
    SAML configuration examples

    Example of SAML configuration without using metadata file

    If your Identity Provider does not provide a SAML Metadata file or you want to manually configure the feature, you will need to configure the following properties:

    security.saml.idp_entity_id
    security.saml.idp_sso_service_url
    security.saml.idp_x509cert

    While not a required property, for the Single Logout functionality to work you also need to configure the Single Logout service URL using: security.saml.idp_slo_service_url

    # Enable SAML SSO by adding SAML to allowed authentication domains
    security.authentication.allowed_domains=clover,SAML
    # Configure clover server running at http://clover-server:8080/clover as a Service Provider
    security.saml.sp_entity_id=https://example.com/example-app
    security.saml.sp_assertion_consumer_url=http://clover-server:8080/clover
    # Set Identity Provider ID
    security.saml.idp_entity_id=https://sts.windows.net/{tenantid}/
    # Set the Single Sign-on service URL
    security.saml.idp_sso_service_url=https://login.microsoftonline.com/common/saml2
    # Set the X509 certificates (Base64-encoded DER format)
    # required
    security.saml.idp_x509cert=MIIDBTCCAe2gAw ... SryT2SUk
    # optional
    security.saml.idp_x509cert_multi.0=MIIDBTCCAe2gAw ... SryT2SUk
    security.saml.idp_x509cert_multi.1=MIIC8TCCAdmgAw ... 5432GA==
    # Set the Single Logout service URL
    # optional
    security.saml.idp_slo_service_url=https://login.microsoftonline.com/common/saml2
    # Do not send LogoutResponse back to Azure AD, it does not expect it
    security.saml.send_logout_response=false

    Example of overriding SAML configuration acquired from metadata file

    The following properties have priority and override the SAML configuration acquired from the metadata file.

    security.saml.idp_entity_id
    security.saml.idp_sso_service_url
    security.saml.idp_x509cert
    security.saml.idp_slo_service_url

    # Enable SAML SSO by adding SAML to allowed authentication domains
    security.authentication.allowed_domains=clover,SAML
    # Configure clover server running at http://clover-server:8080/clover as a Service Provider
    security.saml.sp_entity_id=https://example.com/clover-local
    security.saml.sp_assertion_consumer_url=http://clover-server:8080/clover
    # Setting metadata URL automatically configures the Identity Provider to be used for SAML SSO
    security.saml.idp_metadata_url=https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml
    # Override the Identity Provider ID
    security.saml.idp_entity_id=https://sts.windows.net/{46-id-example}/
    # Do not send LogoutResponse back to Azure AD, it does not expect it
    security.saml.send_logout_response=false
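    The two configurations above follow the same rules: SAML must be listed in security.authentication.allowed_domains, the three idp_* properties are required when no metadata file is used, and explicit idp_* properties take priority over values read from the metadata file. The following script is an added example (not CloverDX code) that reads a properties file in this format, applies that precedence against an IdP metadata document, and reports inconsistencies a reviewer would want caught before deployment. The property names are the ones on this page; the properties text, the metadata XML and the certificate bytes are constructed samples.

```python
"""Check a CloverDX-style SAML properties file against the rules on this page:
SAML must be an allowed domain, the three IdP properties are required without a
metadata file, and explicit IdP properties override the metadata file.
Added example, not CloverDX code. Property names come from the page; the
properties text, metadata XML and certificate bytes are constructed samples."""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Explicit properties that take priority over values from the metadata file.
OVERRIDABLE = ("security.saml.idp_entity_id", "security.saml.idp_sso_service_url",
               "security.saml.idp_x509cert", "security.saml.idp_slo_service_url")
REQUIRED_WITHOUT_METADATA = OVERRIDABLE[:3]   # required when idp_metadata_url is absent

# Constructed stand-in for a Base64 DER certificate (just a DER SEQUENCE header).
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82\x02\x10" + bytes(12)).decode()
# Constructed IdP metadata containing the elements the server would read from it.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor></EntityDescriptor>"""
# Constructed properties: manual IdP setup without metadata, and metadata plus an override.
MANUAL_PROPS = f"""security.authentication.allowed_domains=clover,SAML
security.saml.sp_entity_id=https://example.com/example-app
security.saml.sp_assertion_consumer_url=https://clover-server:8443/clover
security.saml.idp_entity_id=https://sts.example.test/tenant/
security.saml.idp_sso_service_url=https://sts.example.test/saml2
security.saml.idp_x509cert={SAMPLE_CERT_B64}"""
OVERRIDE_PROPS = """security.authentication.allowed_domains=clover,SAML
security.saml.sp_entity_id=https://example.com/clover-local
security.saml.sp_assertion_consumer_url=http://clover-server:8080/clover
security.saml.idp_metadata_url=https://idp.example.test/metadata.xml
security.saml.idp_entity_id=https://sts.example.test/override/
security.saml.send_logout_response=false"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def idp_from_metadata(xml_text):
    """Pull entityID, SSO/SLO locations and the signing cert out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cfg = {"security.saml.idp_entity_id": root.get("entityID")}
    for key, path in (("security.saml.idp_sso_service_url", "md:SingleSignOnService"),
                      ("security.saml.idp_slo_service_url", "md:SingleLogoutService")):
        el = idp.find(path, NS)
        if el is not None:
            cfg[key] = el.get("Location")
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is not None:
        cfg["security.saml.idp_x509cert"] = "".join(cert.text.split())
    return cfg


def effective_idp_config(props, metadata_xml=None):
    """Start from the metadata file, then let explicit properties win (page's precedence)."""
    cfg = idp_from_metadata(metadata_xml) if metadata_xml else {}
    cfg.update({k: props[k] for k in OVERRIDABLE if k in props})
    return cfg


def validate(props, metadata_xml=None):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    domains = [d.strip() for d in props.get("security.authentication.allowed_domains", "").split(",")]
    if "SAML" not in domains:
        problems.append("SAML missing from security.authentication.allowed_domains")
    cfg = effective_idp_config(props, metadata_xml)
    if "security.saml.idp_metadata_url" not in props and metadata_xml is None:
        problems += [f"{k} is required without a metadata file"
                     for k in REQUIRED_WITHOUT_METADATA if k not in cfg]
    cert = cfg.get("security.saml.idp_x509cert")
    if cert is not None:
        try:  # the page asks for Base64-encoded DER: decode it and check the SEQUENCE tag
            if not base64.b64decode(cert, validate=True).startswith(b"\x30"):
                problems.append("idp_x509cert does not decode to a DER SEQUENCE")
        except binascii.Error:
            problems.append("idp_x509cert is not valid Base64")
    acs = props.get("security.saml.sp_assertion_consumer_url", "")
    if urlparse(acs).scheme != "https":
        problems.append("sp_assertion_consumer_url is not https; assertions would be posted in clear text")
    return problems
```

    Running validate(parse_properties(OVERRIDE_PROPS), SAMPLE_METADATA) shows the override in effect (the entity ID comes from the property, the SSO and SLO URLs from the metadata) and flags the plain-http assertion consumer URL; the http://clover-server:8080/clover address used in the examples above would trigger the same finding, so in a real deployment put the service behind TLS or terminate it at a reverse proxy before enabling SAML. Feeding the page's truncated placeholder certificate (MIIDBTCCAe2gAw ... SryT2SUk) into the manual configuration produces the "not valid Base64" finding, which is the check that catches a certificate pasted with line breaks or PEM headers left in.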