SAML integration

SAML integration allows you to enable Single Sign-On (SSO) for your application using Oten IDP.

This method is typically used for enterprise environments where users authenticate through an identity provider (IdP) instead of directly logging into the application.


Overview

In a SAML integration:

  • Oten acts as the Identity Provider (IdP)

  • Your application acts as the Service Provider (SP)

When a user tries to access your application:

  1. The user is redirected to Oten IDP

  2. The user authenticates with Oten

  3. Oten sends a SAML response back to your application

  4. The user is logged in

SAML supports:

  • SP-initiated login (user starts from your app)

  • IdP-initiated login (user starts from Oten)
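The SP-initiated flow above starts with your application building an AuthnRequest and redirecting the browser to the Oten SSO URL. The following is an added example of that step (not code from the Oten documentation or any Oten SDK) using the SAML 2.0 HTTP-Redirect binding; the SP Entity ID and ACS URL are invented for the example, and IDP_SSO_URL is a placeholder for the SSO URL you copy from the Oten Dev Portal.

```python
import base64
import datetime
import urllib.parse
import uuid
import zlib

# Constructed SP-side values for this example; IDP_SSO_URL is a placeholder for the
# SSO URL copied from the Oten Dev Portal.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_SSO_URL = "https://IDP-SSO-URL-FROM-OTEN-PORTAL/sso"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_authn_request(request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest the SP sends to start SP-initiated login."""
    # xs:ID values may not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{NAMEID_EMAIL}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(value):
    """Inverse of encode_redirect, i.e. what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(relay_state="/dashboard", request_id=None):
    """Full URL to send the browser to. Store request_id server-side so the
    InResponseTo of the returned Response can be matched; treat RelayState as
    untrusted input when it comes back (only redirect to local paths)."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect(build_authn_request(request_id)),
                                    "RelayState": relay_state})
    return IDP_SSO_URL + ("&" if "?" in IDP_SSO_URL else "?") + query


def parse_redirect_url(url):
    """Take the URL apart again (used here only to round-trip the example)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {"xml": decode_redirect(query["SAMLRequest"][0]),
            "relay_state": query.get("RelayState", [None])[0]}
```

The redirect carries the request unsigned. Providers that require signed requests (see Notes) additionally expect SigAlg and Signature query parameters computed over the encoded query string, which this example does not produce.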


Quick start

To integrate SAML with Oten IDP:

  1. Create a SAML integration in Oten Dev Portal

  2. Copy the IdP configuration from Oten:

    • SSO URL

    • Entity ID (Issuer)

    • Signing Certificate

  3. Configure these values in your Service Provider (application)

  4. Configure your application settings in Oten:

    • ACS URL

    • Audience (Entity ID)

  5. Test the SAML login flow

👉 After completing these steps, users can log in via Oten SSO


Configuration

1. Oten IDP (Identity Provider)

After creating a SAML integration, Oten will provide:

  • SSO URL (Single Sign-On URL)

  • Entity ID (Issuer)

  • Signing Certificate (PEM format)

These values must be configured in your application.


2. Service Provider (Your application)

In your application (e.g. GitHub, internal system), configure:

  • ACS URL (Assertion Consumer Service URL)

  • Audience / Entity ID

  • NameID format (recommended: email)

You will need to enter the IdP values from Oten:

  • SSO URL

  • Issuer

  • Certificate

👉 In GitHub SSO, these fields correspond to:

  • Sign-on URL

  • Issuer

  • Public certificate


3. Attribute mapping

You can map user attributes from Oten to your application:

Common attributes:

  • email

  • name

  • username

Example (GitHub):

  • username → uid

  • email → emails

  • fullname → name


Test your integration

After configuration:

  1. Open your application login page

  2. Trigger SSO login (e.g. "Login with SSO")

  3. You will be redirected to Oten

  4. After login, you will be redirected back to your application

If successful:

  • A valid SAML response is returned

  • The user session is created in your application


Troubleshooting

Common issues:

Invalid SAML response

  • Check certificate format (PEM)

  • Ensure correct Issuer / Entity ID

Login fails after redirect

  • Verify ACS URL is correct

  • Ensure it matches exactly (including trailing slash)

User cannot access application

  • Check attribute mapping (email / username)

  • Ensure user exists or provisioning is enabled
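The checks behind the troubleshooting items above (Issuer / Entity ID, exact ACS URL match, validity window) and the attribute mapping from section 3 are shown below in an added example that is not part of the Oten documentation. The IdP issuer is a placeholder for the Entity ID shown in the Oten Dev Portal, the SP values and the sample Response are constructed for the example, and the XML signature is deliberately not verified here: a real Service Provider must verify it against the Oten signing certificate (PEM) before trusting any of these values.

```python
import datetime
import xml.etree.ElementTree as ET  # in production, prefer defusedxml or a SAML library

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UTC = datetime.timezone.utc

# Constructed SP-side expectations. The IdP issuer is a placeholder for the Entity ID
# shown in the Oten Dev Portal; the SP values are invented for this example.
EXPECTED = {"idp_issuer": "https://IDP-ENTITY-ID-FROM-OTEN-PORTAL",
            "sp_entity_id": "https://app.example.com/saml/metadata",
            "acs_url": "https://app.example.com/saml/acs"}
# GitHub-style mapping from the page: SP field -> IdP attribute name.
ATTRIBUTE_MAP = {"uid": "username", "emails": "email", "name": "fullname"}


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_ts(value):  # SAML timestamps are UTC ("...Z"); fractional seconds are dropped here
    return datetime.datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)


def check_response(xml, expected=EXPECTED, now=None):
    """Return a list of findings; an empty list means every check passed.
    XML signature verification is NOT performed here: a real SP must verify the
    signature against the Oten signing certificate (PEM) before trusting any value."""
    now = now or datetime.datetime.now(UTC)
    findings = []
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        findings.append("Destination does not exactly match the ACS URL (trailing slash counts)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    for node, label in ((root, "Response"), (assertion, "Assertion")):
        if _text(node, "saml:Issuer") != expected["idp_issuer"]:
            findings.append(f"{label} Issuer does not match the IdP Entity ID")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion carries no Signature element")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (NotOnOrAfter)")
        if _text(cond, "saml:AudienceRestriction/saml:Audience") != expected["sp_entity_id"]:
            findings.append("Audience does not match the SP Entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        findings.append("SubjectConfirmationData Recipient does not match the ACS URL")
    if _text(assertion, "saml:Subject/saml:NameID") is None:
        findings.append("missing NameID")
    return findings


def map_attributes(xml, mapping=ATTRIBUTE_MAP):
    """Apply the IdP -> SP attribute mapping; call only once check_response() returned []."""
    root = ET.fromstring(xml)
    raw = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
           for a in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    out = {"nameid": _text(root, "saml:Assertion/saml:Subject/saml:NameID")}
    for sp_field, idp_attr in mapping.items():
        values = raw.get(idp_attr, [])
        out[sp_field] = values[0] if len(values) == 1 else values
    return out


def sample_response(audience=EXPECTED["sp_entity_id"], destination=EXPECTED["acs_url"]):
    """Constructed minimal Response for exercising the checks above (not real Oten output)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{EXPECTED['idp_issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED['idp_issuer']}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER-NOT-VERIFIED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="fullname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Calling check_response(sample_response(destination=EXPECTED["acs_url"] + "/")) reproduces the "Login fails after redirect" case from the list above: a trailing slash on the ACS URL produces findings for both Destination and Recipient, while check_response(sample_response(audience="...")) with the wrong Audience reproduces the Entity ID mismatch. Only when the list is empty (and, in a real SP, the signature has verified) should map_attributes() be used to create the user session.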


Notes

  • SAML is primarily used for enterprise SSO scenarios

  • Configuration may vary depending on your Service Provider (GitHub, Okta, Google, etc.)

  • Some providers require additional settings such as:

    • Signed request/response

    • Specific NameID format
