Use a SAML2 Domain to authenticate users via a SAML2 Identity Provider (IDP) such as Azure Entra ID, Okta, or ADFS. SAML2 domains support Admin Web Console login and attended Windows Agent login. They do not support unattended or headless agent authentication. For those scenarios, use a Certificate Users Domain or Local Users Domain.
Configure the Domain
- In the Admin Web Console, navigate to Access > Domains and click New.
- Set Domain Type to SAML2 and complete the common domain options (Alias, Concurrency, User Limit). See Domains for descriptions of these fields.
- Configure the SAML2-specific settings:
IDP Configuration
| Setting | Description |
|---|---|
| Import IDP Metadata | Import an |
| SP Entity ID | The Service Provider entity ID that identifies Signum to your IDP. The format is |
| Login URL | The IDP's SAML SSO endpoint. Provided by your IDP. |
| Logout URL | The IDP's logout endpoint. Provided by your IDP. |
| IDP X.509 Certificate | The signing certificate from your IDP, used to verify SAML assertions. Provided by your IDP. |
| ACS by index | Disabled by default. Controls how Signum communicates the Assertion Consumer Service URL to the IDP in the authentication request. When disabled, Signum sends |
IDP-side Configuration (configure at your IDP)
| Setting | Description |
|---|---|
| Assertion Consumer Service (ACS) URL | This value is |
Attribute Mapping
Map the SAML assertion attributes to Signum user fields. The values here must match the attribute names your IDP includes in its SAML assertions.
| Setting | Description |
|---|---|
| | The attribute name your IDP uses for the user's email address. |
| Name | The attribute name your IDP uses for the user's first name. |
| Last Name | The attribute name your IDP uses for the user's last name. |
| Groups | The attribute name your IDP uses for group membership. Required if you want to assign Signum roles to IDP groups. |
User Provisioning & Authentication
| Setting | Description |
|---|---|
| Automatic Provisioning of Users | When enabled, Signum automatically creates a user record the first time someone authenticates via the IDP, importing their email, name, and group membership. When disabled, users must be created manually before they can log in. |
| Use email as User Identifier | When enabled, Signum uses the email attribute as the unique identifier for each user instead of the first/last name combination. Enable this for most organizations as it prevents duplicate accounts when users have common names. This setting cannot be changed after the domain is created. |
| Case Sensitive NameID | Enabled by default. When enabled, the NameID in the SAML assertion is treated as case-sensitive. Disable only if your IDP sends NameIDs in inconsistent casing. |
Troubleshooting: If a user successfully authenticates with the IDP but sees the error "User found, but does not belong to any roles", the user exists in Signum but has not been assigned a Role. Assign a role to the user manually, or configure SAML group-to-role mapping so group members receive a role automatically on first login.
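The following is an added worked example, not Signum's code, that models how the Attribute Mapping, User Provisioning & Authentication options and the group-to-role mapping described above combine on a single login. It parses a constructed sample assertion (Entra ID-style claim URIs, signature element omitted), looks the subject up in an in-memory user directory, provisions a record when Automatic Provisioning of Users is on, and derives roles from IDP groups. The mapping dictionaries, the `resolve_login` function, the role names and the group names are all assumptions for the example; the assertion must have had its signature verified against the IDP X.509 Certificate before any of this runs.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion as an IDP such as Entra ID might issue it
# (ds:Signature omitted). The Response/Assertion signature must be verified
# against the domain's IDP X.509 Certificate before any value below is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@Example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>sg-vault-admins</saml:AttributeValue>
      <saml:AttributeValue>sg-everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed shape of the Attribute Mapping table: Signum field -> IDP attribute name.
ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Hypothetical group-to-role mapping; group and role names are placeholders.
GROUP_TO_ROLE = {"sg-vault-admins": "Administrator", "sg-vault-readers": "Reader"}


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML2 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("./saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return name_id, attrs


def resolve_login(xml_text, directory, mapping=ATTRIBUTE_MAPPING, group_roles=GROUP_TO_ROLE,
                  auto_provision=True, use_email_as_id=True, case_sensitive_name_id=True):
    """Model the domain options on one already-verified assertion.

    `directory` maps NameID (stored in the same form the domain compares it in)
    to an existing user record. Returns the record the session is built on.
    """
    name_id, attrs = parse_assertion(xml_text)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    # Case Sensitive NameID: compare verbatim, or fold case when disabled.
    key = name_id if case_sensitive_name_id else name_id.lower()

    user = directory.get(key)
    if user is None:
        if not auto_provision:
            raise LookupError("user not found and Automatic Provisioning of Users is disabled")

        def first(field):
            return (attrs.get(mapping[field]) or [""])[0]

        user = {"email": first("email"), "name": first("name"),
                "last_name": first("last_name"), "roles": set()}
        # Use email as User Identifier, or fall back to first/last name.
        user["identifier"] = user["email"] if use_email_as_id else f'{user["name"]} {user["last_name"]}'
        directory[key] = user

    # Group membership is re-read from every assertion; effective roles are the
    # mapped group roles plus any role assigned manually on the record.
    user["groups"] = attrs.get(mapping["groups"], [])
    roles = set(user.get("roles", set()))
    roles.update(group_roles[g] for g in user["groups"] if g in group_roles)
    if not roles:
        raise PermissionError("User found, but does not belong to any roles")
    user["effective_roles"] = roles
    return user
```

Running `resolve_login(SAMPLE_ASSERTION, {})` provisions Jane with the `Administrator` role because `sg-vault-admins` is mapped; passing an empty `group_roles` and no manually assigned role reproduces the "User found, but does not belong to any roles" condition from the troubleshooting note, and `case_sensitive_name_id=False` lets an assertion with mixed-case NameID match a record stored in lower case.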
SSO Login Button
You can add a button to the Admin Web Console login page that takes users directly to your IDP, bypassing the Signum login form.
- Navigate to Access > Domains and select the SAML2 domain from the list.
- Toggle Display SSO Login Button to on.
The button appears on the login page labelled with the domain alias. Multiple SSO buttons can be configured if you have more than one SAML or OAuth2 domain.
Direct IDP Login URL
To send users directly to the IDP login page without visiting the Signum login page at all, use the following URL format:
https://<your-signum-url>/login?domain=<domain-alias>
After authenticating at the IDP, users are redirected back to the Admin Web Console.