Frontegg as IDP via SAML

Using Frontegg as a SAML Identity Provider (IdP) lets third-party applications delegate authentication to Frontegg, so users sign in to those applications with their Frontegg identity. To connect a third-party application to your Frontegg Hosted Login via SAML, follow the steps below to configure your Frontegg environment as the IdP for that service.


Prerequisites

This capability is fully supported via Frontegg Hosted Login. If you are using Frontegg's embedded login, the Social and SSO login methods will not redirect the end user to the third-party application out of the box.

Common Use Cases

You may be wondering about common use cases that require configuring Frontegg as a SAML IdP. Some examples include:

  • Support tools (e.g., Zendesk): Enable users to share the same identity with the support tool.
  • Documentation platforms (e.g., readme.io or similar): Allow users to use the same identity credentials with that platform.

In such cases, the user authenticates through Frontegg and is then returned to the third-party application with their Frontegg identity.

Set Up Frontegg as an IDP via SAML

  1. Go to the Identity Provider section under [ENVIRONMENT] → Authentication → SSO → Identity Provider → SAML Applications and click on Add New Application.

  2. Register the Service Provider (for example, Zendesk) on Frontegg's side. Insert the Entity ID and ACS URL in the dedicated fields. After completing the setup here, make sure these values are also added to the Hosted Login authorized redirect URLs.

  3. Logout URL (optional): You can optionally add a Logout URL to specify where the user will be redirected after initiating logout from the third-party service.

  4. User Attributes: You can transfer user-related attributes from Frontegg to the Service Provider by selecting from a list of available attributes.

After clicking Next, you will see the SSO endpoint and the Frontegg (IdP) certificate. Enter these details into the appropriate fields in your Service Provider (Zendesk). Note that some providers might not accept public certificates, in which case you can use the SHA-256 fingerprint as an alternative.


Custom Domain

If you have a custom domain set up for an environment, the SSO endpoint will be automatically generated using this domain.

Creating SAML Configuration via API

To create a SAML configuration programmatically, you will first need to authenticate your environment via this endpoint.


curl --location --request POST 'https://api.frontegg.com/oauth/resources/configurations/saml/v1/[URL-ENCODED-ENTITY-ID]' \
--header 'Authorization: Bearer [token]' \
--header 'Content-Type: application/json' \
--data-raw '{
    "acsUrl": "[ACS-URL-FROM-SP]",
    "entityId": "[ENTITY-ID-FROM-SP]",
    "attributes": [
      {"name":"name","value":"name"},
      {"name":"email","value":"email"}
    ] 
}'


The request returns the IdP's XML metadata, which you use to configure the SAML connection on the service provider side:


<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:assertion="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://frontegg.com/saml">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>[THE-PUBLIC-CERTIFICATE]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>[THE-PUBLIC-CERTIFICATE]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleSignOnService"></SingleSignOnService>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleSignOnService"></SingleSignOnService>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleLogoutService"></SingleLogoutService>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleLogoutService"></SingleLogoutService>
    </IDPSSODescriptor>
</EntityDescriptor>

Some service providers may require the Identity Provider Entity ID, which is always http://frontegg.com/saml.
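As an added example, not Frontegg's own code: a Python script that parses IdP metadata of the shape returned above, extracts the signing certificate, SSO endpoints and NameID format that a service provider's SAML form asks for, and computes the SHA-256 fingerprint mentioned in the setup steps for providers that do not accept the certificate itself. The certificate bytes and the auth.example.com host are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for DER certificate bytes; NOT a real X.509 certificate.
CONSTRUCTED_CERT_DER = b"constructed-der-bytes-for-demo-only"
CONSTRUCTED_CERT_B64 = base64.b64encode(CONSTRUCTED_CERT_DER).decode()

# Constructed metadata in the same shape as the API response; the host is hypothetical.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://frontegg.com/saml">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONSTRUCTED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.example.com/oauth/sso/SingleSignOnService"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.example.com/oauth/sso/SingleSignOnService"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, uppercase SHA-256 fingerprint of DER certificate bytes."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the values a service provider's SAML form asks for out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # Only the 'signing' key verifies assertions; an 'encryption' key is ignored here.
    cert = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                        "ds:X509Certificate", default="", namespaces=NS)
    if not cert.strip():
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert.split()))  # tolerate PEM-style line breaks
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false") == "true",
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
        "sso": sso,
        "cert_b64": base64.b64encode(der).decode(),  # normalized single-line value
        "fingerprint_sha256": sha256_fingerprint(der),
    }
```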