SAML Single-Sign-On

September 30, 2025

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP).

Unified.to currently supports JumpCloud SAML. Let us know if you need another SAML identity provider.

Here's how SAML works:

SAML Authentication Flow

Key Components:

1. Identity Provider (IdP) - The system that authenticates users (e.g., Active Directory, Okta, Azure AD)
2. Service Provider (SP) - The application the user wants to access (e.g., your Unified.to app)
3. User - The person trying to log in
4. SAML Assertion - XML document containing authentication/authorization information

Typical SAML SSO Flow:

1. User → SP: "I want to access the application"

2. SP → User: Redirect to IdP with SAML AuthnRequest

3. User → IdP: Login with credentials

4. IdP → User: Redirect back to SP with SAML Response/Assertion

Detailed Steps:

1. User Access Request
   • User visits your application and clicks "SAML SSO" login
   • Application generates a SAML Authentication Request (AuthnRequest)
2. Redirect to Identity Provider
   • User is redirected to their organization's IdP
   • AuthnRequest contains information about the SP and requested attributes
3. User Authentication
   • User enters their organizational credentials
   • IdP validates the credentials
4. SAML Response Generation
   • IdP creates a SAML Response containing a SAML Assertion
   • Assertion includes user identity, authentication method, session info, etc.
5. Response Processing
   • IdP redirects user back to SP with the SAML Response
   • SP validates the assertion signature and extracts user information
   • User is logged into the application

SAML Assertion Contents:

• Subject: Who the user is (NameID, email, etc.)
• Authentication Statement: How they were authenticated
• Attribute Statement: Additional user attributes (roles, groups, etc.)
• Conditions: Validity period, audience restrictions
• Signature: Cryptographic proof of authenticity

Common SAML Bindings:

• HTTP Redirect: Data passed via URL parameters
• HTTP POST: Data posted in form fields
• HTTP Artifact: Reference token exchanged for full assertion

Security Features:

• Digital Signatures: Ensure assertions haven't been tampered with
• Encryption: Protect sensitive data in transit
• Time-based Conditions: Assertions expire after set time
• Audience Restrictions: Limit which SPs can use the assertion

Configuration Requirements:

For Service Provider (your app):

• SAML metadata XML with entity ID, ACS URL, certificate
• User attribute mapping (email, name, roles)
• Certificate for signature validation

For Identity Provider:

• SP metadata containing endpoints and certificate
• User attribute configuration
• SSO URL configuration

This is why SAML is popular for enterprise SSO - it provides secure, standardized authentication that integrates with existing corporate identity systems without requiring users to manage separate passwords for each application.

JumpCloud SAML Integration Setup

1. JumpCloud Configuration (Identity Provider Side)

Step 1: Create SSO Application in JumpCloud

1. Log into JumpCloud Admin Portal
2. Navigate to SSO Applications
3. Click + Add New Application
4. Search for "Custom SAML Application" or "Custom App"
5. Configure the application:

• Display Label: "Unified.to" (or your app name)
• IdP Entity ID: https://sso.jumpcloud.com/saml2/unified-to (or your preferred ID)
• SP Entity ID: Your application's entity ID (e.g., https://api.unified.to/saml/metadata)

Step 2: Configure SAML Attributes

In the JumpCloud SSO configuration:

• ACS URL: https://api.unified.to/saml/acs (your assertion consumer service endpoint)
• Audience: https://api.unified.to/saml/metadata
• Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
• Attribute Mappings:
  • email → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • firstName → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • lastName → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • username → https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Step 3: Get JumpCloud Metadata

• Download the IdP metadata XML from JumpCloud
• Note the SSO URL (usually https://sso.jumpcloud.com/saml2/unified-to)
• Get the X.509 Certificate for signature validation

Configure SAML on Unified

If you haven't registered an account, sign-in with any of our available Social or OAuth2 OIDC login options. Make sure to choose the relevant data region.

Then proceed to the workspace settings and choose SAML.

Select your Identity Provider. Either upload the SAML manifest XML file or input the SAML configuration settings from your identity provider.

You can choose to restrict sign-ins to just SAML for your workspace. All existing and invited workspace members will then need to sign-in with SAML.