SAML 2.0
Generic SAML setup steps that apply to any IdP, plus links to fifteen provider-specific guides.
SAML 2.0
Use this when your IdP is not Google, Microsoft, or GitHub, or when you specifically want a SAML (rather than OAuth) integration with one of those.
Every IdP below needs an explicit
Generic steps (any SAML IdP)
-
In your IdP, create a new SAML application/integration.
-
Set the IdP's ACS URL (sometimes called Reply URL or Single Sign-On URL) to the ACS URL Safeguard shows in the dialog after Save (the
.../auth/idp/realms/.../broker/<alias>/endpointvalue). -
Set the IdP's Entity ID / Audience (SP Entity ID) to the SP Entity ID Safeguard shows (the
.../auth/idp/realms/<tenantId>value). You'll enter the IdP's entity ID (not this one) into Safeguard in a later step. -
Set Name ID format to
Email/EmailAddress, and map the Name ID to the user's email attribute. -
Also add an explicit attribute statement/mapping (separate from the Name ID) with the attribute name
email, mapped to the user's email address. Safeguard reads email from this named attribute, not from the Name ID directly — most IdPs let you add this in an "Attribute Statements" or "Attribute Mapping" section of the same app config. Skipping this is the most common reason a SAML login otherwise appears fully configured but fails with a claim/email error. -
From the IdP, collect three values: the SSO/Login URL, the Entity ID / Issuer, and the X.509 signing certificate (PEM format).
-
In Safeguard, click Add Provider → SAML 2.0 and fill in:
Field Value Alias A short, URL-safe id, e.g. okta,entra,acme-sso(lowercase letters, numbers, hyphens only)Display Name What users see on the login screen, e.g. "Sign in with Okta" SSO Service URL The IdP's SSO/Login URL from step 6 Entity ID The IdP's Entity ID / Issuer from step 6 X.509 Certificate Paste the full PEM certificate, including -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- -
Click Save. Copy the ACS URL, SP Entity ID, and Metadata URL shown, and paste the ACS URL and SP Entity ID back into your IdP's app configuration if you hadn't already (some IdPs let you finish setup before these values exist — that's fine, just go back and update them now).
-
Assign users/groups to the app in your IdP.
-
Back in Safeguard, click Test next to the new provider.