SAML Protocol Configuration Options

The following options are available when setting up an identity provider that uses the SAML 2.0 protocol.

  • Allow identity provider initiated single sign on: When enabled, users authenticate once in their identity provider and can log in to Immuta.

  • Allow identity provider initiated single logout: When enabled, users can log out of Immuta or their identity provider and simultaneously log out of other applications. Additional configuration settings will appear when this checkbox is selected:

    • Logout URL: The URL of your single sign on application that users are redirected to after logging out of Immuta. This is a separate setting because some identity providers use different URLs for logout and authorization.

    • SLO binding URL: The URL that Immuta displays for you to register with your identity provider; it tells the identity provider where to send single logout requests and responses to Immuta.

    • Encryption private key: An optional private key to encrypt requests.

  • Decryption private key: The private key for decrypting attribute assertions from the identity provider.

  • Display name: The internal ID of the identity manager in Immuta. This setting cannot be changed once the configuration is saved.

  • Entry point: The URL of your single sign on application that the Immuta login page will redirect to.

  • External groups and attributes endpoint: A REST endpoint that Immuta will use to retrieve a user's groups and attributes.

  • Issuer: The URL of the identity provider that issues assertions for authentication.

  • Migrate users: Migrate users from a previously configured identity provider to the current identity provider.

  • SCIM support: When enabled, your identity provider automatically creates new users in Immuta and updates existing user accounts, whether or not users log in to Immuta. When you click this checkbox, Immuta generates a SCIM API key.

  • Signing certificate: Your identity provider's public signing certificate.

  • Sync attributes from SAML to Immuta: Allows attributes added in your identity provider to be synced with Immuta.

    • Attribute delimiter: The character used to split values in a string of attributes. After enabling sync attributes, providing delimiters for attributes is required.

    • Attribute prefix: The prefix used for attribute keys.

  • Sync groups from SAML to Immuta: Allows groups added in your identity provider to be synced with Immuta.

  • Group attribute: The attribute that contains the user's group. Enable sync groups from SAML to Immuta to make this option available.

  • User ID attribute: The attribute that contains the user's username.
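To make the interaction between the last few options concrete (User ID attribute, Group attribute, Sync attributes with its required Attribute delimiter and Attribute prefix), here is an added illustration of how a SAML attribute statement is mapped onto a user, their groups and their attributes under such settings. It is example code written for this page, not Immuta's implementation: the assertion is constructed, the option names are modelled as a small config object, and two details the page does not state are assumptions, namely that the prefix selects which attribute names are synced and is stripped from the resulting key, and that each multi-valued attribute is split on the delimiter after its values are gathered.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# SAML 2.0 assertion namespace (standard).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class SyncConfig:
    """Models the page's options; field names are this example's, not Immuta's."""
    user_id_attribute: str = "email"        # "User ID attribute"
    sync_groups: bool = True                 # "Sync groups from SAML to Immuta"
    group_attribute: str = "memberOf"        # "Group attribute"
    sync_attributes: bool = True             # "Sync attributes from SAML to Immuta"
    attribute_prefix: str = "immuta_"        # "Attribute prefix" (assumed to filter + strip)
    attribute_delimiter: str = ","           # "Attribute delimiter" (required when syncing)


@dataclass
class SyncedUser:
    user_id: str
    groups: List[str] = field(default_factory=list)
    attributes: Dict[str, List[str]] = field(default_factory=dict)


# Constructed sample assertion (signature/encryption elements omitted; in a real
# deployment the assertion is verified against the signing certificate first).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>analysts</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="immuta_department"><saml:AttributeValue>Finance,Risk</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="immuta_clearance"><saml:AttributeValue>secret</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="telephoneNumber"><saml:AttributeValue>555-0100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect every Attribute Name -> list of AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "") for v in attr.iterfind("saml:AttributeValue", NS)]
        # A repeated Attribute element with the same Name contributes more values.
        attrs.setdefault(name, []).extend(values)
    return attrs


def map_assertion(assertion_xml: str, cfg: SyncConfig) -> SyncedUser:
    """Apply the sync settings to an assertion and return the resulting user."""
    attrs = read_attributes(assertion_xml)

    # The user ID attribute must be present exactly once and non-empty;
    # refusing ambiguous or missing identifiers avoids mapping to the wrong account.
    uid_values = [v.strip() for v in attrs.get(cfg.user_id_attribute, []) if v.strip()]
    if len(uid_values) != 1:
        raise ValueError(f"expected exactly one non-empty '{cfg.user_id_attribute}' value")
    user = SyncedUser(user_id=uid_values[0])

    # Groups are only read when group sync is enabled (the page ties the
    # Group attribute option to the Sync groups checkbox).
    if cfg.sync_groups and cfg.group_attribute:
        user.groups = sorted({g.strip() for g in attrs.get(cfg.group_attribute, []) if g.strip()})

    # Attribute sync requires a delimiter, mirroring the page's note.
    if cfg.sync_attributes:
        if not cfg.attribute_delimiter:
            raise ValueError("attribute delimiter is required when syncing attributes")
        for name, values in attrs.items():
            if name in (cfg.user_id_attribute, cfg.group_attribute):
                continue  # identity and group data are not general attributes
            if not name.startswith(cfg.attribute_prefix):
                continue  # assumption: prefix selects which attributes are synced
            key = name[len(cfg.attribute_prefix):]  # assumption: prefix is stripped
            parts = [p.strip() for v in values for p in v.split(cfg.attribute_delimiter)]
            user.attributes[key] = [p for p in parts if p]
    return user


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ASSERTION, SyncConfig()))
```

Running the block maps the sample to user `alice@example.com` with groups `analysts` and `finance` and synced attributes `department` (two values, split on the comma) and `clearance`; `telephoneNumber` is dropped because it lacks the prefix. Changing the delimiter to `;` shows why the option matters: `Finance,Risk` then becomes a single value.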