Identity Provider (IdP) Mode
In SAML 2.0 (OASIS XML-based SSO standard), an Identity Provider authenticates users and issues signed XML assertions that Service Providers trust. Configure LumoAuth as a SAML IdP to provide SSO to applications like Salesforce, Box, Slack, AWS Console, or custom enterprise apps.
SP-Initiated SSO Flow
In the most common flow, the user starts at the SP application, which redirects to LumoAuth for authentication.
IdP Metadata Endpoint
GET
/orgs/{orgId}/saml/idp/metadata
Returns the SAML IdP metadata XML document. Provide this URL to SP applications to configure SAML SSO automatically.
Example Request
```bash
curl https://app.lumoauth.dev/orgs/acme-corp/saml/idp/metadata
```
Response
The metadata XML carries the organization's X.509 signing certificate (`MIICo...`) and the NameID formats the IdP supports:
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Single Sign-On Endpoint
GET/POST
/orgs/{orgId}/saml/idp/sso
Receives SAML AuthnRequests from Service Providers. Supports both HTTP-Redirect and HTTP-POST bindings.
HTTP-Redirect Binding (GET)
| Parameter | Required | Description |
|---|---|---|
| SAMLRequest | Yes | Base64 + DEFLATE encoded AuthnRequest |
| RelayState | No | Opaque state preserved through SSO |
| SigAlg | If signed | Signature algorithm |
| Signature | If signed | Request signature |
HTTP-POST Binding (POST)
| Parameter | Required | Description |
|---|---|---|
| SAMLRequest | Yes | Base64 encoded AuthnRequest |
| RelayState | No | Opaque state preserved through SSO |
Processing Flow
- Decode and parse the AuthnRequest
- Validate the request (signature if required)
- If user is logged in, generate SAML Response immediately
- If user is not logged in, redirect to login page
- After authentication, generate signed SAML Response
- POST the Response to SP's ACS URL
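The first steps of this flow, decode and parse an HTTP-Redirect AuthnRequest and check it against the SP registered in the configuration guide, as an added example that is not LumoAuth's own code. The SP registry, the ACS URL `https://sp.example.com/saml/acs` and the sample AuthnRequest are constructed for the example; signature verification is out of scope here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed registry standing in for the SP apps saved in Step 1: Entity ID -> ACS URL.
REGISTERED_SPS = {"https://sp.example.com": {"acs_url": "https://sp.example.com/saml/acs"}}

# Constructed sample AuthnRequest (ID, IssueInstant and ACS URL are made up).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-0001" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    "<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>"
)


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request: str) -> str:
    """Reverse of the above: Base64-decode, then inflate the raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def parse_authn_request(xml_text: str) -> dict:
    """Pull out the fields the IdP needs: request ID, Issuer (SP Entity ID) and requested ACS URL."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {"id": root.get("ID"),
            "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
            "acs_url": root.get("AssertionConsumerServiceURL")}


def validate_authn_request(req: dict) -> str:
    """Return the ACS URL to POST the Response to; the registered value is authoritative."""
    sp = REGISTERED_SPS.get(req["issuer"])
    if sp is None:
        raise ValueError(f"unknown SP Entity ID {req['issuer']!r}")
    if req["acs_url"] is not None and req["acs_url"] != sp["acs_url"]:
        raise ValueError("AssertionConsumerServiceURL does not match the registered ACS URL")
    if not req["id"]:
        raise ValueError("AuthnRequest has no ID; InResponseTo cannot be set on the Response")
    return sp["acs_url"]
```

Sending the Response to the registered ACS URL rather than the one named in the request is what keeps a tampered or unsigned AuthnRequest from redirecting assertions elsewhere.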
SAML Response Structure
LumoAuth generates signed SAML Responses containing user assertions. The text content of the example response, with the XML markup omitted:
- Issuer (Response): https://app.lumoauth.dev/orgs/acme-corp/saml/idp/metadata
- ...
- Issuer (Assertion): https://app.lumoauth.dev/orgs/acme-corp/saml/idp/metadata
- Subject NameID: user@example.com
- Audience: https://sp.example.com
- Attribute values: user@example.com, John, Doe
- AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Configuration Guide
Step 1: Add the SP Application
- Navigate to SAML Apps in your organization portal
- Click New SAML App
- Enter the SP configuration:
  - Name: Application display name
  - Entity ID: SP's unique identifier
  - ACS URL: Where to send SAML Responses
- Configure NameID format and attributes
- Save the configuration
Step 2: Configure the SP Application
Provide your IdP metadata to the SP application. Most SPs accept a metadata URL (the IdP Metadata Endpoint above). Example attribute mapping, SP attribute name to user attribute:
```json
{
  "User.Email": "email",
  "User.FirstName": "givenName",
  "User.LastName": "sn",
  "User.Department": "department",
  "User.EmployeeNumber": "employeeNumber"
}
```
Popular SP Configuration
Salesforce
| Setting | Value |
|---|---|
| Entity ID | https://saml.salesforce.com |
| ACS URL | https://login.salesforce.com/... |
| NameID | emailAddress (Federation ID) |
Box
| Setting | Value |
|---|---|
| Entity ID | box.net |
| ACS URL | https://app.box.com/saml/... |
| NameID | emailAddress |
Slack
| Setting | Value |
|---|---|
| Entity ID | https://slack.com |
| ACS URL | https://your-workspace.slack.com/sso/saml |
| NameID | emailAddress |
Certificate Management
LumoAuth generates X.509 certificates automatically for each organization:
- RSA 2048-bit keys with SHA-256 signatures
- Default validity: 3 years
- Automatic generation on first use
- Custom certificate import available
Plan certificate rotation in advance. LumoAuth can publish multiple certificates at once so SP applications can switch over without downtime.