The SAML SSO card under Application → Authentication lets enterprise customers sign in through their own identity provider — anything that speaks SAML 2.0. Authaz acts as the Service Provider (SP); the customer's IdP issues the assertion.
Use it in your app. Once a SAML connection is configured, users at that domain are routed to their IdP automatically — your app code doesn't change. The standard sign-in flow (Next.js · React · Hono · cURL) returns the same OAuth tokens regardless of how the user authenticated.
Dashboard → Application → Authentication → SAML SSO. The list page shows every connection; click one to edit its metadata, attribute mapping, and signing certs.
User clicks the application's SAML button on Authaz Sign-In (or hits a tenant-specific subdomain that auto-routes to the SP).
Authaz redirects the browser to the IdP's SSO URL with an AuthnRequest.
User authenticates at the IdP, which posts a signed AuthnResponse back to Authaz's ACS URL.
Authaz validates the signature, extracts the user's email and attributes, creates or finds the user, and signs them in.
From the application's perspective it's the same as any other login — the user lands back with an authorization code, your backend exchanges it for tokens.
The connection is now usable. The next user who hits SAML for this connection will be redirected to the IdP, authenticate, and come back authenticated.
Custom attributes (like department above) are written to the user's metadata object — you can then read them from the access token's user_metadata claim.
Most enterprise scenarios are: each tenant has one IdP. Set tenantId on the connection and Authaz will scope it.
Authaz Sign-In auto-routes the user to the right connection based on their email domain. Set domains on the connection:
{ "domains": ["acme.com", "acme.io"]}
Now, anyone signing in with an @acme.com address is sent through Acme's IdP automatically. Other domains either fall back to other authentication methods or, if the application is SAML-only, get a "no SSO connection found" error.
When a user logs in via SAML for the first time, Authaz creates the user record on the fly using the email from the assertion. They're assigned the connection's defaultRoles:
{ "defaultRoles": ["role_member"]}
For shared-pool multi-tenancy, the user is also added to the connection's tenant on first sign-in.
