Connect Microsoft Entra ID, Okta, ADFS, Google Workspace, or any SAML 2.0 identity provider to IDaaS EIAM. This topic describes how to configure the IdP in IDaaS, update the IdP application settings, and verify SSO.
Key concepts
Binding a SAML identity provider lets users sign in to IDaaS EIAM with their existing enterprise identity accounts.
| Concept | Description |
| --- | --- |
| SAML | Security Assertion Markup Language, an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). IDaaS EIAM uses SAML 2.0. |
| IdP | Identity Provider. An external identity system such as Entra ID, Okta, or ADFS that authenticates users and returns SAML assertions. |
| SP | Service Provider. IDaaS EIAM acts as the SP, receiving and parsing SAML assertions returned by the IdP to complete user sign-in. |
| Federated authentication | The SP trusts and uses the authentication result from the IdP. IDaaS EIAM trusts authentication results from identity providers such as Entra ID, Okta, ADFS, or Google Workspace to enable single sign-on (SSO). |
Create a SAML identity provider in IDaaS
- In the IDaaS EIAM console, click Identity Providers > Inbound > Add Inbound, select SAML Identity Provider, and then click Add.
- In the dialog box that appears, configure the following settings in the Bind SAML Identity Provider section:
  - Display Name: a name for the SAML identity provider. This name appears on the sign-in page.
  - Logon Settings: enter the Metadata URL from your IdP, and then click Parse. The system automatically parses the XML and retrieves the IdP SSO URL, IdP Entity ID, and Signature Verification Certificate.
- Click Next to proceed to the scenario selection page.
- Select the account binding scenarios that match your requirements, and then click Create.
| Scenario | Description |
| --- | --- |
| Manual Account Binding | Prompts users to manually link their SAML account to an IDaaS account if no binding exists. |
| Automatic Account Binding | Automatically binds the account if the IDaaS field value matches the NameID in the SAML Response and no binding exists. |
| Auto create user | Creates a new IDaaS account for unregistered SAML users. Account information updates on each sign-in. |
| Automatically Update Information | Updates account information from SAML assertion attributes on each sign-in, based on field mapping rules. |
If you enable Automatically Update Information, the Field Mapping configuration page appears. For configuration details, see SAML IdP Field Mapping Configuration Guide.
Configure SSO settings in your IdP
- In the IDaaS EIAM console, click Identity Providers > IdPs > Inbound, and then click Configuration Information for the SAML identity provider you created. Copy the SP ACS URL and SP Entity ID values.
- Open your IdP application, find the SAML configuration section, and update the SP ACS URL and SP Entity ID settings with the values you copied.
Verify SSO
- Open the IDaaS EIAM user portal. The SAML identity provider appears as a sign-in option under other sign-in methods.
- Click the sign-in option. The browser redirects to the IdP for authentication.
  - If you are not signed in to the IdP, enter your credentials. After sign-in, the browser redirects back to IDaaS.
  - If you are already signed in, the browser redirects directly back to IDaaS.
- After authentication, the system matches the account based on your binding scenario. If no automatic match is found, the system prompts for manual binding or creates an account, depending on your configuration.