> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getcollate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML SSO Configuration | Collate

> Step-by-step guide to configure SAML-based SSO using ADFS, Okta, or Shibboleth for secure enterprise authentication and federated login in Collate.

# SAML SSO Configuration

* [Troubleshooting](#troubleshooting)

SAML (Security Assertion Markup Language) SSO enables users to authenticate with enterprise identity providers such as ADFS, Shibboleth, or Okta. This setup allows secure, federated login to Collate through SAML assertions.

This guide walks you through configuring Collate with a SAML provider using **Confidential client** settings (Client ID + Client Secret).

## Overview

Collate supports Single Sign-On (SSO) integration with various identity providers, enabling secure, centralized user authentication.

* **Navigate to:** `Settings > SSO`

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/google/sso1.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=ffcbc0c14e8f1c912b978e6b0a6f3692" alt="SSO Authentication" width="1438" height="672" data-path="public/images/deployment/security/google/sso1.png" />

* Select the service provider.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/google/sso2.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=a534cdd6107cf831390060ed68d467f2" alt="Supported Providers" width="1438" height="679" data-path="public/images/deployment/security/google/sso2.png" />

Click Configure to set up Single Sign-On (SSO). After completing the configuration, click Save to apply the changes.

<img src="https://mintcdn.com/collatedocs/wwtXdk45pV9o-D6V/public/images/deployment/security/saml/saml1.png?fit=max&auto=format&n=wwtXdk45pV9o-D6V&q=85&s=3b4215959ce0647bcfb2375f400579c5" alt="SAML SSO Configuration" width="1438" height="672" data-path="public/images/deployment/security/saml/saml1.png" />

## Configuration Fields

This section contains the form fields that must be completed when setting up Single Sign-On (SSO).

### Client ID

* **Definition:** Client identifier for this SAML configuration.
* **Example:** `saml-client-123`
* **Why it matters:** Useful for tracking and management.
* **Note:** Optional in SAML setup.

### Enable Self Signup

* **Definition:** Allows new users to auto-create accounts on first login.
* **Options:** Enabled | Disabled
* **Example:** Enabled

### Public Key URLs

* **Definition:** URLs for verifying JWT signatures (used if SAML generates JWT).
* **Example:** `["https://yourapp.company.com/.well-known/jwks.json"]`

### IdP Entity ID

* **Definition:** Identifier for your Identity Provider (IdP).
* **Example:** `https://adfs.company.com/adfs/services/trust`

### SSO Login URL

* **Definition:** URL where users are redirected to log in with your IdP.
* **Example:** `https://adfs.company.com/adfs/ls/`

### IdP X.509 Certificate

* **Definition:** Certificate used to verify incoming SAML assertions.
* **Note:** Must include the full certificate with `BEGIN` and `END` lines.

### Authority URL

* **Definition:** Used for IdP-initiated login flows.
* **Example:** `https://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx`

### Name ID Format

* **Definition:** Format used to identify users.
* **Default/Example:** `urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress`

### Assertion Consumer Service (ACS) URL

* **Definition:** URL where SAML assertions are sent post-authentication.
* **Example:** `https://openmetadata.company.com/api/v1/saml/acs`

### SP X.509 Certificate

* **Definition:** Collate’s public certificate.
* **Note:** Required if you want to sign authentication requests.

### SP Private Key

* **Definition:** Used to sign SAML requests or decrypt assertions.
* **Note:** Must be stored securely.

### SP Callback URL

* **Definition:** Redirect path after successful login.
* **Example:** `https://openmetadata.company.com/saml/callback`

### Token Validity

* **Definition:** Token expiration time in seconds.
* **Default:** 3600
* **Example:** 7200

### Send Signed Auth Request

* **Definition:** Whether to sign SAML requests from Collate.
* **Default:** false
* **Example:** true

### Want Messages Signed

* **Definition:** Require SAML messages to be signed by IdP.
* **Default:** false
* **Example:** true

### Want Assertions Signed

* **Definition:** Require assertions to be signed by IdP.
* **Default:** false
* **Example:** true

### Debug Mode

* **Definition:** Enable detailed logs for SAML login attempts.
* **Default:** false
* **Example:** true
* **Note:** Use only for troubleshooting. Disable in production.

### JWT Principal Claims

* **Definition:** Claims used to identify the user (when SAML generates JWT).
* **Example:** `["preferred_username", "email", "sub"]`

### JWT Principal Claims Mapping

**Definition:** Maps SAML assertion attributes to Collate user profile fields.

**Supported keys:** Only `email` and `username` are valid mapping targets in `jwtPrincipalClaimsMapping`.

**Example:**

```yaml theme={null}
["email:email", "username:preferred_username"]
```

**Why it matters:** Controls how SAML assertion data maps to user profiles in Collate.

**Format:** `collate_field:saml_attribute` (for example, `"email:email"`).

<Note>
  **Note:** The display name is derived automatically from standard SAML attributes — you don't need to configure it using `jwtPrincipalClaimsMapping`.
</Note>

If you need richer name handling, make sure your IdP (ADFS, Okta, Shibboleth) is configured to include `given_name` and `family_name` in the SAML assertion — Collate will pick them up automatically.

