SAML SSO Integration Guide

Info
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP).
Multi-Pass acts as the Identity Provider (IdP) in this federation model.
Multi-Pass is working on SCIM support to enable automated user and group provisioning.
Warning
Make sure you have:
  1. A Multi-Pass Dashboard account with administrative privileges.
  2. Identified the correct tenant if your dashboard manages multiple tenants.
    1. In this guide, we refer to your tenant as <TENANT_NAME>.
  3. Deployment admin access for that tenant.

Configure the Service Provider


Create a SAML profile in your SP’s admin portal using the following parameters from Multi-Pass:

Download the X.509 Certificate

To obtain the signing certificate:
  1. Open the SAML metadata descriptor in your browser:
    1. https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/descriptor
  2. Locate the <ds:X509Certificate> tag.
  3. Open a text editor and paste the certificate body between the PEM markers:
-----BEGIN CERTIFICATE-----
[Paste the certificate from the XML]
-----END CERTIFICATE-----
  4. Save it as a .pem or .txt file if required by your SP.
Warning
All elements in the URLs (like <TENANT_NAME>) are case sensitive. Match your configuration exactly.
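Added example (not part of the original guide and not Multi-Pass code): the same extraction done programmatically against a constructed copy of the descriptor, keeping only KeyDescriptors that are usable for signing and wrapping the body as a PEM file with 64-character lines. The tenant name and the certificate body are placeholders.

```python
import re
import textwrap
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-in for the descriptor served at
# https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/descriptor.
# The certificate body is fake filler, not a real key.
CERT_BODY = "MIIC" + "A" * 132 + "=="
SAMPLE_DESCRIPTOR = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://ca.auth.kzero.com/realms/TENANT_NAME">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {CERT_BODY}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def extract_signing_certs(descriptor_xml: str) -> list[str]:
    """Base64 bodies of the IdP's signing certificates, whitespace removed.
    Only KeyDescriptors with use="signing" (or no use attribute, which means
    both) are taken, so an encryption-only key is never trusted for signatures."""
    root = ET.fromstring(descriptor_xml)
    bodies = []
    for kd in root.iter(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{DS}X509Certificate"):
            # Pretty-printed metadata puts newlines/indentation inside the tag.
            bodies.append(re.sub(r"\s+", "", cert.text or ""))
    return bodies


def to_pem(b64_body: str) -> str:
    """Wrap a base64 DER body as a PEM block with 64-character lines."""
    lines = "\n".join(textwrap.wrap(b64_body, 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for body in extract_signing_certs(SAMPLE_DESCRIPTOR):
        print(to_pem(body))
```

In practice the descriptor is fetched from the URL above over HTTPS (for example with urllib.request) and the resulting PEM is what the SP's "Signing Certificate" field expects.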

What Each Field Means

IdP Entity ID

  1. Unique identifier of Multi-Pass as IdP.
  2. Used by the SP to verify the source of the SAML assertions.
  3. Also called: IdP Issuer URI, Issuer ID, SAML Issuer URL, Identity Provider Identifier, IDP Entity ID, Identity Provider Issuer

Sign-In URL

  1. Where the user is redirected to authenticate.
  2. Also called: IDP SSO URL, IDP Sign-in URL, ID Provider Login URL, IDP ACS URL, Sign-in Page URL, Sign in Url, SAML Login Endpoint, SAML Sign-in URL, SAML SSO URL, SAML 2.0 URL, SSO Login URL, SSO Endpoint, Sign-in Endpoint, Login URL, Sign on URL, Identity Provider single sign-on URL, Remote Login URL

Sign-Out URL

  1. Where the user is sent to terminate their session.
  2. Also called: IdP Single Sign-On URL, Sign-out Endpoint, Sign out Url, IDP Single logout service URL, ID Provider Single Logout URL

Change Password URL

  1. A redirect path used for password update/reset.
Notes
Multi-Pass is passwordless, but some SPs require a placeholder.

Signing Certificate

  1. Verifies the integrity of the SAML assertion.
  2. Signature method: RSA-SHA256
  3. Digest method: SHA256
  4. Also called: x509 Certificate, Signing Certificate, Key x509 Certificate, Certificate Fingerprint (requires only the fingerprint), SAML Fingerprint, IdP Signature Certificate

Configure Multi-Pass (IdP)


Multi-Pass offers two configuration interfaces:
  1. The Legacy Advanced Console
  2. The New Recommended Dashboard interface
You will need to collect the following from your Service Provider:

SP Detail               | Meaning
Entity ID               | Unique identifier of the Service Provider (e.g., Audience URI)
ACS URL                 | Endpoint where SAML responses are posted (Assertion Consumer Service URL)
Relay State (optional)  | Destination URL after successful login (e.g., user dashboard)
Info
Terminology may vary depending on the SP:
Entity ID = SP Entity ID, Audience
ACS URL = Assertion Consumer Service URL
Idea
Best Practices & Notes:
  1. Ensure user emails in the SP match those in Multi-Pass.
  2. Users migrated to SSO must log in via Multi-Pass only.
  3. After configuration, test authentication flows using non-critical accounts.
  4. Check if your SP requires signing AuthnRequests or enabling SLO (Single Logout).

Configure a SAML Client in Multi-Pass (Legacy Advanced Console)


Info
This guide explains how to configure a new SAML client in the Multi-Pass Advanced Console and optionally add user attributes to be included in SAML responses.

Access the Advanced Console

  1. Go to Multi-Pass dashboard
  2. Select the tenant you want to configure.
  3. Click on Advanced Console from the left menu.
  4. In the menu, click on Clients.
  5. Click on Create Client.

Create the Client

Notes
Leave all other settings as default unless your SP requires specific values.
  1. Fill in the following settings:
     Field        | Value
     Client Type  | SAML
     Client ID    | <Entity URL> from your Service Provider
     Name         | Service Provider Name (e.g. halopsa)
  2. Click Save.

Configure SAML Settings

Go back into the newly created client and complete the configuration under each tab.
Settings Tab

Field                       | Value
Valid Redirect URIs         | <ACS URL> from your SP
IDP-Initiated SSO URL Name  | SP name (lowercase, no spaces)
Home URL                    | https://ca.auth.kzero.com/<TENANT_NAME>/protocol/saml/clients/<SSO_Name>
Relay State                 | Optional
Name ID Format              | email
Force Name ID Format        | ON
Sign Documents              | OFF
Sign Assertions             | ON

Keys Tab

Field                       | Value
Client Signature Required   | OFF

Advanced Tab

Field                                        | Value
Assertion Consumer Service POST Binding URL  | <ACS URL> from your SP

  1. Click Save when done.

Add User Attributes (Optional)

Some Service Providers may require additional user attributes in the SAML response. These are typically mapped using User Property mappers.
To add user attributes:
  1. In the left menu, go to Clients.
  2. Select your newly created client.
  3. Navigate to the Client Scopes tab.
  4. Select the scope ending in -dedicated (e.g., halopsa-dedicated).
  5. Click on Configure a new mapper > User Property.
  6. Choose one of the following User Properties:
    1. username – Username of the user
    2. firstName – First name (given name)
    3. lastName – Last name (surname)
    4. email – Email address
  7. Enter a SAML Attribute Name (as expected by the SP).
  8. Click Save.
Repeat the process for each required user attribute. Check your Service Provider's documentation for the SAML attributes it requires. Additional user attributes are included in the saml:AttributeStatement element within the SAML response. Each user attribute is represented as a separate saml:Attribute entry.
Example:
<saml:Attribute FriendlyName="UserAttributeFriendlyName"
Name="UserAttributeSAMLAttributeName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        username
    </saml:AttributeValue>
</saml:Attribute>

Understanding the SAML Response from Multi-Pass

When a user authenticates successfully, Multi-Pass sends a SAML response to the Service Provider (SP).
This SAML response is an XML document that follows the SAML 2.0 protocol standards.

Key Sections in a SAML Response:
  1. saml:Subject
    1. Identifies the user that the SAML assertion refers to.
    2. Critical for the SP to know who is authenticated.
    3. saml:NameID – The user's unique identifier (e.g., username or email address). The Format attribute can vary: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or others.
  2. saml:AttributeStatement
    1. Provides additional metadata about the user.
    2. Typically contains:
      1. Email address
      2. User roles
      3. Department
      4. Any other custom attributes needed by the SP for authorization or user personalization.
  3. dsig:Signature
    1. A digital signature included in the assertion or parts of the SAML message.
    2. Ensures:
      1. Integrity – Confirms that the assertion wasn't modified during transit.
      2. Authentication – Confirms the message comes from a trusted Identity Provider (IdP).
      3. Non-repudiation – Prevents the sender from denying the message if the private key is secure.
Example: SAML Response Template:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="SP ACS URL">
    <saml:Issuer>https://ca.auth.kzero.com/realms/TENANT_ID</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>https://ca.auth.kzero.com/realms/kzero</saml:Issuer>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                email@email.com
            </saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData Recipient="SP ACS URL" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions>
            ...
        </saml:Conditions>
        <saml:AuthnStatement>
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="Role"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
                    role-name
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
Notes
Destination in the response must match the ACS URL configured in the SP.
The Signature ensures that the message has not been tampered with and is issued by the expected Identity Provider.
Attributes inside AttributeStatement must match what the SP expects for successful authorization.
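As an added SP-side illustration of the three Notes above (this is example code, not code from Multi-Pass or the original page): parse a constructed response in the shape of the template, check Destination, Recipient, Issuer and Status, confirm that a Signature element is present, and pull out the NameID and attributes. The tenant name, SP ACS URL and e-mail are placeholders; verification of the XML signature itself is left to the SP's SAML library.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed response in the shape of the template above (placeholder tenant,
# SP ACS URL and e-mail; the Signature element is empty on purpose).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://ca.auth.kzero.com/realms/TENANT_NAME</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><saml:Issuer>https://ca.auth.kzero.com/realms/TENANT_NAME</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"/></saml:SubjectConfirmation></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>role-name</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""


def check_response(xml_text, expected_issuer, acs_url):
    """Return (problems, name_id, attributes). Only Signature *presence* is
    checked; the SP's SAML library must verify it before trusting the values."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the SP ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous responses outright
        return problems + ["expected exactly one Assertion"], None, {}
    a = assertions[0]
    if a.findtext("saml:Issuer", "", NS).strip() != expected_issuer:
        problems.append("Assertion Issuer is not the expected IdP entity ID")
    if a.find("dsig:Signature", NS) is None:
        problems.append("Assertion carries no Signature")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the SP ACS URL")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    attrs = {at.get("Name"): [(v.text or "").strip() for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return problems, name_id, attrs
```

A non-empty problems list means the SP should reject the response before any account lookup on name_id or any authorization decision on the attributes.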
