How To: Set up SAML 2.0 Single Sign On

Oomnitza supports Security Assertion Markup Language (SAML) 2.0 for Single Sign On (SSO).

Before you set up SAML

The information that you provide to create an SSO certificate depends on your identity provider (IdP).

You need:

  • Your SSO URL
  • Your certificate


The SSO URL of the identity provider (IdP).

Information for configuring IdP
The service provider (SP) URL is https://{instance-name} and the endpoint URL is https://{instance-name}


Unless you want to encrypt the SAML assertion, select Upload Certificate.  

If you want to encrypt the SAML assertion you must upload the certificate, upload the SP (Service Provider) certificate with a public key, and upload the SP private key.

Active Directory Federation Services (ADFS) has the following types of X.509 certificates:

  • Service communication
  • Token decrypting
  • Token signing

For ADFS, you must select the token-signing certificate

Just-in-Time (JIT) Provisioning

JIT provisioning is used to enable users to create accounts in new applications when they log in for the first time.

When you select JIT provisioning, you must provide values for the following fields:

  • Default role
  • Name ID

Default role

Select a role with sufficient privileges.

Email address

Oomnitza supports two types of name ID policies:

  • Email Address such as
  • Unspecified, which means that the Name ID can be in any format such as myname.

Unspecified name IDs
Check with your IdP as some IdPs don't allow unspecified name IDs.

Set up SAML

To use SAML for SSO, complete these steps:

  1. Log into Oomnitza.
  2. Click Settings > Integrations.
  3. Scroll down to the SSO section.
  4. Click the SSO integration tile that you want to use, such as SAML.
  5. Click the CONNECT tab.
  6. Enter the SSO URL.
  7. Choose one of the following options:
    1. Upload certificate. You must complete this action.
    2. Upload the certificate, the SP certificate with public key, and the SP certificate with private key. You complete these actions if you want to encrypt the assertion.
  8. Select SSO, or JIT Provisioning, or both.
  9. If you select JIT Provisioning, you must select a default role and enter a value in the Name Identifier field. 

You can use the  Validate SAML Response tool to validate SAML Responses, its signatures, and its data.

Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk