SAML 2.0

Configure any SAML 2.0 identity provider for enterprise single sign-on with AccessIQ.

AccessIQ SAML Metadata

Use these values when configuring your identity provider:

Field                                  Value
ACS URL (Assertion Consumer Service)   https://auth.accessiq.io/callback/saml
Entity ID (SP Entity ID)               https://auth.accessiq.io/sp
Single Logout URL                      https://auth.accessiq.io/logout/saml
Name ID Format                         urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Metadata URL                           https://auth.accessiq.io/metadata/saml

Configure SAML IdP in AccessIQ

After setting up AccessIQ as a service provider in your IdP, configure the connection:

Configure SAML Identity Provider (bash)
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "saml",
    "name": "Corporate SAML IdP",
    "enabled": true,
    "config": {
      "ssoUrl": "https://your-idp.com/saml/sso",
      "sloUrl": "https://your-idp.com/saml/slo",
      "certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
      "signatureAlgorithm": "sha256",
      "digestAlgorithm": "sha256",
      "requestBinding": "HTTP-Redirect",
      "responseBinding": "HTTP-POST"
    },
    "domains": ["yourcompany.com"]
  }'

Using Metadata URL

If your IdP provides a metadata URL, you can use it to automatically configure the connection:

Configure via Metadata URL (bash)
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "saml",
    "name": "Corporate SAML IdP",
    "enabled": true,
    "metadataUrl": "https://your-idp.com/saml/metadata",
    "domains": ["yourcompany.com"]
  }'

Auto-Refresh
When using a metadata URL, AccessIQ will automatically refresh the IdP configuration when certificates are rotated.
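What the metadata URL option has to do under the hood is read the IdP's EntityDescriptor and pull out the same values the manual configuration above takes by hand: the SSO and SLO endpoints for the chosen binding and the signing certificate(s). The following is an added example written for this page, not AccessIQ's own code; `SAMPLE_METADATA` is a constructed metadata document whose certificate bodies are placeholder strings, and the output field names mirror the `config` object of the manual request.

```python
"""Derive SAML connection fields from an IdP's metadata document.

Added example, not AccessIQ's own code: it shows which parts of a SAML 2.0
metadata document the metadataUrl auto-configuration has to read to fill the
ssoUrl, sloUrl, certificate and binding fields of the manual configuration.
SAMPLE_METADATA is constructed for this example; its certificate bodies are
placeholder strings, not real certificates.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Binding names as used in the AccessIQ config, mapped to the SAML 2.0 binding URIs.
BINDINGS = {
    "HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://your-idp.com/saml/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTIONKEYPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICexampleSigningCertBodyNotARealKey
        SecondBase64LineOfThePlaceholder
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-idp.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-idp.com/saml/sso-post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-idp.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _service_location(idp, service, binding_uri):
    """Return the Location of the first <service> endpoint offering binding_uri, or None."""
    for endpoint in idp.findall(service, NS):
        if endpoint.get("Binding") == binding_uri:
            return endpoint.get("Location")
    return None


def _to_pem(b64_body):
    """Wrap a base64 certificate body in PEM armour with 64-column lines."""
    lines = textwrap.wrap(b64_body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def idp_config_from_metadata(metadata_xml, request_binding="HTTP-Redirect"):
    """Map an IdP EntityDescriptor to the fields of the manual 'config' object."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("metadata root is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor (not an IdP)")

    binding_uri = BINDINGS[request_binding]
    sso_url = _service_location(idp, "md:SingleSignOnService", binding_uri)
    if sso_url is None:
        raise ValueError("IdP offers no SingleSignOnService for %s" % request_binding)
    slo_url = _service_location(idp, "md:SingleLogoutService", binding_uri)  # optional

    # Only signing keys are trust anchors for assertion signatures. A KeyDescriptor
    # without a 'use' attribute is valid for both purposes, so it is accepted too;
    # an encryption-only key must never be used to verify signatures.
    certs = []
    for key_desc in idp.findall("md:KeyDescriptor", NS):
        if key_desc.get("use", "signing") != "signing":
            continue
        for cert in key_desc.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # drop line wrapping inside the element
            if body:
                certs.append(_to_pem(body))
    if not certs:
        raise ValueError("metadata has no signing certificate")

    return {
        "entityId": root.get("entityID"),
        "ssoUrl": sso_url,
        "sloUrl": slo_url,
        "certificate": certs[0],
        # Several signing certs appear during a key rollover; keep all of them so a
        # refresh does not drop the still-valid old key.
        "signingCertificates": certs,
        "requestBinding": request_binding,
        "nameIdFormats": [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(idp_config_from_metadata(SAMPLE_METADATA), indent=2))
```

The binding matters: an IdP usually publishes one SingleSignOnService per binding, so the endpoint chosen has to match the `requestBinding` you configure, and an IdP that publishes no endpoint for the binding you asked for is rejected rather than silently falling back to another one.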

Attribute Mapping

Map SAML assertion attributes to AccessIQ user fields:

SAML Attribute Mapping (json)
{
  "attributeMapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "displayName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
    "department": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"
  }
}

Common Attribute URIs

Attribute    Common URI
Email        ...claims/emailaddress
First Name   ...claims/givenname
Last Name    ...claims/surname
Groups       ...claims/Group

Security Options

Sign Requests

Enable request signing so your IdP can verify that authentication requests originate from AccessIQ. AccessIQ will sign all SAML authentication requests sent to your IdP.

Require Signed Assertions

Require all SAML assertions from your IdP to be signed. Recommended for production environments.

Encrypt Assertions

Request encrypted SAML assertions for sensitive environments. Requires uploading your encryption certificate.
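To make concrete what "Require Signed Assertions" asks the service provider to enforce, and how the attribute mapping from the previous section turns an assertion into a user record, here is an added example written for this page; it is not AccessIQ's own code and does not describe its implementation. It does not perform XML-DSig verification itself (that needs an xmlsec-based library); it shows the checks that surround the signature: that a Signature is present, that its Reference covers the Assertion being trusted, and that audience, recipient and validity window match the SP values from the metadata table above. `SAMPLE_RESPONSE` is a constructed response with placeholder signature values, and the NameID-as-email fallback is an assumption based on the emailAddress Name ID format this page uses.

```python
"""Check a SAML Response the way a service provider must before trusting it,
then apply the attribute mapping to build a user record.

Added example, not AccessIQ's own code. The XML-DSig signature is NOT
cryptographically verified here (that needs an xmlsec-based library); the code
checks the structural facts around it. SAMPLE_RESPONSE is constructed for the
example and its signature values are placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# SP identity from the AccessIQ SAML metadata table on this page.
SP_ENTITY_ID = "https://auth.accessiq.io/sp"
ACS_URL = "https://auth.accessiq.io/callback/saml"
# AccessIQ field -> SAML attribute Name, as in the page's attributeMapping.
ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "displayName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
    "department": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department",
}
MULTI_VALUED = {"groups"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" Destination="https://auth.accessiq.io/callback/saml">
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>https://your-idp.com/saml/entity</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@yourcompany.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://auth.accessiq.io/callback/saml" NotOnOrAfter="2025-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:55:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://auth.accessiq.io/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane@yourcompany.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>oncall</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


class SamlValidationError(ValueError):
    """Raised when the response must not be trusted."""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(response_xml, now, require_signed=True):
    """Return the Assertion element if it passes the SP-side checks, else raise."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlValidationError("assertion has no ID")

    if require_signed:
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            raise SamlValidationError("assertion is not signed")
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if not any(ref.get("URI") == "#" + assertion_id for ref in refs):
            # A signature that does not reference this assertion proves nothing about it.
            raise SamlValidationError("signature does not cover this assertion")
        # Cryptographic verification against the configured IdP certificate happens
        # here in a real SP (xmlsec); it is out of scope for this example.

    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        raise SamlValidationError("assertion has no Conditions")
    not_before, not_on_or_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if not_before and now < saml_time(not_before):
        raise SamlValidationError("assertion not yet valid")
    if not_on_or_after and now >= saml_time(not_on_or_after):
        raise SamlValidationError("assertion expired")
    audiences = [(a.text or "").strip() for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion was issued for a different audience")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlValidationError("SubjectConfirmationData Recipient is not our ACS URL")
    if scd.get("NotOnOrAfter") and now >= saml_time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    return assertion


def map_attributes(assertion, mapping=ATTRIBUTE_MAPPING):
    """Build the user record from the assertion's AttributeStatement."""
    by_name = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        by_name[attr.get("Name")] = [v for v in values if v]
    user = {}
    for field, name in mapping.items():
        values = by_name.get(name)
        if values:
            user[field] = values if field in MULTI_VALUED else values[0]
    # Assumption: with the emailAddress NameID format used on this page, the NameID
    # can stand in for the email attribute when the IdP omits it.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if "email" not in user and name_id is not None and name_id.text:
        user["email"] = name_id.text.strip()
    return user


def login_from_response(response_xml, now):
    """Validate first, map second: attributes of an unvalidated assertion are never read."""
    return map_attributes(validate_assertion(response_xml, now))
```

Note the order in `login_from_response`: attributes are read only after the assertion passed every check, and the Reference check ties the signature to the specific Assertion whose attributes are about to be used. Encrypted assertions (the "Encrypt Assertions" option) arrive as an EncryptedAssertion that has to be decrypted with the SP's encryption key before these same checks run on the plaintext.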

Testing the Connection

Test SAML Connection (bash)
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers/IDP_ID/test \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response
{
  "success": true,
  "message": "SAML configuration valid",
  "metadata": {
    "entityId": "https://your-idp.com/saml/entity",
    "ssoUrl": "https://your-idp.com/saml/sso",
    "certificateExpiry": "2025-12-31T23:59:59Z",
    "signatureAlgorithm": "sha256"
  }
}

Certificate Expiry
SAML certificates typically expire after 1-3 years. Set up monitoring for certificate expiry to avoid authentication disruptions. AccessIQ will send notifications 30, 14, and 7 days before expiry.