Generic SAML

This guide explains the settings you’d need to use to configure SAML with your Identity Provider. Once this is set up you should get an XML metadata file that should then be configured using the Ory Polis API (or calling the API controller connection method if using Ory Polis NPM).

Please do not add a trailing slash at the end of the URLs.

Create them exactly as shown below:

Assertion consumer service URL / Single Sign-On URL / Destination URL: http://localhost:5225/api/oauth/saml
Entity ID / Identifier / Audience URI / Audience Restriction: https://saml.ory.sh
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA-SHA256
Assertion Encryption: Unencrypted

The deployed Ory Polis service has a Service Provider (SP) endpoint that exposes the above metadata and the same can be

accessed at <jackson_endpoint>/.well-known/saml-configuration. :::

SAML profile/claims/attributes mapping

As outlined in the guide above we try and support 4 attributes in the SAML claims - id, email, firstName, lastName. This is how the common SAML attributes map over for most providers, but some providers have custom mappings. Please refer to the documentation on Identity Provider to understand the exact mapping.

SAML Attribute	Ory Polis mapping
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`	id
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`	email
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`	firstName
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`	lastName

SAML profile/claims/attributes mapping​

Ory Network

SAML profile/claims/attributes mapping