authentik/website/docs/providers/saml.md

---
title: SAML Provider
---

This provider allows you to integrate enterprise software using the SAML2 Protocol. It supports signed requests and uses [Property Mappings](../property-mappings/#saml-property-mapping) to determine which fields are exposed and what values they return. This makes it possible to expose vendor-specific fields.
Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".

| Endpoint               | URL                                                            |
| ---------------------- | -------------------------------------------------------------- |
| SSO (Redirect binding) | `/application/saml/<application slug>/sso/binding/redirect/`   |
| SSO (POST binding)     | `/application/saml/<application slug>/sso/binding/post/`       |
| IdP-initiated login    | `/application/saml/<application slug>/sso/binding/init/`       |
| Metadata Download      | `/api/v3/providers/saml/<provider uid>/metadata/?download/`|

You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly.

The metadata download link can also be copied with a button on the provider overview page.

## Name ID

You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done:

- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address.
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID.
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier.
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier.
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
			`title: SAML Provider`
			`---`

website: remove remaining /index URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-13 17:57:13 +00:00			`This provider allows you to integrate enterprise software using the SAML2 Protocol. It supports signed requests and uses [Property Mappings](../property-mappings/#saml-property-mapping) to determine which fields are exposed and what values they return. This makes it possible to expose vendor-specific fields.`
docs: replace Autogenerated with managed mappings 2021-02-16 18:18:57 +00:00			`Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".`
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00
website/docs: update link for saml provider metadata Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #857 2021-05-11 11:44:51 +00:00			`\| Endpoint \| URL \|`
			`\| ---------------------- \| -------------------------------------------------------------- \|`
			\| SSO (Redirect binding) \| `/application/saml/<application slug>/sso/binding/redirect/` \|
			\| SSO (POST binding) \| `/application/saml/<application slug>/sso/binding/post/` \|
			\| IdP-initiated login \| `/application/saml/<application slug>/sso/binding/init/` \|
api: add v3 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-02 15:40:02 +00:00			\| Metadata Download \| `/api/v3/providers/saml/<provider uid>/metadata/?download/`\|
website/docs: update link for saml provider metadata Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #857 2021-05-11 11:44:51 +00:00
			`You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly.`

			`The metadata download link can also be copied with a button on the provider overview page.`
providers/saml: add support for WindowsDomainQualifiedName, add docs for NameID 2021-01-28 21:00:40 +00:00
			`## Name ID`

			`You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done:`

			- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address.
			- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID.
			- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier.
			- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier.
			- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID.