Creating a SAML2 Identity Provider
Prerequisites
- An existing team in SplitSecure
- Web Companion paired with mobile app
- Knowledge of which service providers will use this IdP
Configure IdP Settings
1 Select Controlling Team
Choose which team will control this Identity Provider:
| Field | Description |
|---|---|
| Team | The team whose members can approve authentication requests |
Note
Only members of the selected team can approve SAML authentication requests made through this IdP.
2 Enter IdP Details
| Field | Description | Example |
|---|---|---|
| Name | A descriptive name for this IdP | “Production SSO” |
| Valid From | When the certificate becomes valid | Today’s date |
| Valid Until | When the certificate expires | 10 years from now (default) |
The validity period determines how long service providers will trust the IdP's certificate. Most organizations use a 10-year validity for convenience.
3 Submit for Approval
- Review your settings
- Click Create
- A threshold proposal is created for team approval
Threshold Approval
1 Team Members Approve
Creating an IdP requires approval from team members:
- Team members receive a notification on their mobile devices
- They review the IdP creation details
- They approve or reject the request
Warning
IdP creation cannot be auto-approved. Team members must manually review and approve the creation of new identity providers.
2 Monitor Approval Progress
The roundtrip page shows:
- Which team members have approved
- Which are still pending
- Overall progress toward threshold
Once the required threshold is reached, the IdP is created.
Download Metadata
1 Access IdP Details
After approval:
- Navigate to Secure Accounts → SAML2 Identity Providers
- Click on your newly created IdP
- The details page shows IdP configuration
2 Download SAML Metadata
On the IdP details page:
- Click Download Metadata
- Save the XML file to your computer
This metadata file contains:
| Element | Purpose |
|---|---|
| Entity ID | Unique identifier for your IdP |
| Certificate | Public key for signature verification |
| SSO URLs | Endpoints for SAML requests |
Next Steps
1 Configure Service Providers
Use the downloaded metadata to configure your service providers:
| Service Provider | Integration Guide |
|---|---|
| AWS | AWS SAML Integration |
| Google Cloud | GCP SAML Integration |
| Google Workspace | Google Workspace Integration |
| Microsoft Entra ID | Entra ID Integration |
| Okta | Okta SAML Integration |
| Cloudflare | Cloudflare Integration |
| Oracle Cloud | Oracle Cloud Integration |
| IBM Cloud | IBM Cloud Integration |
| PagerDuty | PagerDuty Integration |
| Kandji | Kandji Integration |
| Rapid7 | Rapid7 Integration |
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| “No team selected” error | Team not chosen | Select a team from the dropdown |
| Approval stuck at “Waiting” | Team members haven’t approved | Contact team members to approve on their devices |
| Metadata download fails | IdP not yet created | Wait for threshold approval to complete |
| Service provider rejects metadata | Metadata format issue | Ensure metadata is downloaded as XML, not HTML |