Skip to main content
Version: Latest (4.0.0)

SAML SP Integration

cidaas 4.x can act as a SAML 2.0 Identity Provider (IdP) for an external Service Provider (SP) application. Registering the external SP takes just a few minutes in Trustdesk: create an application of type SAML_SP, paste in the SP's metadata, and cidaas handles the rest — issuing signed (and optionally encrypted) SAML assertions once your users authenticate.

SAML_SP vs. SAML login providers This page covers registering an external Service Provider so cidaas acts as its IdP, via Integrations → Applications. It's the opposite direction from SAML IDP Providers under Providers → Identity Providers, where you add an external SAML IdP so your users can log in to cidaas through it — see SAML 2.0 Single Sign-On. Don't confuse the two: this page is about cidaas issuing SAML assertions, not consuming them.

Where to configure

PlatformLocation
Trustdesk (cidaas 4.x)Integrations → Applications → + Create Application → SAML Identity Provider

This app type and creation wizard are Trustdesk-only — there is no legacy Admin Dashboard equivalent.

Prerequisites

Before creating a SAML_SP application, make sure you have:

  • Admin access to Trustdesk with app-create permissions (APP_CREATE, APP_MANAGER, or an equivalent role in CIDAAS_ADMINS).
  • The external SP's SAML metadata (XML), ready to paste in — up to 256KB.
  • Any custom scopes you want to allow, created in advance.

Creating the app

Selecting the SAML Identity Provider template starts a short wizard with five steps.

Step 1: Basic information

Sets the application's identity: client_name, client_display_name, company_name, company_address, and company_website.

Step 2: OAuth settings

This step exists because the app-creation form is shared across all application types — for SAML_SP it's effectively fixed rather than meaningful configuration: grant_types is set to implicit and response_types to token, neither of which drives the actual SAML flow. You can still choose allowed_scopes from your tenant's existing scopes.

Step 3: SAML configuration

The core step. You provide:

  • IdP config name (idp_config_name) — an internal label for this configuration.
  • SP metadata (sp_meta) — paste the external SP's metadata XML directly into the field (up to 256KB). There's no file upload or fetch-by-URL option; the metadata is parsed from this text.
  • NameID format (name_id_format) — the SAML NameID format cidaas should use in assertions.
  • Optionally, IdP-initiated login (enable_idp_initiated_login + idp_initiated_sp_redirect_url).
  • Optionally, assertion signing (enable_signature + signature_config: which parts to sign, and the algorithm).
  • Optionally, assertion encryption (enable_encryption + encryption_config: which parts to encrypt, algorithm, and key transport algorithm).

Known limitation: in rare cases, the signature or encryption configuration can save as empty even when enabled. After saving, open the app's SAML configuration again and verify the signing/encryption settings were applied as expected.

Step 4: Attribute mapping

Map internal user field keys to the SAML attribute URNs the external SP expects, with a data type and optional default value per mapping.

Step 5: Review

A summary step shared with other application types — review your settings before submitting.

After creation

The application's detail page includes a SAML Metadata card where you can review and update the SAML configuration (metadata, signing, encryption, attribute mapping) at any time.

What to configure next

Creating the SAML_SP application registers the SP and its SAML behavior. The following are configured separately, after the app exists — they're not part of the creation wizard:

SettingField on the appConfigure inLearn more
User Setupuser_setup_idUser SetupUser Setup
Hosted Pages Layouthosted_pages_layout_idBranding → Hosted Pages LayoutHosted Pages Management
Group selection at loginauthentication_setup.group_selection_idPermission Setup → Group SelectionGroup Selection
Verification options / auth setupauthentication_setup (incl. verification_options_id)SecureOps → Verification OptionsSee the "Authentication & MFA" row in App management → Configuration sections

The Group Selection pages linked above still describe the legacy Admin Dashboard UI rather than Trustdesk — the underlying concept and field (group_selection_id) are current, but the walkthrough hasn't been updated for Trustdesk yet.

API reference

The SAML-specific fields (sp_meta, signature_config, encryption_config, attribute_mapping, and related settings) are configured through the Trust Desk UI only — there is currently no public v4 API for them. General application fields (client_type, client_name, allowed_scopes, and so on) are covered by the App Configuration API.

Need help?

For assistance, visit our Support Portal.