URLs & Endpoints
The callback, ACS, and metadata URLs Safeguard generates — and how they differ for SAML vs OIDC/social providers.
URLs & Endpoints
The URLs your IdP needs depend on whether you're configuring an OIDC/social provider or a SAML provider. Safeguard generates the exact values and shows them in the Add-Provider dialog after you click Save — copy them directly from there rather than typing them by hand.
OIDC and social providers
For OIDC and social (Google/Microsoft/GitHub) providers, register a single Redirect URI / Callback URL on the provider's side:
| URL | Purpose | Pattern |
|---|---|---|
| Redirect URI / Callback URL | Where the OAuth/OIDC provider sends the user back after login | https://api.safeguard.sh/auth/api/v1/sso/callback |
This is the same value you register as the "Redirect URI" / "Authorized redirect URI" on the provider's side.
SAML providers
The SAML brokered flow now goes through Safeguard's internal Keycloak broker, so a SAML IdP needs different values from OIDC/social — and they are per-provider and per-tenant. The external IdP must be configured with an ACS URL and an SP Entity ID that Safeguard generates and displays in the Add-Provider dialog after you click Save:
| URL | Purpose | Pattern |
|---|---|---|
| ACS URL | Where the SAML IdP sends the assertion after login | https://api.safeguard.sh/auth/idp/realms/<tenantId>/broker/<alias>/endpoint |
| SP Entity ID | The service-provider entity ID / audience the IdP asserts to | https://api.safeguard.sh/auth/idp/realms/<tenantId> |
| Metadata URL | SP metadata document some IdPs can import instead of manual field entry | https://api.safeguard.sh/auth/api/v1/sso/metadata/{tenantId}/{alias} |
Copy the exact ACS URL and SP Entity ID from the dialog — do not hand-type them. They are specific to your tenant and to this provider's alias, so the <tenantId> and <alias> segments are different for every provider you add.
If these URLs ever show
http://localhost:...instead ofhttps://api.safeguard.sh/..., do not paste them into your IdP — that means the auth service's public URL isn't configured correctly server-side. Contact Safeguard support rather than working around it.