Set up an external SAML2 identity provider
To allow customers to sign in using an external SAML2 identity provider, add the provider configuration in Enterprise login.
To create the login provider
Following these steps sets up an external SAML2 identity provider (and the application that signs in through it) as an Enterprise login provider.
1. In the Admin Console, go to Identities → Enterprise login.
2. Select Create.
3. Choose SAML as the provider type.
4. Complete the settings in the left-hand side panel. These fields define how the provider appears to customers and how profile data is handled.

| Field name | Description |
| --- | --- |
| Name | Enter a display name for the provider. |
| Description | Optional. Add notes to help other administrators identify the configuration. |
| Policy tag | Select an optional tag to apply to this provider. |
| Login button text | Customize the text displayed on the login button for this provider. |
| Synchronize and store profile data at each login | Retrieve and update profile data from the IdP each time a customer signs in. |
| Only store mapped values | Store only the attributes that are mapped to identity store fields. If disabled, the full set of attributes sent by the IdP is retained for troubleshooting. |

5. Complete the settings in the Configuration tab. These settings define how Strivacity connects to and authenticates with the external identity provider.

| Field name | Description |
| --- | --- |
| Entity ID | The unique identifier used by Strivacity to establish trust with the external identity provider. The IdP must be configured with this same value as the service provider's entity ID. |
| IdP metadata — URL | Enter the publicly accessible URL where Strivacity can retrieve the SAML metadata from the external identity provider. Use an HTTPS URL: the metadata carries the IdP's signing certificate, so a metadata fetch that can be tampered with in transit would let an attacker substitute their own certificate. |
| IdP metadata — File | Alternatively, upload the XML metadata file exported from the IdP's admin interface (maximum file size 1 MB). |
| Metadata preview | Displays a high-level summary of the SAML metadata after the provider is created, so that you can verify it was imported correctly. |
| Force authentication | If enabled, the SAML request carries ForceAuthn="true", which instructs the IdP to always prompt for login instead of reusing an existing session. |
| NameID format | Select the name identifier format to include in the SAML request (EmailAddressNameIDFormat or PersistentNameIDFormat). |
| Protocol binding | Choose how SAML messages are sent between Strivacity and the IdP (HTTPPostBinding or HTTPRedirectBinding). |
| Enable IdP-initiated login from this provider | Allow customers to log in using a direct IdP-initiated SSO link without an SP request. Deep-linking is not supported. If multiple providers share the same Entity ID, login will fail. Because an IdP-initiated response answers no AuthnRequest, it cannot be tied to a login that Strivacity started; enable this only for IdPs you trust to sign every response. |

6. Select Save to create the provider.
7. After saving, open the Claim mappings tab to map IdP claims to your identity store fields.
8. Select Save again.
After testing, enable Only store mapped values so that attributes the claim mappings do not use are not retained from the IdP.
Updated 20 days ago
