Provider guide

Set up a SAML 2.0 connection

Exchange service-provider and identity-provider metadata, map claims, and validate signed responses.

Identity administrators10 min readUpdated July 17, 2026

Copy the service-provider values

  1. Open Single sign-on and begin a SAML 2.0 connection.
  2. Copy the entity ID and assertion consumer service URL exactly as displayed.
  3. Create a SAML application in the identity provider using those values.

Add identity-provider metadata

  1. Use the provider metadata URL when available so endpoints and signing certificates can be validated together.
  2. Otherwise upload or paste the metadata XML supplied by the identity provider.
  3. Map a stable unique subject identifier and the required email, name, group, and school claims.
  4. Restrict accepted domains and select a safe default role.

Test before enforcement

Confirm the response issuer, audience, destination, timestamps, signature, subject, and required attributes. Rotate expiring signing certificates before the provider removes the previous certificate.