Setting Up Single Sign-On with SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data between different security domains.
With SAML authentication enabled, users can single sign-on (SSO) into by using user accounts registered with your corporate identity provider (IdP). supports SAML 2.0 and acts as a service provider (SP).

This section describes the flow of SSO with SAML authentication and how to configure

Flow of SSO with SAML Authentication

With SAML authentication enabled, uses SP-initiated SSO. The following bindings are used for the SAML request and SAML response:

  • SAML request: HTTP Redirect Binding
  • SAML response: HTTP POST Binding

The following illustrates steps for to authenticate a user:

[Figure: flow of SSO using SAML authentication]
  1. The user accesses
  2. generates a SAML request.
  3. The user receives the SAML request from the SP.
  4. The IdP authenticates the user.
  5. The IdP generates a SAML response.
  6. The user receives the SAML response from the IdP.
  7. receives and verifies the SAML response.
  8. If the SAML response is OK, the user has completed the login to

Connecting with the Identity Provider Through SAML Authentication

To connect with the IdP through SAML authentication, you must configure both the IdP and appropriately.

Registering with the IdP

Register the following information with the IdP so that can act as an SP:

  • Endpoint URL of

  • Entity ID
    Do not add a slash mark (/) at the end of the URL.

  • Element to identify a user

  • To register as an SP, you can also use a metadata file.
    • How to get a metadata file
      Go to the "Login Security" screen of "Users & System Administration", select the "Enable SAML authentication" check box, and then click "Download Service Provider Metadata".

Configuring SAML authentication in

On, enable SAML authentication and set the information of the IdP.

  1. On the "Users & System Administration" page, click "Login" under "Security".
  2. Select "Enable SAML authentication".
  3. Fill in the fields as needed.
    • SSO endpoint URL of the Identity Provider (HTTP-Redirect)
      Specify the destination of SAML requests.
    • URL redirected to, after logout from
      Specify the URL of a page from the IdP that appears after users log out from
    • Public key certificate used by the Identity Provider when signing
      Attach a public key certificate generated with either the RSA or DSA algorithm. Only an X.509 certificate is acceptable.
  4. Click "Save".
  5. Confirm the login names of users who will log in through SAML authentication.
    Ensure that the login names of users correspond to values associated with NameID.
  6. Confirm that, as a user, you can single sign-on into through SAML authentication.
    Your configuration is complete if you can perform the following actions successfully:
    • When you access, you are authenticated by the IdP successfully and directed to a page that appears for logged-in users.
    • After you have logged in, you can log out successfully by clicking the user name at the upper right and then "Logout".
      If you are on a kintone page, click the icon and then click "Logout".
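As an added example (not part of this documentation or the product's own code), the following Python script works through both halves of the exchange described in the flow section and exercised by the configuration steps above: building an SP-initiated AuthnRequest and wrapping it in the HTTP-Redirect binding, then decoding an HTTP-POST-bound Response and mapping its NameID onto a registered login name. All URLs, entity IDs, the sample Response and the login names are constructed placeholders; verification of the XML signature against the IdP's X.509 certificate is left to an XML-DSig library and is not performed here.

```python
import base64, datetime, urllib.parse, uuid, zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url):
    """Unsigned SP-initiated AuthnRequest. The SP entity ID must carry no trailing slash."""
    if sp_entity_id.endswith("/"):
        raise ValueError("Entity ID must not end with a slash")
    now = datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url, "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")

def redirect_binding_url(idp_sso_url, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded SAMLRequest query parameter."""
    c = zlib.compressobj(wbits=-15)  # -15 selects raw DEFLATE (no zlib header or trailer)
    raw = c.compress(authn_request_xml.encode()) + c.flush()
    return idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_url(url):
    # Reverse of the redirect binding: the AuthnRequest XML the IdP recovers from SAMLRequest.
    param = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode()

def login_name_from_post_response(saml_response_b64, idp_entity_id, registered_logins):
    """HTTP-POST binding: decode the Response, check Issuer and Status, map NameID to a login name.
    XML-DSig verification against the IdP's X.509 certificate is NOT done here; it must pass first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise ValueError("Response Issuer does not match the configured IdP")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    name_id = root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id not in registered_logins:  # the login name must equal the NameID value
        raise ValueError(f"NameID {name_id!r} matches no registered login name")
    return name_id

# Constructed, unsigned sample Response used only to exercise the parser above.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
 Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion ID="_a1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>""".encode()).decode()
```

Run the redirect half and paste the decoded XML next to what your IdP logs to confirm the Issuer equals the Entity ID registered with the IdP, character for character.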