SAML (1.1 or 2.0)

Sym can be configured to work with any external Identity Provider (IdP) that supports SAML 1.1 or SAML 2.0.

Follow this guide to configure Sym as a SAML Service Provider, using your Identity Provider (IdP) for SSO.

Get Metadata from Identity Provider (IdP)

The first step is to get the relevant metadata and certificate from your IdP.


Note: Some Identity Providers will allow you to download a metadata xml file that contains the information listed below.

  • SSO URL: This is the URL from the IdP that authentication requests are sent to.
  • Logout URL: This is the URL that SAML logout requests should be sent to.
  • Signing certificate: This is the certificate used to validate the signature of the signed assertions.

You should be able to download the signing certificate from the IdP. This certificate needs to be in the .pem or .cer format.

Send Metadata to Sym

Use your shared Slack channel or support email to send the metadata and certificate to Sym.

Sym will take this metadata and certificate and configure your account. We will then send you back additional configuration information for your IdP, in the form of a metadata file.

Add Service Provider Info to IdP


Note: Some Identity Providers will allow you to upload a metadata xml file that contains the configuration data provided by Sym.

  1. Navigate to the SAML configuration screen in your Identity Provider. If your IdP supports uploading a metadata file, you will be able to upload the metadata file provided by Sym. Otherwise, follow the steps below.

  2. Configure Assertion Consumer Service URL or Application Callback URL. This will be in the format https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNETION_NAME

  3. If your IdP supports Audience or Entity ID field based on the Entity ID provided: "audience":"urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME".

  4. If your IdP supports a choice for bindings, choose HTTP-Redirect for Authentication Requests.

  5. Configure Single Logout Service URL as https://YOUR_DOMAIN/logout.

  6. Configure Signing Logout Requests. Ensure that SAML Logout Requests are signed.

Validate Setup

Now that you have your Identity Provider configured, its time to test!

  1. Ask Sym to validate the configuration.
  2. Run symflow login (read more about symflow), which will launch your Identity Provider and enable you to log in.

What’s Next
Did this page help you?