authenticates
         │                                              ▼
         │                                      ┌─────────────────┐
         └──────────────────────────────────────│  IdP signs &    │
                  3. browser redirects with     │   posts the     │
                     SAML assertion             │   assertion     │
                                                └─────────────────┘

curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/auth/saml/connections \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp IdP",
    "tenantId": "tenant_acme"
  }'

{
  "id": "saml_01h...",
  "spEntityId": "https://your-app.authaz.io/saml/saml_01h...",
  "spAcsUrl":   "https://your-app.authaz.io/auth/saml/saml_01h.../acs",
  "spMetadataUrl": "https://your-app.authaz.io/auth/saml/saml_01h.../metadata"
}

Field	Value
Single Sign-On URL (ACS)	`spAcsUrl` from above
Audience URI / SP Entity ID	`spEntityId`
Name ID Format	`EmailAddress` (recommended)
Attribute Statements	`email`, `firstName`, `lastName` (and any custom attrs you map)

curl -X PATCH https://your-app.authaz.io/api/v1/applications/{appId}/auth/saml/connections/{connectionId} \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ssoUrl": "https://idp.acme.com/sso/saml",
    "idpEntityId": "https://idp.acme.com/saml/metadata",
    "x509Certificate": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----"
  }'

Authaz user field	SAML attribute (default)
`email`	NameID (when format is `EmailAddress`) or `email`
`name`	`displayName`, falling back to `firstName + lastName`
`firstName`	`firstName` or `givenName`
`lastName`	`lastName` or `surname`

Status	Meaning
`draft`	Created but missing IdP details. Not usable for sign-in yet.
`active`	Fully configured and live.
`disabled`	Manually disabled — sign-ins through this connection return an error.
`error`	Last assertion failed validation; check the audit log for the reason.

SAML SSO

Where it lives#

How it works#

Setup#

1. Create a connection in Authaz#

2. Configure the IdP#

3. Plug the IdP details into the connection#

Attribute mapping#

Per-tenant connections (multi-tenant apps)#

Just-in-time provisioning#

Signed/encrypted assertions#

Connection statuses#

Next steps#