[Security Assertion Markup Language (SAML)](🔗) is an XML standard for exchanging authentication and authorization data between parties, specifically an identity provider and a service provider. In the SAML model, Opsgenie acts as the service provider and supports SAML 2.0 based Single Sign-On to authenticate users through different identity providers. For our identity provider partners, the requirements to enable Single Sign-On for authentication, and how to configure and use our Single Sign-On solution, refer [here](🔗). You can enable our Single Sign-On solution using any identity provider, even one that is not currently one of our partners.

## Setup Instructions for SAML 2.0 Based SSO Integration:

_Order of the setup instructions may vary by the identity provider. Please do not hesitate to [contact us](🔗) if you encounter any problem while setting up SSO integration with your identity provider or for any further assistance._

  • Open the [SSO Settings Page](🔗) and switch to the SAML segment as the identity provider.

  • If your identity provider needs you to specify a SAML Identifier for Opsgenie (it may also be referred to as Audience or Target URL), use the value of the **Identifier** field.

  • Use the value of the **SAML 2.0 Service URL** field as the Consumer URL (it may also be referred to as SSO Endpoint or Recipient URL) for your identity provider.

  • Retrieve the Single Sign-On (SSO) Endpoint from your identity provider and paste this URL into the **SAML 2.0 Endpoint** field.

  • If your identity provider supports Single Logout (SLO), retrieve the SLO Endpoint from your identity provider and paste this URL into the **SLO Endpoint** field. This field is optional.

  • Export your X.509 certificate, copy its content and paste this certificate value into the **X.509 Certificate** field.

  • Check the **Enable Single Sign-on** field and click **Apply SSO Changes**.

  • Users in the directory of your identity provider can now log in to Opsgenie via SSO using their directory credentials.

## Opsgenie Endpoints

**SAML Identifier / Audience / Target URL**: Copy the **Identifier** field from the SSO settings of your Opsgenie account.

**Assertion Consumer URL / Opsgenie SSO Endpoint**: `https://app.opsgenie.com/auth/saml?id=<saml_id>`, where `<saml_id>` is unique per Opsgenie account.

These endpoints can be found on [SSO page](🔗).

## Opsgenie SAML Attributes

Opsgenie uses the following attributes & values while performing an authentication request to your identity provider:

**Version**: `2.0`

**AssertionConsumerServiceURL:** `https://app.opsgenie.com/auth/saml?id=<saml_id>` (which is the Opsgenie SSO Endpoint)

**Issuer:** `https://app.opsgenie.com/auth/saml` or `https://app.opsgenie.com/auth/saml?id=<saml_id>` (which is the Opsgenie SAML Identifier). See your Opsgenie settings page.

**NameIDPolicy:**

  • Format: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

  • AllowCreate: `true`

**ProtocolBinding:** `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`

## Validations & Enforcements by Opsgenie using SAML

The only supported SAML version is **2.0**.

Name ID format is expected to be: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. (The Name ID, which is also the e-mail address of the user on your identity provider, should be equal to the user's Opsgenie user name.)

An encryption certificate for claims _should not be used._

## SAMLRequest that Opsgenie Sends to Your IdP

  • The XML content above is the SAML request that Opsgenie sends to your IdP, deflated, Base64-encoded and URL-encoded according to the SAML v2.0 protocol. Your identity provider should be able to process this content.

  • SSO_ID represents the unique identifier that Opsgenie generates and provides within SSO page. So, the following is an example **AssertionConsumerServiceURL** value: **https://app.opsgenie.com/auth/saml?id=53bd8491-ef30-4d3e-92ed-bec8f09188bc**
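
When troubleshooting an IdP integration, it helps to decode the `SAMLRequest` parameter and compare it with the values listed under Opsgenie SAML Attributes. The Python below is an added example, not Opsgenie's own code: it reverses the URL, Base64 and DEFLATE encoding and reports any field that differs. The request is a constructed sample, `SAML_ID_PLACEHOLDER` stands in for the account's `<saml_id>`, and the function names and the 64 KiB size cap are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_PREFIX = "https://app.opsgenie.com/auth/saml"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_XML = 64 * 1024  # assumed cap on inflated size, not an Opsgenie value

def decode_saml_request(param):
    """Undo URL encoding, Base64 and raw DEFLATE, then parse the XML."""
    raw = base64.b64decode(unquote(param), validate=True)
    inflater = zlib.decompressobj(-15)  # raw DEFLATE stream, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if not inflater.eof:  # stream cut short, or output stopped at the cap
        raise ValueError("request truncated or larger than size cap")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    return ET.fromstring(xml)

def check_authn_request(root):
    """Return the names of fields that differ from the values on this page."""
    expected = (("Version", "2.0"), ("ProtocolBinding", BINDING))
    problems = [name for name, value in expected if root.get(name) != value]
    acs = root.get("AssertionConsumerServiceURL", "")
    if not acs.startswith(ACS_PREFIX + "?id="):
        problems.append("AssertionConsumerServiceURL")
    if root.findtext("saml:Issuer", "", NS).strip() not in (ACS_PREFIX, acs):
        problems.append("Issuer")
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None or policy.get("Format") != NAMEID_FORMAT:
        problems.append("NameIDPolicy")
    return problems

def encode_saml_request(xml):
    """Inverse of decode_saml_request; used to build the constructed sample."""
    deflater = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()), safe="")

# Constructed sample; SAML_ID_PLACEHOLDER stands in for the account's <saml_id>.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" Version="2.0" '
    'ProtocolBinding="%s" AssertionConsumerServiceURL="%s?id=SAML_ID_PLACEHOLDER">'
    '<saml:Issuer>%s</saml:Issuer><samlp:NameIDPolicy Format="%s" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
) % (NS["samlp"], NS["saml"], BINDING, ACS_PREFIX, ACS_PREFIX, NAMEID_FORMAT)
```

An empty list from `check_authn_request(decode_saml_request(value))` means the request carries the documented values; any returned name points at the field to compare with your IdP configuration.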

## Example SAMLResponse that Opsgenie Receives from Your IdP

USER_LOGIN_E_MAIL_ADDRESS is the login e-mail address (user name) of the authenticating user.

## References

[Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0](🔗)