SAML2 client (using no-code components)
A SAML2 client integrates a brand application with Strivacity authentication using the SAML 2.0 protocol and Strivacity no-code components.
This client type enables login and registration journeys managed by Strivacity while allowing a SAML SP to rely on Strivacity as the IdP.
You can configure this client in the Admin Console under Applications → select application → Clients → Create client → SAML2 using no-code components.
SAML2 clients include the following configuration tabs:
- General
- Application URLs
- Application launcher
- SAML2
General
Use the General tab to define basic client properties.
- Name: name displayed in the client list in the Admin Console.
- Description: optional description visible only in the Admin Console.
- Enabled: enables or disables the client. Disabled clients cannot be used for authentication.
- Base organization: restricts access to users from a specific organizational hierarchy. Only users belonging to the selected base organization can authenticate through this client. See Base organizations for details.
- Danger zone: allows you to delete the client.
Deleting a client cannot be reversed.
Application URLs
Use the Application URLs tab to configure application-specific URLs used during authentication and navigation.
- Application domain: optional alternative domain for the application. Alternative domains allow the application to use a domain distinct from other applications in the instance.
By default, applications use the default domain, which is either
Changing the application domain ends active customer sessions and removes remembered accounts.
- Website URL: the brand application homepage. Customers can access this page using the Back to website button.
- Login URL: URL that initiates authentication for the application.
- Shortcut for login URL: creates a short login URL that is easier to share with customers.
- Customer-friendly login page URL: customizes the login page URL that customers see in the browser address bar. By default, the login page URL uses the first seven characters of the client ID. You can override this with a more descriptive value.
Application launcher
The Application launcher tab configures how the application appears in the self-service portal.
The application launcher allows customers to access their applications directly from their accounts. Before application shortcuts can appear, the launcher must be enabled.
- Enable application launcher: enables the application launcher for the application. When enabled:
- shortcuts for other applications may appear in the portal
- the current application becomes available as a shortcut
- Display name: label displayed for the application shortcut.
- Logo URL: URL of the logo displayed for the application shortcut.
Supported formats: SVG and PNG.
SAML2
The SAML2 tab contains the configuration required to integrate your SP with Strivacity.
- SP Entity ID: Uniquely identifies the SAML Service Provider. Strivacity uses this identifier to establish trust with the application, so it must match the Issuer value the SP places in its authentication requests.
- Assertion Consumer Service (ACS) URLs: The ACS URL is the endpoint on the SP to which Strivacity sends the authentication response, carrying the assertion, after a successful login. Enter the exact HTTPS URL the SP expects; SPs reject responses addressed to an endpoint they do not recognize.
- Default ACS URL: Defines which ACS endpoint Strivacity uses when multiple ACS URLs are configured.
- Single Logout (SLO) URLs: Define the SP endpoints used to coordinate logout across SAML applications. When a logout occurs, these endpoints allow Strivacity and the SP to terminate sessions across all participating services.
- Dialect: Defines how attributes are named in SAML assertions. Depending on the requirements of the Service Provider, you may need to select one of the following formats:
- urn:oasis:names:tc:SAML:2.0:attrname-format:uri (attribute names are URIs, typically OIDs)
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims (WS-Federation claim types, the naming expected by ADFS and many .NET-based Service Providers; the namespace uses http, not https, and must be entered exactly)
If you are unsure which format to use, consult the application owner or vendor. Selecting the wrong dialect usually shows up as a successful login after which the SP cannot find the attributes it expects.
- Name ID format: Defines how the user's identity is represented in the SAML assertion. Available options include:
- Transient: A temporary identifier used only for the duration of a single session
- Persistent: A stable identifier that remains consistent across sessions
- Email address: Uses the customer’s email address
- Unspecified: No specific format is enforced
- Name ID value: Specifies which attribute from the identity store populates the NameID element in the SAML assertion. This determines what user attribute represents the customer during authentication.
- Signing certificate: The SP's X.509 certificate. Strivacity uses its public key to verify the signature, and therefore the authenticity and integrity, of signed SAML messages that the SP sends. These messages can include:
- Authentication requests
- Logout requests
- Logout responses
Upload a replacement before the current certificate expires. This certificate is distinct from the Strivacity signing certificate, which the SP obtains from the Identity Provider metadata.
- Identity Provider metadata: You can download the Identity Provider metadata here. Service Providers often require this metadata when configuring a SAML integration with Strivacity. The metadata file contains configuration details such as:
- Identity Provider endpoints
- Signing certificates
- Supported bindings
Re-import the metadata on the SP whenever the Strivacity signing certificate changes, because the SP validates assertions against the certificate in this file.
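The following is an added example, not code from the page or from Strivacity: an SP-side check that reads the NameID format and the attribute naming out of a SAML Response so you can confirm the Dialect, Name ID format and Name ID value settings above produce what the SP expects. The Response, the entity IDs and the attribute values are constructed for illustration, and the claims-dialect convention (attribute names under the WS-Federation claims namespace) is an assumption of this example.

```python
"""Check a SAML Response against the NameID format and attribute dialect the
SP expects.  Added example, not Strivacity's code: the Response below is
constructed for illustration and its values are not from a real instance."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Name ID formats offered on the SAML2 tab, by their standard URIs.
NAMEID_FORMATS = {
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
# The two dialects.  URI dialect: Attribute/@NameFormat is the uri format and
# Name is a URI (often an OID).  Claims dialect: Name is a WS-Federation claim
# type under the claims namespace (assumed convention for this example).
DIALECT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
DIALECT_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
ATTRNAME_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: email NameID, attributes in the claims dialect.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://brand.example.com</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://brand.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_nameid, expected_dialect):
    """Return the NameID, the attributes and any mismatches with the SP's
    expectations.  This does NOT verify the XML signature: run it only on a
    Response whose signature has already been validated, never to decide trust."""
    root = ET.fromstring(xml_text)
    problems, notes = [], []
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return {"nameid": None, "attributes": {}, "problems": ["assertion has no NameID"], "notes": notes}
    fmt = name_id.get("Format", NAMEID_FORMATS["unspecified"])
    if expected_nameid != "unspecified" and fmt != NAMEID_FORMATS[expected_nameid]:
        problems.append(f"NameID format {fmt} != expected {NAMEID_FORMATS[expected_nameid]}")
    if fmt == NAMEID_FORMATS["transient"]:
        notes.append("transient NameID: valid for this session only, do not key accounts on it")
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        name_format = attr.get("NameFormat", ATTRNAME_UNSPECIFIED)
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        # Key by the short claim name when the claims namespace is present.
        key = name[len(DIALECT_CLAIMS) + 1:] if name.startswith(DIALECT_CLAIMS + "/") else name
        attributes[key] = values[0] if len(values) == 1 else values
        if expected_dialect == DIALECT_URI and name_format != DIALECT_URI:
            problems.append(f"attribute {name}: NameFormat {name_format}, expected {DIALECT_URI}")
        elif expected_dialect == DIALECT_CLAIMS and not name.startswith(DIALECT_CLAIMS + "/"):
            problems.append(f"attribute {name} is not a WS-Federation claim type")
    return {"nameid": name_id.text, "nameid_format": fmt, "attributes": attributes,
            "problems": problems, "notes": notes}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "email", DIALECT_CLAIMS))
```

Run the same Response through the check with the SP's real expectations (for example `"persistent"` and `DIALECT_URI`) and the `problems` list tells you which tab setting disagrees with the SP. The transient note is there because a transient NameID changes every session, so an SP that stores it as the account key will create a new account on each login.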
Well-known URLs
Use the following well-known endpoint to retrieve the SAML metadata for your Strivacity instance.
| Name | URL |
|---|---|
| Well-known SAML2 metadata | /.well-known/saml2/metadata |
