Service Provider (SP) Mode

In SAML 2.0 (OASIS XML-based SSO standard), a Service Provider trusts an Identity Provider to authenticate users and issue signed assertions. Configure LumoAuth as a SAML SP to accept logins from external IdPs like Okta, Azure AD, OneLogin, PingIdentity, or ADFS. Use SP mode when users already have identities in a corporate directory and you want them to sign into LumoAuth-protected applications with those credentials.

SP-Initiated SSO Flow

In the SP-initiated flow, the user begins at your application and is redirected to the external IdP for authentication.

SP Metadata Endpoint

GET /orgs/\{orgId\}/saml/sp/metadata

Returns the SAML SP metadata XML document. Provide this URL to your external IdP to configure the integration automatically.

Example Request

curl https://app.lumoauth.dev/orgs/acme-corp/saml/sp/metadata

Response

MIICo...
                
            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

GET /orgs/\{orgId\}/saml/sp/login

Initiates the SAML SSO flow by generating an AuthnRequest and redirecting the user to the configured external IdP.

Parameters

Parameter	Required	Description
`RelayState`	No	URL to redirect to after successful SSO

Example

url

https://app.lumoauth.dev/orgs/acme-corp/saml/sp/login
    ?RelayState=https://app.example.com/dashboard

GET /orgs/\{orgId\}/saml/sp/login/\{idpId\}

When multiple IdPs are configured, use this endpoint to specify which IdP to use:

url

https://app.lumoauth.dev/orgs/acme-corp/saml/sp/login/42

Assertion Consumer Service (ACS)

POST /orgs/\{orgId\}/saml/sp/acs

Receives and processes SAML Responses from the IdP. This endpoint:

Validates the SAML Response signature
Verifies the assertion audience and timestamps
Extracts user attributes from the assertion
Creates or updates the user (JIT provisioning)
Establishes a session and redirects to RelayState

Request Body (from IdP)

Parameter	Description
`SAMLResponse`	Base64-encoded SAML Response XML
`RelayState`	Optional redirect URL preserved from AuthnRequest

Direct Calls Not Supported

The ACS endpoint only accepts SAML responses from configured IdPs. Do not call it directly — it is only meant to be invoked as part of the SSO redirect flow.

Single Logout (SLO)

GET/POST /orgs/\{orgId\}/saml/sp/slo

Handles Single Logout requests and responses. Supports both IdP-initiated and SP-initiated logout.

Configuration Guide

Step 1: Get Your SP Metadata

Copy your SP metadata URL and provide it to your external IdP:

Your SP Metadata

https://app.lumoauth.dev/orgs/{your-organization}/saml/sp/metadata

Step 2: Configure the External IdP

In your IdP's admin console, create a new SAML application with these settings:

Setting	Value
ACS URL	`https://app.lumoauth.dev/orgs/\{organization\}/saml/sp/acs`
Entity ID	`https://app.lumoauth.dev/orgs/\{organization\}/saml/sp/metadata`
NameID Format	`emailAddress`
SLO URL	`https://app.lumoauth.dev/orgs/\{organization\}/saml/sp/slo`

Step 3: Add the IdP to LumoAuth

Navigate to SAML IdPs in your organization portal
Click Add IdP
Enter the IdP's metadata:

Entity ID: IdP's unique identifier
SSO URL: IdP's Single Sign-On endpoint
Certificate: IdP's X.509 signing certificate

Configure security and provisioning options
Save and test

Security Settings

Setting	Default	Description
`Require Signed Responses`	✓ Enabled	Verify the SAML response is signed by the IdP
`Require Signed Assertions`	✓ Enabled	Verify the assertion within the response is signed
`Sign AuthnRequests`	Disabled	Sign authentication requests sent to the IdP
`Clock Skew Tolerance`	180 seconds	Allowable time difference for assertion validation

Just-In-Time (JIT) Provisioning

JIT provisioning automatically creates user accounts on their first SAML login:

Setting	Description
`JIT Provisioning Enabled`	Create new users automatically on first login
`Update User on Login`	Sync user attributes from SAML on each login
`Default Roles`	Roles assigned to newly provisioned users

Attribute Mapping

SAML attributes are mapped to user fields automatically:

SAML Attribute	User Field
`email`, `mail`, `emailAddress`	Email
`displayName`, `name`, `cn`	Display Name
`givenName`, `firstName`	First Name
`surname`, `lastName`, `sn`	Last Name

Popular IdP Configuration

Okta

In Okta Admin, go to Applications → Create App Integration → SAML 2.0
Set Single sign on URL to your ACS URL
Set Audience URI to your SP Entity ID
Configure attribute statements (email, firstName, lastName)
Copy the IdP metadata URL from the Sign On tab

Azure AD / Entra ID

In Azure Portal, go to Enterprise Applications → New application → Non-gallery
Set up single sign-on → SAML
Enter your SP Entity ID and Reply URL (ACS)
Download the Federation Metadata XML

OneLogin

In OneLogin, go to Applications → Add App → SAML Custom Connector
Configure ACS URL and Audience
Download the IdP metadata

Error Responses

Error	Cause	Solution
Invalid Signature	IdP certificate mismatch	Update the IdP certificate in your configuration
Audience Mismatch	SP Entity ID doesn't match	Verify the Audience in IdP matches your SP Entity ID
Assertion Expired	Clock skew between servers	Sync server clocks or increase clock skew tolerance
No IdP Configured	Missing IdP configuration	Add the IdP configuration in the organization portal
Missing NameID	IdP not sending NameID	Configure NameID in the IdP application settings

SP-Initiated SSO Flow​

SP Metadata Endpoint​

Example Request​

Response​

SSO Login Endpoint​

Parameters​

Example​

Login with Specific IdP​

Assertion Consumer Service (ACS)​

Request Body (from IdP)​

Single Logout (SLO)​

Configuration Guide​

Step 1: Get Your SP Metadata​

Step 2: Configure the External IdP​

Step 3: Add the IdP to LumoAuth​

Security Settings​

Just-In-Time (JIT) Provisioning​

Attribute Mapping​

Popular IdP Configuration​

Okta​

Azure AD / Entra ID​

OneLogin​

Error Responses​