Frontegg as IdP via SAML
Using Frontegg as an IdP through SAML lets organizations delegate authentication for third-party applications to a single trusted identity provider (IdP). To connect third-party applications to your Frontegg Hosted Login via SAML, follow the steps below to configure your Frontegg environment as an IdP for a third-party service.
Prerequisites
This capability is fully supported via Frontegg Hosted Login. If you are using Frontegg's embedded login, Social and SSO login methods will not redirect the end user to the third-party application out of the box.
Common use cases
Common use cases that require configuring Frontegg as a SAML IdP include:
- Adding a support tool (such as Zendesk) as a third-party application so that users share the same identity with that support tool.
- Adding a documentation platform (e.g., readme.io or similar) so that users sign in to that platform with the same identity credentials.
In such cases, the flow will resemble the following:
Set up Frontegg as IdP via SAML
- Go to the Identity Provider section under [ENVIRONMENT] → Authentication → SSO → Identity Provider → SAML applications and click on Add new application:
Register the service provider (in our example, Zendesk) on Frontegg's side and insert the Entity ID and ACS URL in the dedicated fields. Make sure to also add these values to [Hosted login authorized redirect URLs] after completing the setup here:
Logout URL - you can optionally add a Logout URL to choose where the user will be redirected after initiating logout from the third-party service.
User attributes - you also have the option to transfer user-related attributes from Frontegg to the Service Provider by choosing from a list of available attributes.
After clicking Next, you will see the SSO endpoint and the Frontegg (IdP) certificate. Enter these details into the appropriate fields in your Service Provider (Zendesk). Note that some providers might not accept public certificates, in which case you can use the SHA-256 fingerprint as an alternative.
Custom domain
If you have a custom domain set up for an environment, the SSO endpoint will be automatically generated using this domain.
Creating SAML configuration via API
To create a SAML configuration programmatically, first authenticate your environment via this endpoint, then send the request below. The Entity ID is part of the path, so it must be URL-encoded.
curl --location --request POST 'https://api.frontegg.com/oauth/resources/configurations/saml/v1/[URL-ENCODED-ENTITY-ID]' \
  --header 'Authorization: Bearer [token]' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "acsUrl": "[ACS-URL-FROM-SP]",
    "entityId": "[ENTITY-ID-FROM-SP]",
    "attributes": [
      {"name": "name", "value": "name"},
      {"name": "email", "value": "email"}
    ]
  }'
The request returns XML metadata to use for the SAML configuration on the service provider side.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:assertion="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://frontegg.com/saml">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[THE-PUBLIC-CERTIFICATE]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[THE-PUBLIC-CERTIFICATE]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleSignOnService"></SingleSignOnService>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleSignOnService"></SingleSignOnService>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleLogoutService"></SingleLogoutService>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="[YOUR-VENDOR-HOST]/oauth/sso/SingleLogoutService"></SingleLogoutService>
  </IDPSSODescriptor>
</EntityDescriptor>
Some service providers may also require the Identity Provider Entity ID; this is always http://frontegg.com/saml.
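The following is an added example, not Frontegg's own code or part of this page: it prepares the register-service-provider API call described above (URL-encoding the Entity ID into the path and checking the ACS URL before it is registered), then reads the returned IdP metadata and computes the SHA-256 certificate fingerprint for service providers that do not accept a raw certificate. The endpoint path, body shape and metadata layout are taken from the page; `auth.example.com`, `sp.example.com`, the sample metadata and its certificate bytes are constructed placeholders.

```python
# Added example (not Frontegg's code). Endpoint and body shape follow the
# page; SAMPLE_METADATA, auth.example.com and the certificate bytes are
# constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

API_BASE = "https://api.frontegg.com/oauth/resources/configurations/saml/v1/"
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_saml_app_request(entity_id, acs_url, attributes, allowed_redirects):
    """Return (url, body) for the POST that registers a service provider.

    The ACS URL is where signed assertions will be posted, so it must be an
    absolute https URL without a fragment and must already be listed verbatim
    in the hosted login authorized redirect URLs (as the page requires).
    """
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("ACS URL must be an absolute https URL")
    if parts.fragment:
        raise ValueError("ACS URL must not contain a fragment")
    if acs_url not in allowed_redirects:
        raise ValueError("ACS URL is not in the hosted login authorized redirect URLs")
    # Entity IDs are usually URLs and travel in the path: encode '/' and ':' too.
    url = API_BASE + quote(entity_id, safe="")
    body = {
        "acsUrl": acs_url,
        "entityId": entity_id,
        "attributes": [{"name": a, "value": a} for a in attributes],
    }
    return url, body


def sha256_fingerprint(cert_b64):
    """Colon-separated SHA-256 fingerprint of the DER bytes that the metadata
    carries base64-encoded in <ds:X509Certificate>."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Extract what the service provider side needs from the EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    ).text

    def endpoints(tag):
        # Map the short binding name (HTTP-POST, HTTP-Redirect) to its Location.
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall(tag, NS)}

    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "name_id_format": idp.findtext("md:NameIDFormat", namespaces=NS),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "signing_cert_sha256": sha256_fingerprint(cert),
    }


# Constructed placeholder, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a DER certificate").decode()

# Constructed sample in the shape the page shows the API returning.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://frontegg.com/saml">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://auth.example.com/oauth/sso/SingleSignOnService"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://auth.example.com/oauth/sso/SingleSignOnService"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://auth.example.com/oauth/sso/SingleLogoutService"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Typical use: call build_saml_app_request with the SP's Entity ID and ACS URL and the list of hosted-login authorized redirect URLs, send the returned body as JSON to the returned URL with the bearer token, then pass the XML response to parse_idp_metadata to obtain the SSO endpoint, NameID format and fingerprint to paste into the service provider. The ACS check is the point at which a mistyped or non-https URL is caught before assertions could be sent anywhere unexpected.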