---
title: "SAML Single-Sign-On"
img: https://s3.us-east-2.amazonaws.com/unified-article-images/saml_single_sign_on-icon.webp
date: 2025-09-28T00:00:00.000Z
tag: Guides
description: "SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between parties, particularly between..."
url: "https://docs.unified.to/guides/saml_single_sign_on"
---

# SAML Single-Sign-On
------
_September 28, 2025_

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). 


[Unified.to](https://unified.to/) currently supports JumpCloud SAML.  [Let us know](https://unified.to/contact) if you need another SAML identity provider.


Here's how SAML works:


## **SAML Authentication Flow**


**Key Components:**

1. **Identity Provider (IdP)** - The system that authenticates users and issues assertions (e.g., JumpCloud, Okta, Microsoft Entra ID (Azure AD), AD FS)
2. **Service Provider (SP)** - The application the user wants to access (e.g., your Unified.to app)
3. **User** - The person trying to log in
4. **SAML Assertion** - XML document containing authentication/authorization information

**Typical SAML SSO Flow (SP-initiated):**

1. User → SP: "I want to access the application"
2. SP → User's browser: redirect to the IdP carrying a SAML AuthnRequest
3. User → IdP: log in with organizational credentials
4. IdP → User's browser → SP: redirect (or auto-submitted form POST) back to the SP's ACS URL carrying the SAML Response with its Assertion


**Detailed Steps:**

1. **User Access Request**
    - User visits your application and clicks "SAML SSO" login
    - Application generates a SAML Authentication Request (AuthnRequest)
2. **Redirect to Identity Provider**
    - User is redirected to their organization's IdP
    - AuthnRequest contains information about the SP and requested attributes
3. **User Authentication**
    - User enters their organizational credentials
    - IdP validates the credentials
4. **SAML Response Generation**
    - IdP creates a SAML Response containing a SAML Assertion
    - Assertion includes user identity, authentication method, session info, etc.
5. **Response Processing**
    - IdP sends the user's browser back to the SP's ACS URL (normally an auto-submitted HTTP POST form) carrying the SAML Response
    - SP verifies the signature on the Response/Assertion against the IdP's certificate, then checks the Conditions (NotBefore/NotOnOrAfter, Audience), the Destination and Recipient, and that InResponseTo matches a request it issued
    - Only then does the SP extract user information and log the user into the application

**SAML Assertion Contents:**

- **Subject**: Who the user is (NameID, email, etc.)
- **Authentication Statement**: How they were authenticated
- **Attribute Statement**: Additional user attributes (roles, groups, etc.)
- **Conditions**: Validity period, audience restrictions
- **Signature**: Cryptographic proof of authenticity

**Common SAML Bindings:**

- **HTTP Redirect**: Message is DEFLATE-compressed, base64-encoded and passed as the SAMLRequest/SAMLResponse query parameter of a 302 redirect; used for AuthnRequests, which are small
- **HTTP POST**: Message is base64-encoded in a hidden form field and auto-submitted by the browser; used for Responses, whose signed assertions are too large for a URL
- **HTTP Artifact**: A short reference token is passed to the SP, which fetches the full message from the IdP over a back channel
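
The SP-initiated flow and the HTTP-Redirect binding above, as an added Python example (it is not part of this page or of Unified.to's code): it builds a minimal AuthnRequest, encodes it the way the Redirect binding requires (raw DEFLATE, base64, URL-encoding) and shows the inverse decoding the IdP performs. The entity ID, ACS URL and SSO URL are the values quoted later on this page; the pending-request store, the request-ID format and the RelayState value are assumptions for illustration, and the query-string signature (SigAlg/Signature parameters) an SP would usually add is omitted because it needs a signing library.

```python
from __future__ import annotations

import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone

# Values quoted on this page; everything else in this file is an illustrative assumption.
SP_ENTITY_ID = "https://api.unified.to/saml/metadata"
ACS_URL = "https://api.unified.to/saml/acs"
IDP_SSO_URL = "https://sso.jumpcloud.com/saml2/unified-to"

# Assumed request store: IDs the SP has issued and not yet seen answered. The SP
# later requires the Response's InResponseTo to be one of these (and removes it).
PENDING_REQUESTS: dict[str, datetime] = {}


def new_request_id() -> str:
    """SAML IDs are XML NCNames, which may not start with a digit, hence the underscore."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime | None = None) -> str:
    """Minimal SP-initiated AuthnRequest (SAML 2.0 Core, section 3.4.1).

    Destination and AssertionConsumerServiceURL let the IdP refuse a request that
    names an endpoint other than the ones it was configured with.
    """
    issue_instant = issue_instant or datetime.now(timezone.utc)
    ts = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    PENDING_REQUESTS[request_id] = issue_instant
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{ts}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_for_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_url(xml: str, relay_state: str) -> str:
    """The 302 target the SP sends the browser to. RelayState comes back untouched from
    the IdP, so make it an opaque token the SP maps to a return path, never a raw
    user-supplied URL (open-redirect risk)."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_for_redirect(xml),
                                    "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect(url: str) -> tuple[str, str]:
    """The IdP side: URL-decode, base64-decode, inflate. Returns (xml, RelayState)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE again
    return xml, query.get("RelayState", [""])[0]


if __name__ == "__main__":
    rid = new_request_id()
    request = build_authn_request(rid)
    url = redirect_url(request, "rs-" + secrets.token_urlsafe(8))
    print(url)
    roundtrip, relay = decode_redirect(url)
    print("round-trip ok:", roundtrip == request, "RelayState:", relay)
```

Running the file prints the redirect URL and confirms the round trip. The same steps apply in reverse when a Response arrives over HTTP POST, minus the DEFLATE step: the POST binding base64-encodes the XML without compressing it.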

**Security Features:**

- **Digital Signatures**: XML signature over the Response and/or Assertion, verified by the SP against the IdP's certificate; the SP must take user data only from the element the signature actually covers
- **Encryption**: XML encryption of the Assertion for the SP's key, so its contents are opaque to the browser that relays it; TLS still protects each hop in transit
- **Time-based Conditions**: NotBefore/NotOnOrAfter bound the assertion to a window of a few minutes, checked with a small clock-skew allowance
- **Audience Restrictions**: Limit which SPs can use the assertion, so an assertion issued for one application cannot be presented to another
- **Request binding and replay protection**: InResponseTo and the bearer SubjectConfirmationData (Recipient, NotOnOrAfter) tie the assertion to one AuthnRequest and one ACS endpoint, and the SP refuses an assertion ID it has already accepted
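
The checks listed under Response Processing and Security Features above, as an added Python example that is not part of this page or of Unified.to's code. It assumes the XML signature on the Response or Assertion has already been verified by an XML-DSig library (xmlsec, python3-saml) against the IdP's certificate, and implements what an SP must still check before trusting the contents: the status code, exactly one plaintext Assertion, the Issuer, the Destination, InResponseTo against a stored request ID, NotBefore/NotOnOrAfter with clock-skew tolerance, the AudienceRestriction, the bearer SubjectConfirmationData, and a replay cache keyed on the assertion ID. The sample Response, the pending-request store and the fixed clock are constructed for the example; the entity IDs and ACS URL are the values quoted later on this page.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production code
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Values quoted on this page.
SP_ENTITY_ID = "https://api.unified.to/saml/metadata"
ACS_URL = "https://api.unified.to/saml/acs"
IDP_ENTITY_ID = "https://sso.jumpcloud.com/saml2/unified-to"

# Constructed sample of a successful Response whose signature has already been verified.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
 IssueInstant="2025-09-28T12:00:05Z" InResponseTo="_req1" Destination="https://api.unified.to/saml/acs">
 <saml:Issuer>https://sso.jumpcloud.com/saml2/unified-to</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2025-09-28T12:00:05Z">
  <saml:Issuer>https://sso.jumpcloud.com/saml2/unified-to</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2025-09-28T12:05:05Z"
     Recipient="https://api.unified.to/saml/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-09-28T12:00:00Z" NotOnOrAfter="2025-09-28T12:05:05Z">
   <saml:AudienceRestriction><saml:Audience>https://api.unified.to/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised by any failed check; the SP must fail closed, never warn and continue."""


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_response(xml_text: str, now: datetime, pending: dict, seen: set,
                      skew: timedelta = timedelta(minutes=3)) -> dict:
    """Checks an already signature-verified Response and returns the identity it carries."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    if root.get("Destination") != ACS_URL:
        raise SamlValidationError("Destination is not our ACS URL")
    # Exactly one plaintext Assertion: extra or encrypted assertions are how
    # signature-wrapping attacks smuggle unsigned data past a verifier.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1 or root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise SamlValidationError("expected exactly one plaintext Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Issuer")
    # Tie the Response to an AuthnRequest we issued, and consume that ID (one-shot).
    irt = root.get("InResponseTo")
    if irt not in pending:
        raise SamlValidationError("InResponseTo does not match an outstanding request")
    del pending[irt]
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlValidationError("Conditions/NotOnOrAfter is required")
    if ((cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")))
            or now - skew >= _ts(cond.get("NotOnOrAfter"))):
        raise SamlValidationError("assertion outside its NotBefore/NotOnOrAfter window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion was issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != irt:
        raise SamlValidationError("bearer confirmation does not match this request/endpoint")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    if a.get("ID") in seen:
        raise SamlValidationError("assertion replayed")
    seen.add(a.get("ID"))  # replay cache; entries can be dropped after NotOnOrAfter + skew
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def demo() -> tuple:
    """Constructed run at a fixed clock: accepted once, refused on replay, refused when stale."""
    now = datetime(2025, 9, 28, 12, 0, 30, tzinfo=timezone.utc)
    seen = set()
    result = validate_response(SAMPLE_RESPONSE, now, {"_req1": now}, seen)
    outcomes = []
    for clock, cache in ((now, seen), (now + timedelta(minutes=10), set())):
        try:
            validate_response(SAMPLE_RESPONSE, clock, {"_req1": now}, cache)
            outcomes.append(False)
        except SamlValidationError:
            outcomes.append(True)
    return result, outcomes[0], outcomes[1]
```

demo() runs the sample three times: accepted once, refused as a replay the second time, and refused as outside its validity window when the clock is moved ten minutes ahead. The replay cache only needs to hold an assertion ID until its NotOnOrAfter plus the skew allowance, after which the time check rejects it anyway.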

**Configuration Requirements:**


**For Service Provider (your app):**

- SP metadata XML advertising the entity ID, ACS URL and, if requests are signed or assertions encrypted, the SP's own certificate
- User attribute mapping (email, name, roles)
- The IdP's signing certificate (from the IdP metadata) for signature validation

**For Identity Provider:**

- SP metadata containing the SP's endpoints and certificate
- User attribute configuration (which attributes are released, under which names)
- SSO URL configuration (the IdP endpoint the SP sends AuthnRequests to)

This is why SAML is popular for enterprise SSO - it provides secure, standardized authentication that integrates with existing corporate identity systems without requiring users to manage separate passwords for each application.


## **JumpCloud SAML Integration Setup**


**1. JumpCloud Configuration (Identity Provider Side)**


### **Step 1: Create SSO Application in JumpCloud**

1. Log into JumpCloud Admin Portal
2. Navigate to **SSO Applications**
3. Click **+ Add New Application**
4. Search for "Custom SAML Application" or "Custom App"
5. Configure the application:
    - **Display Label**: "Unified.to" (or your app name)
    - **IdP Entity ID**: https://sso.jumpcloud.com/saml2/unified-to (or your preferred ID)
    - **SP Entity ID**: Your application's entity ID (e.g., https://api.unified.to/saml/metadata)

### **Step 2: Configure SAML Attributes**


In the JumpCloud SSO configuration:

- **ACS URL**: https://api.unified.to/saml/acs (your assertion consumer service endpoint, the only URL JumpCloud will post responses to)
- **Audience**: https://api.unified.to/saml/metadata (must equal the SP Entity ID, since the SP rejects assertions whose AudienceRestriction does not name it)
- **Name ID Format**: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- **Attribute Mappings**:
    - email → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    - firstName → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    - lastName → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    - username → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

The SP matches attribute names as exact strings, so enter them character for character as the SP expects them (the WS-Federation claim identifiers these follow are conventionally written with the http:// scheme; use whichever form your SP is configured to read).

### **Step 3: Get JumpCloud Metadata**

- Download the IdP metadata XML from JumpCloud
- Note the **SSO URL** (usually https://sso.jumpcloud.com/saml2/unified-to)
- Get the **X.509 Certificate** for signature validation
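
Step 3 above, as an added Python example that is not part of this page, of JumpCloud's code or of Unified.to's code. It parses an IdP metadata document of the shape JumpCloud exports and extracts what the SP needs to pin: the entity ID, the SSO endpoint per binding, each signing certificate with its SHA-256 fingerprint, the supported NameID formats and validUntil. The sample metadata is constructed for the example and the certificate inside it is a placeholder byte string rather than a real DER certificate; the URLs are the ones quoted above.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production code
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST"}

# Constructed placeholder: a real export carries the DER encoding of the IdP's X.509
# signing certificate here. Only the shape of the document matters to the parser.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://sso.jumpcloud.com/saml2/unified-to" validUntil="2026-09-28T00:00:00Z">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing">
   <ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://sso.jumpcloud.com/saml2/unified-to"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sso.jumpcloud.com/saml2/unified-to"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as hex; confirm it with the IdP admin out of band."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Pulls out what the SP must pin from IdP metadata; raises if anything essential is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))  # exports often line-wrap it
                certs.append({"pem": to_pem(der), "sha256": fingerprint(der)})
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify any response")
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": {BINDINGS.get(s.get("Binding"), s.get("Binding")): s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": certs,
        "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "valid_until": datetime.fromisoformat(valid_until.replace("Z", "+00:00")) if valid_until else None,
    }


def is_current(meta: dict, now: datetime) -> bool:
    """Metadata past its validUntil must be re-fetched, not trusted."""
    return meta["valid_until"] is None or now < meta["valid_until"]
```

Treat the parsed certificate and fingerprint as the trust anchor: the SP should verify every Response against this pinned certificate rather than against whatever the Response itself carries in its KeyInfo, and a changed fingerprint on re-download means either the IdP rotated its key or the download was tampered with, so confirm it out of band before accepting it.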

## **Configure SAML on Unified (Service Provider Side)**


If you haven't registered an account yet, sign in with any of our available Social or OAuth2/OIDC login options. Make sure to choose the relevant data region.


Then proceed to the workspace settings and choose [SAML](https://app.unified.to/settings/saml).


Select your Identity Provider. Either upload the IdP metadata XML file downloaded from your identity provider, or enter the SAML configuration settings (SSO URL, IdP entity ID, signing certificate) from your identity provider manually.


You can choose to restrict sign-ins to SAML only for your workspace. All existing and invited workspace members will then need to sign in with SAML.