Skip to main content

Configure SAML Identity Provider

This guide explains the settings you’d need to use to configure SAML with your Identity Provider. Once this is set up you should get an XML metadata file that should then be configured using our API (or calling the API controller config method if using our NPM).

Please do not add a trailing slash at the end of the URLs.

Create them exactly as shown below:

  • Assertion consumer service URL / Single Sign-On URL / Destination URL: http://localhost:5225/api/oauth/saml

  • Entity ID / Identifier / Audience URI / Audience Restriction: https://saml.boxyhq.com

  • Response: Signed

  • Assertion Signature: Signed

  • Signature Algorithm: RSA-SHA256

  • Assertion Encryption: Unencrypted

SAML profile/claims/attributes mapping

As outlined in the guide above we try and support 4 attributes in the SAML claims - id, email, firstName, lastName. This is how the common SAML attributes map over for most providers, but some providers have custom mappings. Please refer to the documentation on Identity Provider to understand the exact mapping.

SAML AttributeJackson mapping
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressemail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennamefirstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnamelastName

(Provider specific instructions coming soon)