# Create SAML Provider

{% hint style="info" %}
You can only configure single sign-on (SSO) in an on-premises Adaptiva Server. This does not apply to our SaaS solution.
{% endhint %}

SAML (Security Assertion Markup Language) on the OneSite platform allows you to configure a SAML provider in order for your users to login via SSO.

Below are some SAML Provider specific guides:

* [Microsoft Entra](https://docs.adaptiva.com/platform-guide/configure-sso/configure-sso-entra#enable-single-sign-on-using-saml)
* [PingIdentity](https://docs.adaptiva.com/platform-guide/security/configure-sso/configure-sso-pingidentity)

## Create the SAML Provider in the Admin Portal

1. Log in to the Admin Portal as a Super Admin.
2. Click the **gear icon > Settings > Security > SAML Providers**.
3. On the SAML Providers page, click **+ New**.
4. Enter a name and description. You can also add a logo (.png).
5. Under **SAML Settings**, configure the following values:
   * **Issuer ID** - The unique name this provider puts in its `saml:Issuer` element. It is used to look up the signing key when a response is received.
   * **Authentication Request URI** - The URI to which a `saml:AuthnRequest` is sent. If not set, the server cannot initiate login with a `saml:AuthnRequest`, but it can still receive responses from the service provider.
   * **Attribute Consuming Service Index** - The index assigned to the Adaptiva client when it was registered with the provider. If not set, the Adaptiva Server automatically sets an `AssertionConsumerServiceURL` attribute on any `saml:AuthnRequest` it builds.
   * **Name ID Format** - The **NameID** format to request from the provider. If left blank, it is equivalent to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`. When a new provider is created, the field defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.
   * **Public Key Info** - The signing key in PEM format used to verify the signature of a SAML response.
   * **Audience** - The audience the server will expect to be declared in the SAML response. If not set, the server's auto-detected URL will be used.
6. Click **Save**.

### Create the Administrator account

After creating the SAML Provider, register users as Administrators using the following steps:

1. Select **Settings > Security > Administrators**.
2. Click **+ New** and create an Administrator account.
3. From the Admin Type dropdown, select **SAML**.
4. Enter the email address for the user you are creating.

   The system uses this address to send an email invitation to the user, and to match the user with their IAM service identity. This email address must have been granted permissions in the IAM’s SAML application.
5. Click the **Identity Provider** drop-down and select the provider you created earlier.
6. In the **Subject ID** field, enter the same email address used above.
7. Under **Administrator Details**, enter the first and last name of the user and add any additional information needed.
8. Under Direct Roles, click **Browse**. Select the appropriate role(s) for the administrator and click **OK**.
9. Select **Save**.

### Test the Login

1. Ask the user to test the login using SAML.
2. Navigate to the Admin Portal. The login screen now lists the new SAML Provider.
3. Select the new provider and log in to the portal using your IAM credentials.

{% hint style="info" %}
You may see the error `Error Message = Invalid Audience: https://ws25Tester:443, Error Code = 13 (0xd), Source Object = null propertyName[null]`. In this example the server FQDN in the Entity ID contains a capital `T`. Make sure the Audience entry matches the case returned in the error exactly.
{% endhint %}
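The following is an added example, not Adaptiva's code, showing the checks a service provider performs on an incoming SAML Response against the **Issuer ID**, **Audience** and **Name ID Format** values configured under **SAML Settings** above, and why the `Invalid Audience` error in the hint is triggered by a difference in letter case. The sample response, the hypothetical identity provider URL and the email address are all constructed for illustration; signature verification against the **Public Key Info** PEM is deliberately left out because it needs an XML-DSig library.

```python
# Added example, not Adaptiva's code. Matches the Issuer, Audience and NameID
# of a SAML Response against the configured provider settings the way a
# service provider does: by exact, case-sensitive string comparison.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample response. The Audience value reuses the
# mixed-case FQDN from the hint above; the issuer URL is hypothetical.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://ws25Tester:443</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, issuer_id, audience, nameid_format=None):
    """Validate a SAML Response against the configured provider settings.

    Returns {"ok": bool, "errors": [...], "subject": NameID text or None}.
    All comparisons are exact: a configured Audience that differs from the
    asserted one only by case is rejected, which is the situation behind the
    'Invalid Audience' error in the hint above.
    """
    root = ET.fromstring(xml_text)
    errors = []

    # Issuer ID: the name the provider puts in saml:Issuer. A real server
    # would use this value to pick the signing key before verifying anything.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != issuer_id:
        errors.append(f"Unknown issuer: {issuer!r}")

    # Audience: must appear verbatim in the assertion's AudienceRestriction.
    audiences = [a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        hint = ""
        if any(a.lower() == audience.lower() for a in audiences):
            hint = " (differs only by case; configured Audience must match exactly)"
        errors.append(f"Invalid Audience: {', '.join(audiences)}{hint}")

    # NameID: the subject the server maps to the administrator's Subject ID.
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    subject = nameid.text if nameid is not None else None
    if nameid is None:
        errors.append("No NameID in assertion")
    elif nameid_format and nameid.get("Format") != nameid_format:
        errors.append(f"Unexpected NameID format: {nameid.get('Format')}")

    return {"ok": not errors, "errors": errors, "subject": subject}


if __name__ == "__main__":
    for configured in ("https://ws25Tester:443", "https://ws25tester:443"):
        result = check_response(SAMPLE_RESPONSE, "https://idp.example.com/metadata",
                                configured, EMAIL_FORMAT)
        print(configured, "->", "ok" if result["ok"] else result["errors"])
```

Running the block compares the sample response against two Audience values: the mixed-case one is accepted and the all-lowercase one fails with an `Invalid Audience` message, which is the behaviour the hint asks you to correct by copying the case from the error into the **Audience** field. The returned `subject` is the value that must equal the **Subject ID** entered for the administrator account.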