<Warning>
  **Important:** Using any other key (for example, `name` or `firstName`) will cause the service to fail on startup with a validation error.
</Warning>

### Admin Principals

* **Definition:** Users with admin access in Collate.
* **Example:** `["admin@example.com", "security@example.com"]`

### Principal Domain

* **Definition:** Default domain used to resolve user identity.
* **Example:** `company.com`

### Enforce Principal Domain

* **Definition:** Restrict access to users within a specific domain.
* **Default:** false
* **Example:** true

### Enable Secure Socket Connection

* **Definition:** Enable SSL/TLS for secure SAML communication.
* **Default:** false
* **Example:** true
* **Note:** Strongly recommended for production environments.

***

## ✅ Summary Table

| **Field**                | **Example / Default**                                                                                                |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------- |
| Client ID                | saml-client-123                                                                                                      |
| Enable Self Signup       | Enabled                                                                                                              |
| Public Key URLs          | [https://yourapp.company.com/.well-known/jwks.json](https://yourapp.company.com/.well-known/jwks.json)               |
| IdP Entity ID            | [https://adfs.company.com/adfs/services/trust](https://adfs.company.com/adfs/services/trust)                         |
| SSO Login URL            | [https://adfs.company.com/adfs/ls/](https://adfs.company.com/adfs/ls/)                                               |
| IdP X509 Certificate     | Multiline PEM certificate                                                                                            |
| Authority URL            | [https://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx](https://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx) |
| Name ID Format           | urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress                                                               |
| ACS URL                  | [https://openmetadata.company.com/api/v1/saml/acs](https://openmetadata.company.com/api/v1/saml/acs)                 |
| SP X509 Certificate      | Multiline PEM certificate                                                                                            |
| SP Private Key           | Multiline PEM private key                                                                                            |
| SP Callback URL          | [https://openmetadata.company.com/saml/callback](https://openmetadata.company.com/saml/callback)                     |
| Token Validity           | 3600                                                                                                                 |
| Send Signed Auth Request | true                                                                                                                 |
| Want Messages Signed     | true                                                                                                                 |
| Want Assertions Signed   | true                                                                                                                 |
| Debug Mode               | false                                                                                                                |
| JWT Principal Claims     | \["preferred\_username", "email", "sub"]                                                                             |
| JWT Mapping              | \["email:email", "name:displayName", "firstName:given\_name"]                                                        |
| Admin Principals         | \["[admin@example.com](mailto:admin@example.com)", "[security@example.com](mailto:security@example.com)"]            |
| Principal Domain         | company.com                                                                                                          |
| Enforce Principal Domain | false                                                                                                                |
| SSL/TLS                  | true                                                                                                                 |

### Troubleshooting

If users are automatically logged out and unable to log in again due to a bad authentication configuration, you can reset the security setup using the following command:

```

./bootstrap/openmetadata-ops.sh remove-security-config --force

```

After executing the command, **restart the server**. The authentication values from your YAML or Helm chart will then be reapplied on startup. The following tiles detail how to apply this configuration:

<CardGroup cols={2}>
  <Card title="Docker Security" href="/deployment/docker/security">
    Configure Auth0 SSO to access the UI and APIs.
  </Card>

  <Card title="Bare Metal Security" href="/deployment/bare-metal/security">
    Configure Azure SSO to access the UI and APIs.
  </Card>

  <Card title="Kubernetes Security" href="/deployment/kubernetes/security">
    Configure a custom OIDC SSO to access the UI and APIs.
  </Card>

  <Card title="Google SSO" href="/how-to-guides/sso/google">
    Configure Google SSO to access the UI and APIs.
  </Card>

  <Card title="Okta SSO" href="/how-to-guides/sso/okta">
    Configure Okta SSO to access the UI and APIs.
  </Card>

  <Card title="Amazon Cognito SSO" href="/how-to-guides/sso/amazon-cognito">
    Configure Amazon Cognito SSO to access the UI and APIs.
  </Card>

  <Card title="SAML" href="/how-to-guides/sso/saml">
    Configure SAML SSO to access the UI and APIs.
  </Card>

  <Card title="LDAP" href="/how-to-guides/sso/ldap">
    Configure LDAP SSO to access the UI and APIs.
  </Card>
</CardGroup>
