SAML2 SSO Authentication
Overview
This document explains how to integrate an Identity Provider (IdP) with Scaler Global using the SAML2 protocol.
Service Provider (SP) Details
Below are the endpoints required to configure the IdP.
| Purpose | URL | Also known as: |
|---|---|---|
| SP Metadata URL | https://app.scalerglobal.com/saml2/[company_uuid]/metadata | SP Entity ID, SP Metadata, Audience URI |
| ACS (Assertion Consumer Service) URL | https://app.scalerglobal.com/saml2/[company_uuid]/acs | Consumer Service URL, Reply URL, Recipient, Master SAML Processing URL |
| SLS (Single Logout Service) URL | https://app.scalerglobal.com/saml2/[company_uuid]/sls | Logout Response URL, Single Logout Consumer URL |
| Login Initiation (optional) | https://app.scalerglobal.com/saml2/[company_uuid]/login | SP-initiated login URL (not needed for IdP-initiated SSO) |
Replace [company_uuid] with the unique identifier assigned to the organization by our team.
Required Configuration Information
The following information from the Identity Provider configuration is required:
| Parameter | Description |
|---|---|
| IdP Entity ID | Unique identifier for the Identity Provider |
| IdP Login URL | The SAML Single Sign-On endpoint where AuthnRequests are sent |
| IdP Logout URL | (Optional) The SAML Single Logout endpoint to support SSO-wide logout |
| IdP X.509 Certificate | The IdP’s public signing certificate (PEM or raw content format) |
These parameters are often referred to in different IdP interfaces as:
| Required Parameter | Also Known As In Some IdPs |
|---|---|
| IdP Entity ID | Issuer, IdP Identifier, SAML IdP Entity ID |
| IdP Login URL | SSO URL, SAML SSO Endpoint, Login Redirect URL |
| IdP Logout URL | SAML Logout Endpoint, Single Logout URL (SLO) |
| IdP Certificate | X.509 Certificate, Signing Certificate |
Alternative: A SAML metadata XML file or a URL endpoint where the metadata can be retrieved (e.g., https://idp.example.com/metadata) may be provided instead.
All necessary configuration details (Entity ID, SSO URL, certificate, etc.) will be extracted from the metadata if provided.
Identity and Attribute Expectations
Email Address (Required)
An email address is required for user authentication. The email can be provided in one of the following ways:
- NameID (preferred): Set the NameID value to the user’s email address
- Email attributes (fallback): Provide the email in one of these attributes:
  - urn:oid:1.2.840.113549.1.9.1 (X.500 email Object Identifier)
  - email
✅ Users are authenticated by their email address. The IdP should send the email either as the NameID value or in one of the supported email attributes.
Optional SAML Attributes
Standard SAML attributes are supported to enrich the user profile (optional but recommended):
| Attribute | Supported Attributes |
|---|---|
| Email | urn:oid:1.2.840.113549.1.9.1, email |
| First Name | urn:oid:2.5.4.42, firstName |
| Last Name | urn:oid:2.5.4.4, lastName |
These attributes should be mapped in the IdP if user profiles are to include names.
Initial User Permissions (Portfolios & Assets)
It is possible to specify initial permissions for users on specific portfolios and assets when they join the platform for the first time. This is done by including custom SAML attributes in the assertion:
- permissions:portfolio: Grants permissions for specific portfolio IDs.
- permissions:asset: Grants permissions for specific asset IDs.
Each attribute value should be in the format:
<id>:<permission>
Where <id> is the portfolio or asset ID, and <permission> is either view or edit.
Example SAML AttributeStatement:
```xml
<saml:AttributeStatement>
  <saml:Attribute Name="permissions:portfolio">
    <saml:AttributeValue>101:view</saml:AttributeValue>
    <saml:AttributeValue>102:edit</saml:AttributeValue>
    <saml:AttributeValue>103:edit</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="permissions:asset">
    <saml:AttributeValue>3001:view</saml:AttributeValue>
    <saml:AttributeValue>3002:edit</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
- If provided, these permissions are set for the user on their first login.
- If omitted, default access rules apply.
Single Logout (Optional)
SAML Single Logout (SLO) is supported via the SLS endpoint.
If the IdP supports SLO:
- Configure the IdP Logout URL to send logout responses to the SLS URL: https://app.scalerglobal.com/saml2/[company_uuid]/sls
- The local user session will be terminated when receiving logout requests or responses.