SAML 2.0 Configuration Example
This section explains how to configure SAML 2.0 providers for Microsoft Azure, Okta and OneLogin, with reference examples for each. For details, see Authentication.
To successfully configure SAML2 authentication in SEI, you must complete the process in three main steps:
- Collect your provider information from Microsoft Azure, Okta or OneLogin (the IdP entity ID, the SSO and SLO endpoints, the signing certificate, and the claim or attribute that identifies the user). Note that these are SAML values; Client IDs and scopes belong to OpenID Connect, not to this configuration.
- Enter these values into SEI in the Authentication configuration form.
- Map your users so SEI knows which external identity corresponds to each internal username.
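The procedure above is the same for all three providers: every IdP publishes standard SAML 2.0 metadata, and the values SEI asks for (Provider Entity ID, login and logout endpoints, signing certificate) are all in it. The following Python script is an added example, not SEI's code or any vendor's tool. It parses a constructed Azure AD-shaped metadata document (placeholder tenant ID from the tables on this page, a dummy byte string in place of a real certificate), extracts the form values, fingerprints the signing certificate so it can be compared against the `.cer` file you upload, and then resolves a constructed, already-verified assertion to an SEI username using only the configured identifier attribute (Azure's `objectidentifier` claim is assumed as that attribute). It deliberately refuses to fall back to NameID or email, since those are mutable.

```python
"""Extract SEI's SAML form values from IdP metadata and resolve a user mapping.
Added example; assumes the assertion passed to resolve_sei_user() has ALREADY
had its XML signature verified by SEI's SAML library. Never parse attributes
out of an unverified Response. For untrusted XML, use defusedxml, not stdlib ET."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"  # Azure's stable object ID

# Constructed sample in the shape of Azure AD's federationmetadata.xml. The tenant ID is the
# placeholder from this page; the "certificate" is dummy bytes, not a real DER X.509 cert.
_DUMMY_CERT_B64 = base64.b64encode(b"dummy-der-bytes-standing-in-for-SAML2Certificate.cer").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/c2c50f21-66a7-41b4-9e9b-d401358e19e6/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_DUMMY_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/c2c50f21-66a7-41b4-9e9b-d401358e19e6/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/c2c50f21-66a7-41b4-9e9b-d401358e19e6/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/c2c50f21-66a7-41b4-9e9b-d401358e19e6/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion (signature element omitted; assumed verified upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/c2c50f21-66a7-41b4-9e9b-d401358e19e6/</saml:Issuer>
  <saml:Subject><saml:NameID>admin@companyname.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# SEI "Map users" rows from this page: User Identifier -> SEI Username.
SEI_USER_MAP = {"bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09": "ADMIN"}


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most admin UIs display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return Provider Entity ID, login/logout endpoints and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not SAML metadata: root element is {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not the IdP's")

    def endpoint(tag):
        # Prefer the HTTP-Redirect binding (what SEI's Provider endpoints expect); else first listed.
        services = idp.findall(f"md:{tag}", NS)
        for svc in services:
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return services[0].get("Location") if services else None

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' serves both roles
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_fingerprint(der))
    if not fingerprints:
        raise ValueError("no signing certificate in metadata; assertions could not be verified")
    return {
        "provider_entity_id": root.get("entityID"),
        "provider_login_endpoint": endpoint("SingleSignOnService"),
        "provider_logout_endpoint": endpoint("SingleLogoutService"),
        "signing_cert_fingerprints": fingerprints,  # >1 means a cert rollover is in progress
    }


def resolve_sei_user(assertion_xml: str, expected_issuer: str, user_map: dict, id_attribute=OID_CLAIM):
    """Map a verified assertion to an SEI username via the configured identifier only.
    Returns None for an unmapped user (deny), raises on issuer mismatch or ambiguous values."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"assertion issuer {issuer!r} is not the configured Provider Entity ID")
    values = [v.text.strip()
              for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == id_attribute
              for v in a.findall("saml:AttributeValue", NS) if v.text]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {id_attribute} value, got {values}")
    return user_map.get(values[0])


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("mapped to SEI user:", resolve_sei_user(SAMPLE_ASSERTION, meta["provider_entity_id"], SEI_USER_MAP))
```

Run it against a real download of your Federation Metadata URL (or the Okta/OneLogin metadata link) and compare the printed fingerprint with the certificate you are about to upload as `SAML2Certificate.cer`; a mismatch means the IdP has rotated its signing key and the copy in SEI is stale. Two fingerprints in the output means the IdP is mid-rollover and SEI must trust both until the old one is retired.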
Microsoft Azure
Step 1 — Provider information (from Azure AD)
In Azure AD, collect the metadata for your Enterprise Application. This metadata defines how Azure AD issues SAML assertions, including the necessary identifiers and endpoints that SEI will trust during authentication.
| Parameter | Example |
|---|---|
| Federation Metadata URL | (Discovery Endpoint) https://login.microsoftonline.com/c2c50f21-66a7-41b4-9e9b-d401358e19e6/federationmetadata/2007-06/federationmetadata.xml?appid=458ee5eb-e22d-4dd1-a4e5-5d473c79e133 |
| SP Entity ID | (Entity ID) https://yourserver/biwebserver |
| Azure AD Identifier | (Provider Entity ID) https://sts.windows.net/yourentityID/ |
| Provider Login Endpoint | https://login.microsoftonline.com/yourentityID/saml2 |
| Provider Logout Endpoint | https://login.microsoftonline.com/yourentityID/saml2 |
| SAML2 ACS URL | |
| Logout URL | https://yourserver/Logout/LoggedOut |
| Certificate | SAML2Certificate.cer |
| User Identifier | Claim used to match Azure users with SEI users. Use a stable, immutable identifier such as sub or oid (the object ID) rather than email or UPN, which can be reassigned to another person; this matters most in multitenant setups. Example: "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
Step 2 – Authentication configuration example in SEI
Enter the Azure AD metadata into SEI to establish a secure SAML trust relationship. This configuration allows SEI to accept and validate SAML responses generated by Azure AD during user sign‑in.
| Field | Example |
|---|---|
| Activate | Disabled |
| Description | Sign In With Azure[SAML2] |
| Discovery Endpoint | (Federation Metadata URL) https://login.microsoftonline.com/c2c50f21-66a7-41b4-9e9b-d401358e19e6/federationmetadata/2007-06/federationmetadata.xml?appid=458ee5eb-e22d-4dd1-a4e |
| Entity ID | (SP Entity ID) https://[your_domain]/biwebclient |
| Provider Entity ID | (Azure AD Identifier) https://sts.windows.net/c2c50f21-66a7-41b4-9e9b-d401358e19e6/ |
| Provider Login Endpoint | https://login.microsoftonline.com/c2c50f21-.../saml2 |
| Provider Logout Endpoint | https://login.microsoftonline.com/c2c50f21-.../saml2 |
| Saml2 ACS URL | |
| Logout URL | https://[your-webclient-domain]:82/Logout/LoggedOut (use https, as in Step 1; a plain-http post-logout redirect can be tampered with in transit) |
| Certificate | SAML2 Certificate.cer |
| User Identifier | Claim used to match Azure users with SEI users. Use a stable, immutable identifier such as sub or oid (the object ID) rather than email or UPN, which can be reassigned; this matters most in multitenant setups. Example: "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
| Force reauthentication | Disabled |
| Allow remember me | Disabled |
Step 3 – Map users
After configuring SAML, map each Azure AD identity to a corresponding SEI user.
| Field | Example |
|---|---|
| Username | ADMIN |
| Name | ADMIN |
| Email | admin@companyname.com |
| User Identifier | "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
Okta
Step 1 — Provider information (from Okta)
From the Okta Admin Console, extract your SAML application’s metadata. This includes the information that defines how Okta will authenticate users and issue SAML responses to SEI.
| Parameter | Example |
|---|---|
| Metadata URL | (Discovery Endpoint) https://dev-40198417.okta.com/app/yourentityID/sso/saml/metadata (the "Identity Provider metadata" link on the Okta app's Sign On tab; the Microsoft login URL belongs to the Azure example, not to Okta) |
| SP Entity ID | (Entity ID) |
| Okta IdP Identifier | (Provider Entity ID) http://www.okta.com/yourentityID |
| Okta SSO URL | (Provider Login Endpoint) https://dev-40198417.okta.com/app/dev-40198417_saml2_1/yourentityID/sso/saml |
| Provider Logout Endpoint | https://dev-40198417.okta.com/app/dev-40198417_saml2_1/yourentityID/slo/saml (the SLO endpoint ends in slo/saml, not the sso/saml login endpoint) |
| SAML2 ACS URL | |
| Logout URL | https://yourserver/Logout/LoggedOut |
| Certificate | okta.cert |
| User Identifier | Claim used to match Okta users with SEI users. Use a stable, immutable identifier (for example sub) rather than email or username, which can be reassigned. Example: "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
Step 2 — Authentication configuration example in SEI
Use the Okta metadata to configure SEI’s SAML settings. This step establishes trust between SEI and Okta, enabling SEI to validate SAML assertions generated by your Okta application.
| Field | Example |
|---|---|
| Activate | Disabled |
| Description | Sign In With Okta |
| Discovery Endpoint | (Metadata URL) https://dev-<oktaID>.okta.com/app/[your_EntityId]/sso/saml/metadata |
| Entity ID | (SP Entity ID) https://[your_domain]:82/biwebclient |
| Provider Entity ID | (Okta IdP Identifier) http://www.okta.com/...[your_EntityId] |
| Provider Login Endpoint | (Okta SSO URL) https://dev-<oktaID>.okta.com/app/dev-<oktaID>_saml2_1/.../sso/saml |
| Provider Logout Endpoint | https://dev-<oktaID>.okta.com/app/dev-<oktaID>_saml2_1/.../slo/saml |
| Saml2 ACS URL | |
| Logout URL | https://[your_domain]:82/Logout/LoggedOut |
| Certificate | SAML2 Certificate.cer |
| User Identifier | Claim used to match Okta users with SEI users. Use a stable, immutable identifier (for example sub) rather than email or username, which can be reassigned. Example: "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
| Force reauthentication | Disabled |
| Allow remember me | Disabled |
Step 3 — Map users example
Choose the claim returned by Okta (typically sub, email, or nameid) that will identify users. Map this value to the corresponding SEI user to ensure seamless authentication.
| Field | Example |
|---|---|
| Username | ADMIN |
| Name | ADMIN |
| Email | admin@companyname.com |
| User Identifier | "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
OneLogin
Step 1 — Provider information (from OneLogin)
In the OneLogin Admin portal, gather your SAML application's metadata. This includes OneLogin’s SAML configuration details used to authenticate users and send assertions to SEI.
| Parameter | Example |
|---|---|
| Metadata URL | (Discovery Endpoint) https://app.onelogin.com/saml/metadata/cbfbba1c-baf4-4b65-a97c-d2706d631a36 |
| SP Entity ID | (Entity ID) https://yourserver/biwebserver |
| OneLogin Issuer | (Provider Entity ID) https://app.onelogin.com/saml/metadata/yourentityID/ |
| SSO URL | (Provider Login Endpoint) https://your-onelogin-server/trust/saml2/http-redirect/sso/yourentityID/ |
| SLO URL | (Provider Logout Endpoint) https://your-onelogin-server/trust/saml2/http-redirect/slo/yourentityID/ |
| SAML2 ACS URL | |
| Logout URL | https://yourserver/Logout/LoggedOut |
| Certificate | SAML2Certificate.cer |
| User Identifier | Attribute used to match OneLogin users with SEI users. Use a stable, immutable identifier (for example sub) rather than email or username, which can be reassigned. Example: "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
Step 2 — Authentication configuration example in SEI
Enter the OneLogin metadata into SEI to establish a trusted SAML relationship. This enables SEI to validate SAML responses from OneLogin during login.
| Field | Example |
|---|---|
| Activate | Disabled |
| Description | Sign in with OneLogin |
| Discovery Endpoint | (Metadata URL) https://app.onelogin.com/saml/metadata/[attributes-and-entityID] |
| Entity ID | (SP Entity ID) https://yourserver/biwebclient |
| Provider Entity ID | (OneLogin Issuer) https://app.onelogin.com/saml/metadata/yourentityID |
| Provider Login Endpoint | (SSO URL) https://your-onelogin-server/trust/saml2/http-redirect/sso/yourentityID |
| Provider Logout Endpoint | (SLO URL) https://your-onelogin-server/trust/saml2/http-redirect/slo/yourentityID |
| Saml2 ACS URL | |
| Logout URL | https://[your-server]/Logout/LoggedOut (use https, as in Step 1) |
| Certificate | SAML2 Certificate.cer |
| User Identifier | Attribute used to match OneLogin users with SEI users. Use a stable, immutable identifier (for example sub) rather than email or username, which can be reassigned. Example: "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |
| Force reauthentication | Disabled |
| Allow remember me | Disabled |
Step 3 — Map users example
Select the identifying claim OneLogin provides (such as sub, email, uid, or nameid) and map it to SEI users. This ensures that users logging in through OneLogin are matched to their correct accounts.
| Field | Example |
|---|---|
| Username | ADMIN |
| Name | ADMIN |
| Email | admin@companyname.com |
| User Identifier | "sub": "bf38b88a-5c16-4f58-bf5a-87ccd8e5ad09" |