SAML Applications

Configure a Federated Application to use Descope as a SAML 2.0 Identity Provider. Your service provider redirects users to Descope for authentication, Descope runs your configured flow, and returns a signed SAML assertion. Standard SAML 2.0 protocol throughout — no custom auth logic required.

Note

Configuring additional federated applications (beyond the default) is a Pro+ feature.

Sequence diagram (SP-initiated SSO) with participants Application (SP), Browser / User and Descope (IdP): the user tries to access a protected resource; the SP redirects the browser to Descope with a SAMLRequest; the Descope auth flow runs; Descope POSTs a SAMLResponse to the SP's ACS URL; the SP validates the assertion and a session is established.

SP-initiated SSO is the most common flow. The user tries to access a protected resource and the SP redirects them to Descope to authenticate.

  • Configure your SP with Descope's SSO URL and Entity ID from the Identity Provider section.
  • Descope runs your configured flow, then POSTs a signed SAMLResponse to your SP's ACS URL.
  • Your SP validates the assertion signature using Descope's public certificate. It should also check that the assertion is addressed to it (the Audience matches its Entity ID and the Recipient matches its ACS URL), that the current time falls within NotBefore/NotOnOrAfter, and, for SP-initiated logins, that InResponseTo matches the request it actually sent.

See Service Provider Configuration for setup details.


For a full reference of all SAML application settings, see the Configuration Reference below.

Creating a SAML Application

Navigate to Federated Apps and click + Application in the top right. Choose a template from the Application Library or create a Generic SAML Application. Provide an Application Name, and optionally an Application ID and Description.

Create a SAML Application within Descope

Configuring a SAML Application

Once created, configure the application from its settings page. The two sides you need to configure are the Identity Provider (Descope's details, which you give to your SP) and the Service Provider (your SP's details, which you give to Descope).

Identity Provider Configuration

Configure your SP with Descope's details. You can use the metadata URL or enter fields manually.

Option 1: Metadata URL

https://api.descope.com/v1/auth/saml/idp/metadata?projectId=xxxxx&ssoAppId=yyyy

If your SP does not support fetching metadata from a URL, download the XML file and upload it manually.

Option 2: Manual Configuration

Configure the SP manually using the following values from the Identity Provider section:

  • SSO URL
  • Entity ID
  • Public Certificate

SSO URL, Entity ID

Note

If your SP requires fingerprint hashes (SHA1 or SHA256) instead of a certificate file, Descope provides these for download as well.

You may also upload a custom certificate to replace the default Descope certificate.

Fingerprint hashes and public certificate

Service Provider Configuration

Configure Descope with your SP's details. You can supply a metadata URL or enter fields manually.

Option 1: Metadata URL

If your SP provides a metadata URL, Descope extracts the ACS URLs, Entity ID, and certificates automatically.

Download Metadata XML

Option 2: Manual Configuration

Provide the following values from your SP:

  • ACS URL
  • Entity ID (supports wildcards and regex)
  • Public Certificate

ACS URL, Entity ID

Mandatory SP configuration fields

Note

Regex expressions are supported in the Entity ID field to match dynamic or multi-subdomain configurations. Write the pattern fully anchored (^...$) with literal dots escaped so that it cannot also match an Entity ID that merely contains your domain as a substring; the SP Entity ID determines who may receive assertions, so an over-broad pattern widens that set.

Advanced Settings

Allowed ACS Callback URLs

Specify additional ACS URLs to support logins from multiple domains or environments. Supports exact URLs and regex patterns.

Certificate and Allowed ACS URLs

Tip

Use regex for broader ACS URL coverage across staging, QA, and production environments, but keep the pattern anchored and limited to hosts you control: the ACS URL is where the signed SAMLResponse is posted, so a pattern that also matches an attacker-chosen host lets that host receive assertions for your users.
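An added example (not Descope's matching logic, which this page does not describe) showing how an unanchored pattern with unescaped dots over-matches ACS URLs, and how an anchored, host-bounded pattern combined with an independent URL-parse check rejects the same inputs. The URLs are constructed samples and example.com stands in for your own domain; because Descope's regex semantics are not documented here, the strict pattern is written so that it holds under either search or full-match evaluation.

```python
"""Why allowed-ACS and Entity ID patterns must be anchored and host-bounded.

Added example, not Descope's code. The URLs are constructed samples and
example.com stands in for your own domain.
"""
import re
from urllib.parse import urlparse

# url -> whether it really is one of our ACS endpoints
SAMPLE_URLS = {
    "https://app.example.com/saml/acs": True,
    "https://staging.example.com/saml/acs": True,
    "https://qa-2.example.com/saml/acs": True,
    "https://appXexample.com/saml/acs": False,                        # unescaped '.'
    "https://app.example.com.attacker.tld/saml/acs": False,           # our host as a prefix
    "https://attacker.tld/?u=https://x.example.com/saml/acs": False,  # '.*' swallows '/'
    "http://app.example.com/saml/acs": False,                         # plaintext
}

# Common first attempt: "anything that mentions example.com".
LOOSE_PATTERN = r"https://.*example.com.*"
# Dots escaped, exact path, host restricted to one label that cannot contain '.' or '/'.
STRICT_PATTERN = r"https://[a-z0-9-]+\.example\.com/saml/acs"


def loose_match(url):
    return re.search(LOOSE_PATTERN, url) is not None


def strict_match(url):
    return re.fullmatch(STRICT_PATTERN, url) is not None


def host_check(url):
    """Independent check: parse the URL and test scheme, host suffix and path."""
    p = urlparse(url)
    host = p.hostname or ""
    return p.scheme == "https" and host.endswith(".example.com") and p.path == "/saml/acs"


def acs_allowed(url):
    """Defence in depth: the regex and the parsed-host check must both agree."""
    return strict_match(url) and host_check(url)


def false_accepts(matcher):
    """URLs the matcher accepts that are not ours: the list you want empty."""
    return [u for u, ok in SAMPLE_URLS.items() if matcher(u) and not ok]


def false_rejects(matcher):
    """Legitimate URLs the matcher turns away."""
    return [u for u, ok in SAMPLE_URLS.items() if ok and not matcher(u)]


if __name__ == "__main__":
    for name, m in (("loose", loose_match), ("strict", acs_allowed)):
        print(f"{name}: wrongly accepts {false_accepts(m)}, wrongly rejects {false_rejects(m)}")
```

The loose pattern accepts three attacker-controlled hosts while rejecting nothing legitimate, which is exactly why it survives testing; the strict pattern plus the parsed-host check accepts the same three environments and nothing else.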

SAML Subject and Name ID

Many SPs require the user's email as the NameID subject. You can choose which user attribute to use: User ID, Email, Phone, or any custom attribute. When using a custom attribute, set the NameID format to unspecified for maximum compatibility.

Supported NameID formats:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Creating a custom attribute in Descope

Setting custom attribute as NameID in SAML settings

Default Relay State

Determines where users are redirected after signing in via IdP-initiated SSO. Can be customized per application instance or user group.

Error Redirect URL

A hosted error page for end users, shown when a timeout or misconfiguration occurs during SAML login.

Force Authentication

When enabled, Descope runs the authentication flow even if the user is already signed in. This is the IdP-side equivalent of the SP setting ForceAuthn="true" on its AuthnRequest (the SAML counterpart of OIDC's prompt=login).

Force authentication checkbox

SSO Mapping

User Attribute Mapping

Map Descope user attributes to the attribute names your SP expects in the SAML assertion.

| Descope user attribute | User attribute name |
|---|---|
| Descope user email | email |
| Descope display name | name |
| Descope phone number | phone |

Configuring user attribute mapping for a SAML Application within Descope

Group Mapping

Map Descope roles to the group attribute your SP expects.

| Descope Roles | Group attribute name |
|---|---|
| Manager | Manager |

Configuring group mapping for a SAML Application within Descope
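The SP-side checks described under the SP-initiated flow earlier on this page, together with consumption of the mapped user attributes and groups above, as one added example that is not Descope's code nor that of any SP library. It assumes the XML signature over the response has already been verified with an XML-DSig library (not shown) and performs the checks that follow: Destination, Issuer, validity window, Audience, bearer Recipient, InResponseTo (which must be absent for an IdP-initiated login), then NameID, attribute and group extraction, and an allowlist for RelayState. The response document, the idp.example.test entity ID, the SP URLs, the user, and the "groups" attribute name are constructed assumptions.

```python
"""SP-side checks on a SAMLResponse, run after XML signature verification.

Added example, not Descope's or any SP library's code. It assumes the signature has
already been verified against the IdP certificate with an XML-DSig library (not shown).
SAMPLE_RESPONSE, the IdP entity ID, SP URLs, user and the "groups" attribute name are
constructed assumptions, not values taken from the page."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ROLE_BY_GROUP = {"Manager": "manager"}  # SAML group value -> application role (assumed mapping)

@dataclass(frozen=True)
class SPConfig:
    entity_id: str      # must be listed as an Audience
    acs_url: str        # must equal Destination and Recipient
    idp_entity_id: str  # must equal the assertion Issuer
    clock_skew: timedelta = timedelta(seconds=60)

SP = SPConfig("https://app.example.com/saml/metadata", "https://app.example.com/saml/acs",
              "https://idp.example.test/saml/idp/P2NvMv9S3-SA2hNtkVFXq3X3X")
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)  # constructed clock for the sample

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
 Destination="https://app.example.com/saml/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example.test/saml/idp/P2NvMv9S3-SA2hNtkVFXq3X3X</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/idp/P2NvMv9S3-SA2hNtkVFXq3X3X</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z" InResponseTo="_req42"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="name"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>Manager</saml:AttributeValue><saml:AttributeValue>Auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, now, expected_request_id):
    """Return (name_id, format, attributes) or raise; expected_request_id is None for IdP-initiated logins."""
    root = ET.fromstring(xml_text)
    if root.attrib.get("Destination") != cfg.acs_url:
        raise ValueError("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity instead of picking one
        raise ValueError("expected exactly one plaintext Assertion")
    a, skew = assertions[0], cfg.clock_skew
    if a.findtext("saml:Issuer", "", NS).strip() != cfg.idp_entity_id:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + skew < _ts(cond.attrib["NotBefore"]) or now - skew >= _ts(cond.attrib["NotOnOrAfter"]):
        raise ValueError("assertion outside its validity window")
    if cfg.entity_id not in [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("our entity ID is not an Audience of this assertion")
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if scd is None or scd.attrib.get("Recipient") != cfg.acs_url or now - skew >= _ts(scd.attrib["NotOnOrAfter"]):
        raise ValueError("no unexpired bearer confirmation addressed to our ACS URL")
    in_response_to = scd.attrib.get("InResponseTo")
    if expected_request_id is None and in_response_to is not None:
        raise ValueError("unsolicited response must not carry InResponseTo")
    if expected_request_id is not None and in_response_to != expected_request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we issued")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    attrs = {at.attrib["Name"]: [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id.text, name_id.attrib.get("Format"), attrs

def map_roles(attrs, group_attr="groups"):
    # Unknown group values are ignored rather than turned into roles.
    return sorted({ROLE_BY_GROUP[g] for g in attrs.get(group_attr, []) if g in ROLE_BY_GROUP})

def safe_relay_state(relay_state, default="/"):
    """RelayState is attacker-choosable on IdP-initiated URLs: accept only a local absolute path."""
    if not relay_state or not relay_state.startswith("/") or relay_state.startswith("//") or "\\" in relay_state:
        return default
    parts = urlsplit(relay_state)
    return default if parts.scheme or parts.netloc else relay_state

def outcome(xml_text, cfg, now, expected_request_id, relay_state=None):
    # Result tuple the ACS handler can branch on: ("ok", session data) or ("rejected", reason).
    try:
        name_id, fmt, attrs = validate_response(xml_text, cfg, now, expected_request_id)
    except ValueError as err:
        return "rejected", str(err)
    return "ok", {"name_id": name_id, "format": fmt, "attributes": attrs,
                  "roles": map_roles(attrs), "redirect": safe_relay_state(relay_state)}
```

The same validator serves both flows: for an SP-initiated login the handler passes the ID of the AuthnRequest it stored in the user's session, and for an IdP-initiated login it passes None and the response is then required not to claim it answers any request.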

Login Hints

Descope supports passing login hints via query parameters when initiating SAML authentication. Useful when user identity is already known before the flow begins.

Supported parameters (all behave identically):

  • username
  • login_hint
  • loginHint
  • LoginHint (used by Okta CIS)

Append to any SP-initiated or IdP-initiated URL:

https://api.descope.com/v1/auth/saml/idp/initiate?app=P2NvMv9S3-SA2hNtkVFXq3X3X&login_hint=user@example.com

This populates form.externalId inside the Descope flow, where it can be used in any action or condition. Treat it as a prefill only: anyone can put any value in the query string, so the flow must still authenticate the user and must never grant access on the strength of the hint.

Single Logout (SLO)

Descope supports a lightweight SLO that terminates the Descope session and redirects users to a configured logout URL. It does not propagate logout to other SPs connected to the same project.

To configure:

  1. Set a Logout URL in your SAML application — this is where users land after logout.
  2. Copy the IdP Logout URL from the console and configure it as the logout endpoint in your SP.
https://api.descope.com/v1/auth/idp/sso/logout?app=<Descope Project ID>-<Descope Application ID>

SAML Single Logout Configuration

IdP-Initiated SSO

Every SAML application has an IdP-initiated URL under the Identity Provider settings:

https://api.descope.com/v1/auth/saml/idp/initiate?app=P2NvMv9S3-SA2hNtkVFXq3X3X

Users navigate to this URL, authenticate with Descope, and are posted directly to the SP's ACS URL — no SP redirect required. Because the SP never issued an AuthnRequest, the SAMLResponse carries no InResponseTo; the SP must be configured to accept unsolicited responses, and it should still validate Audience, Recipient and the validity window as for any other assertion.

Query Parameters

| Parameter | Description |
|---|---|
| tenant | Directs users to authenticate with a specific tenant. Accepts tenant name, tenant ID, or email domain. |
| login_hint / loginHint / username | Pre-fills user identity in the flow. |
| relay_state | Determines where users are redirected after login at the SP. It reaches the SP as RelayState, and since anyone can set it on the URL, the SP should validate it before redirecting. |

Example with tenant and login hint:

https://api.descope.com/v1/auth/saml/idp/initiate?app=P2NvMv9S3-SA2hNtkVFXq3X3X&tenant=corp&login_hint=user@example.com

Configuration Reference

| Setting | Section | Description |
|---|---|---|
| Application Name | Application Details | Display name of the application. Can be updated. |
| Application ID | Application Details | Unique identifier set at creation. Cannot be changed. Available in flows to render application-specific logic. |
| Description | Application Details | Optional context for the application. |
| Application Icon | Application Details | Custom icon for the application. |
| Flow Hosting URL | SSO Configuration | URL of the Descope flow users are redirected to when signing in. |
| Descope Metadata (XML) | SSO Configuration — Identity Provider | Metadata URL for your Descope SAML application. |
| Download Metadata (XML) | SSO Configuration — Identity Provider | Downloads the metadata XML for manual SP configuration. |
| Descope Entity ID | SSO Configuration — Identity Provider | Unique identifier for the Descope SAML application. |
| SSO URL | SSO Configuration — Identity Provider | The SSO URL to configure in your SP. |
| IdP-Initiated URL | SSO Configuration — Identity Provider | Entry point for IdP-initiated SSO. |
| Descope Certificate | SSO Configuration — Identity Provider | Downloads the public certificate for assertion validation. |
| Metadata URL (SP) | SSO Configuration — Service Provider | SP metadata URL for dynamic configuration. |
| Manual SP fields | SSO Configuration — Service Provider | ACS URL, Entity ID (regex supported), and SP certificate. |
| Allowed ACS Callback URLs | SSO Configuration — Service Provider — Advanced | Additional ACS URLs for multi-domain or multi-environment setups. |
| SAML Assertion Subject Type | SSO Configuration — Service Provider — Advanced | User attribute to use as the SAML subject (User ID, Email, Phone, or custom). |
| SAML Subject NameID Format | SSO Configuration — Service Provider — Advanced | NameID format sent to the SP. |
| Default Relay State | SSO Configuration — Service Provider — Advanced | Post-login redirect destination for IdP-initiated SSO. |
| Error Redirect URL | SSO Configuration — Service Provider — Advanced | Custom error page URL shown on login failures. |
| Logout URL | SSO Configuration — Service Provider — Advanced | Destination after SLO completes. |
| Force Authentication | SSO Configuration — Service Provider — Advanced | Forces the flow to run regardless of existing session state. |
| Descope user attribute | SSO Mapping — User Attribute Mapping | Descope attribute to map to an SP attribute name. |
| User name attribute | SSO Mapping — User Attribute Mapping | SP attribute name to receive the mapped Descope value. |
| Descope Roles | SSO Mapping — Group Mapping | Descope roles to map to a SAML group attribute. |
| Group attribute name | SSO Mapping — Group Mapping | SAML group attribute name to receive the mapped roles. |