
Enable SAML 2.0 Identity Provider

This guide explains how to configure Signia as a SAML 2.0 Identity Provider (IdP) for your organization, enabling Enterprise SSO with third-party Service Providers like Okta, Azure AD, AWS Cognito, and others.

Overview

Signia's SAML IdP feature allows your users to authenticate with external applications using their Signia credentials (WebAuthn/Passkeys, email, etc.). This provides:

  • Single Sign-On (SSO): Users authenticate once with Signia and access multiple applications
  • Centralized Access Control: Manage user access from the Signia dashboard
  • Passwordless Enterprise SSO: Leverage WebAuthn/Passkeys for secure, phishing-resistant authentication
  • Multi-Tenant Isolation: Each tenant has its own SAML IdP configuration and Service Providers

Prerequisites

  • Admin access to Signia ID dashboard (https://signiaid.com)
  • Tenant subdomain (e.g., acme.signiaauth.com)
  • Service Provider metadata or configuration details

Step 1: Enable SAML for Your Tenant

  1. Log in to the Signia ID dashboard
  2. Select your tenant from the tenant dropdown
  3. Navigate to SAML in the left sidebar

Enable SAML IdP

  1. Click Enable SAML button
  2. Signia will automatically:
    • Generate a self-signed X.509 certificate (valid for 10 years)
    • Create SAML IdP metadata
    • Provision an internal OIDC connector client
  3. Once enabled, you'll see:
    • Identity Provider Information: Entity ID, SSO URL, Metadata URL, Certificate details
    • Service Providers: List of configured Service Providers (initially empty)

Step 2: Configure Identity Provider Information

Entity ID

Your SAML IdP's unique identifier:

https://<your-tenant>.signiaauth.com

Usage: Service Providers use this to identify your IdP.

Single Sign-On (SSO) URL

The endpoint where Service Providers send authentication requests:

https://<your-tenant>.signiaauth.com/saml/sso

Supported Bindings:

  • HTTP-Redirect (GET)
  • HTTP-POST (POST)

Metadata URL

Public endpoint for downloading IdP metadata:

https://<your-tenant>.signiaauth.com/saml/metadata

Usage: Service Providers can auto-configure using this URL.

Certificate Information

  • Algorithm: RSA 2048-bit
  • Validity: 10 years from generation
  • SHA-256 Fingerprint: Displayed in dashboard for verification
  • Format: X.509 (PEM-encoded)

Certificate Usage:

  • Signs SAML Assertions
  • Included in metadata XML
  • Service Providers verify signatures using the public key

Step 3: Download Metadata XML

Option 1: Download from Dashboard

  1. Go to the Identity Provider Information section
  2. Click Download Metadata button
  3. Save the file as <tenant>-saml-metadata.xml

Option 2: Fetch from Metadata URL

curl https://<your-tenant>.signiaauth.com/saml/metadata -o metadata.xml

Metadata Contents

The metadata XML includes:

  • Entity ID
  • SSO URL (HTTP-Redirect and HTTP-POST bindings)
  • X.509 Certificate (public key)
  • NameID formats supported
  • Signing and encryption capabilities

Share this file with your Service Providers to establish trust.

Step 4: Add a Service Provider

  1. Scroll to the Service Providers section
  2. Click Add Service Provider button

Enter Service Provider Details

Name (required)

  • Friendly name for identification
  • Example: "Okta Production", "Azure AD Development"

Entity ID (required)

  • Unique identifier for the Service Provider
  • Must be a valid URL
  • Example: https://sp.example.com or urn:amazon:cognito:sp:us-east-1_ABC123

Assertion Consumer Service (ACS) URL (required)

  • Where SAML assertions are sent after authentication
  • Must use HTTPS
  • Example: https://sp.example.com/saml/acs

NameID Format (optional, defaults to Email Address)

  • Format for the user identifier sent in SAML assertions
  • Options:
    • Email Address: User's email (e.g., user@acme.com)
    • Persistent: Opaque identifier, same for a user-SP pair
    • Transient: Temporary identifier, changes each session
    • Unspecified: No specific format

Enabled (optional, defaults to true)

  • Toggle to enable/disable SSO for this Service Provider
  • Useful for temporarily disabling access without deleting configuration

Example Configuration

Name: Okta Production
Entity ID: https://okta.example.com/saml2/service-provider
ACS URL: https://okta.example.com/sso/saml
NameID Format: Email Address
Enabled: ✓

Save Service Provider

  1. Click Create Service Provider
  2. The SP will appear in the Service Providers list
  3. You can now test SSO from the Service Provider

Step 5: Configure Service Provider

Now configure the Service Provider to trust your Signia IdP:

  1. Upload Metadata XML: Most SPs support metadata upload
  2. Manual Configuration: If metadata upload isn't supported:
    • Entity ID: https://<your-tenant>.signiaauth.com
    • SSO URL: https://<your-tenant>.signiaauth.com/saml/sso
    • Certificate: Copy from metadata or dashboard

See our integration guides for SP-specific instructions.

Step 6: Test SSO Flow

Initiate SSO from Service Provider

  1. Navigate to the Service Provider application
  2. Click Login with SSO or similar button
  3. You should be redirected to Signia authentication

Expected Flow

  1. Service Provider → Sends SAML AuthnRequest to Signia SSO URL
  2. Signia → Validates request, shows authentication UI
  3. User → Authenticates with WebAuthn/Passkey or password
  4. Signia → Generates signed SAML Assertion
  5. Signia → Redirects user to Service Provider ACS URL with assertion
  6. Service Provider → Verifies signature, extracts user info, creates session
  7. User → Logged in to Service Provider application
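Steps 1 and 2 of this flow are where the Service Provider details entered in Step 4 do their work: the IdP only accepts an AuthnRequest whose Issuer matches a registered, enabled Entity ID, and it only ever delivers the assertion to the ACS URL stored in the dashboard. The script below is an added example, not Signia's code, modelling those checks: `validate_sp_config` applies the Step 4 field rules (an absolute URI for the Entity ID, including the `urn:` form in the page's Cognito example, and HTTPS for the ACS URL), and `validate_authn_request` decodes an HTTP-Redirect-binding SAMLRequest and rejects the "Unknown Service Provider", disabled, and mismatched-ACS cases. The registry, the sample request and all function names are constructed for illustration.

```python
"""Validate a SAML AuthnRequest against registered Service Providers.

Added example, not Signia's code: a minimal model of the checks an IdP runs
before showing its login UI. Registry, sample request and names are constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass
class ServiceProvider:
    """The fields entered in Step 4 (hypothetical model, not Signia's schema)."""
    name: str
    entity_id: str
    acs_url: str
    nameid_format: str = "emailAddress"
    enabled: bool = True


def validate_sp_config(sp: ServiceProvider) -> list:
    """Step 4 field rules: Entity ID is an absolute URI (https URL or urn:),
    ACS URL must use HTTPS. Returns a list of problems, empty when valid."""
    problems = []
    eid = urlparse(sp.entity_id)
    if not eid.scheme or (eid.scheme in ("http", "https") and not eid.netloc):
        problems.append("entity_id must be an absolute URL or URN")
    acs = urlparse(sp.acs_url)
    if acs.scheme != "https" or not acs.netloc:
        problems.append("acs_url must use HTTPS")
    return problems


# Constructed registry: the page's "Example Configuration" SP plus a disabled one.
REGISTRY = {sp.entity_id: sp for sp in (
    ServiceProvider("Okta Production",
                    "https://okta.example.com/saml2/service-provider",
                    "https://okta.example.com/sso/saml"),
    ServiceProvider("Staging App", "https://staging.example.com",
                    "https://staging.example.com/saml/acs", enabled=False),
)}

# Constructed AuthnRequest as the Okta SP above would send it (flow step 1).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://acme.signiaauth.com/saml/sso"
    AssertionConsumerServiceURL="https://okta.example.com/sso/saml">
  <saml:Issuer>https://okta.example.com/saml2/service-provider</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: SAMLRequest = base64(raw DEFLATE(xml)). Builds samples."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request: str) -> str:
    """Inverse of encode_redirect_request; strict base64 so junk is rejected."""
    raw = base64.b64decode(saml_request, validate=True)
    return zlib.decompress(raw, -15).decode()


def validate_authn_request(saml_request: str, registry: dict) -> dict:
    """Flow step 2: return ok=True with the ACS URL the assertion will go to,
    or ok=False with the reason the request was refused."""
    def reject(msg):
        return {"ok": False, "error": msg, "sp": None, "acs_url": None}
    try:
        root = ET.fromstring(decode_redirect_request(saml_request))
    except (ValueError, zlib.error, ET.ParseError):
        return reject("malformed SAMLRequest")
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return reject("not an AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = registry.get(issuer)
    if sp is None:            # the "Unknown Service Provider" diagnostic
        return reject("Unknown Service Provider")
    if not sp.enabled:        # Enabled toggle unchecked
        return reject("Service Provider disabled")
    # The assertion goes only to the ACS URL registered in the dashboard; a
    # request naming a different ACS is refused rather than honoured.
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs is not None and requested_acs != sp.acs_url:
        return reject("ACS URL mismatch")
    return {"ok": True, "error": None, "sp": sp, "acs_url": sp.acs_url}


if __name__ == "__main__":
    for sp in REGISTRY.values():
        print(sp.name, "config problems:", validate_sp_config(sp) or "none")
    print(validate_authn_request(encode_redirect_request(SAMPLE_REQUEST), REGISTRY))
```

The Entity ID comparison is exact, which is why the "Unknown Service Provider" diagnostic below tells you to check the dashboard value against the SP configuration character for character; a trailing slash or an http/https difference is enough to fail the lookup.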

Verify Success

  • User is redirected back to Service Provider
  • User is logged in (session created)
  • User profile shows correct attributes

Managing Service Providers

Edit Service Provider

  1. Click Edit button (pencil icon) next to the Service Provider
  2. Modify fields as needed
  3. Click Update Service Provider

Note: Changing Entity ID or ACS URL may break existing integrations.

Disable Service Provider

  1. Click Edit button
  2. Uncheck Enabled toggle
  3. Click Update Service Provider

Users will see an error when trying to authenticate via this SP.

Delete Service Provider

  1. Click Delete button (trash icon) next to the Service Provider
  2. Confirm deletion

Warning: This action is irreversible. Users will no longer be able to authenticate via this SP.

Security Best Practices

Certificate Management

  • Expiration Monitoring: Check Certificate Expiration in dashboard
  • Rotation: When the certificate expires, Signia will display a warning
  • Update Service Providers: After rotation, update Service Providers with new metadata

Access Control

  • Review Service Providers Regularly: Remove unused SPs
  • Disable Instead of Delete: For temporary access removal, use Enabled toggle
  • Audit Logs: Monitor SSO activity (coming in future release)

Configuration Validation

  • Test Before Production: Use development/staging Service Providers first
  • Verify HTTPS: All ACS URLs must use HTTPS
  • Check Certificate Fingerprint: Service Providers should verify against dashboard fingerprint

Troubleshooting

See SAML Troubleshooting Guide for common issues and solutions.

Quick Diagnostics

"SAML not enabled for this tenant"

  • Ensure you clicked Enable SAML in dashboard
  • Check that you're viewing the correct tenant

"Unknown Service Provider"

  • Verify Entity ID in dashboard matches SP configuration exactly
  • Check that Service Provider is Enabled

"Certificate expired"

  • Generate new certificate (coming in future release)
  • Download updated metadata
  • Update all Service Providers with new certificate

Next Steps