SAML Applications

When configuring a SAML Application within Descope, Descope becomes the Identity Provider for your users. This allows you to use Descope as your unified identity storage for your users across multiple applications. This guide covers how to create a SAML Application within Descope and integrate with your service provider.

Note: Configuring a Custom Applications is an enterprise-tier feature.

Creating a SAML Application

Within Descope, navigate to Applications and click the + Application at the top right.When creating your application, you must provide it with an Application Name, and optionally provide an Application ID and Description.

Create a SAML Application within Descope.

Configure the SAML Application

Once the SAML application has been created within the console, you can further configure the application. Below you can find the available configurations for SAML Applications within Descope.

Configuring a SAML Application within Descope.

All Settings

Setting	Section title in Console	Details
Application Name	Application Details	This is the chosen name of your application, this can be updated.
Application ID	Application Details	This is the ID of your application, this can be chosen during application creation, or is automatically populated if not provided. This can not be updated. Also, it can be used in the flow to render unique logic depending on the Application
Description	Application Details	This is the chosen description of your application, this can be updated.
Application Icon	Application Details	By clicking the edit button on the icon, you can provide your own icon for your SAML Application.
Flow Hosting URL	SSO Configuration (Identity Provider)	This is the URL of the flow that the user will be redirected to when signing in with Descope as a SAML provider.
Descope XML URL	SSO Configuration (Identity Provider)	This is the metadata URL of your Descope SAML Application.
Download XML	SSO Configuration (Identity Provider)	Clicking this allows you to download the metadata of your Descope SAML Application.
Download public certificate	SSO Configuration (Identity Provider)	Clicking this allows you to download the public certificate for your Descope SAML Application.
Descope Entity ID	SSO Configuration (Identity Provider)	This is the unique identifier of your Descope SAML Application.
SSO URL	SSO Configuration (Identity Provider)	This is the SSO URL you would configure within your Service Provider to link to your Descope SAML Application.
IdP-Initiated URL	SSO Configuration (Identity Provider)	This is the IdP-initiated SSO url that you can use to sign in with Descope into your SAML applications, starting at Descope instead of the application.
Retrieve the connection details dynamically using a metadata URL	SSO Configuration (Service Provider)	This is your Service Provider's metadata URL for the Descope SAML Application to dynamically retrieve the provider's details.
Enter the connection details manually	SSO Configuration (Service Provider)	If you chose to configure via this route, you will provide the ACS URL, Entity ID (regex supported), any other additional authorized callback URLs, and certificate of your Service Provider.
SAML Assertion Subject Type	SSO Configuration (Service Provider) - Advanced	The unique user identifier that you want to send back to your SP, to let it know which user is actually signing in (most commonly either Descope User ID or email)
Descope user attribute	SSO Mapping (User Attribute Mapping)	The Descope attribute to map to the SP user value
SP user value	SSO Mapping (User Attribute Mapping)	The SP user value which the Descope attribute will be mapped to.
Descope Roles	SSO Mapping (Group Mapping)	The Descope roles which you'd like to map to the SAML group.
SAML XML group	SSO Mapping (Group Mapping)	The SAML group you would like to map the Descope roles to.

Example Configuration

For this example, we will assume that you are building an Application within Descope to connect to ExampleServiceProvider.

Configure Service Provider Details

We will utilize the service provider's metadata URL, which will be https://exampleserviceprovider.com/saml/metadata; however, if you would rather, you can use the service provider's ACS URL, Entity ID (regex supported), and Certificate.

Configuring the service provider's metadata URL for a SAML Application within Descope.

Advanced

Many SPs such as Zendesk, Freshworks, etc. will require that you use the user's email as the NameID subject in the SAML assertion, so they know which user has signed in with Descope. You can adjust which user attribute you wish to use for your service provider (SP), either User ID, Email, or Phone.

Configure User Attribute Mapping

We will then configure the SSO Mapping for the user's attributes. We will map some of the Descope user attributes to attribute keys expected by the service provider. Below you can see an example of the email, display name, and phone number being mapped to values expected by the service provider. For this example, ExampleServiceProvider expects email, name, and phone.

Configuring user attribute mapping for a SAML Application within Descope.

Configure Group Mappings

We will then configure the SSO Mapping for the groups. We will map some of the Descope groups to attribute keys expected by the service provider. Below you can see an example of groups being mapped to values expected by the service provider. For this example, ExampleServiceProvider expects groups to be mapped to the groups attribute. After configuring the group mappings, we will save our configuration of the SAML application.

Configuring group mapping for a SAML Application within Descope.

Configuring Service Provider

There are three ways to configure your service provider:

Metadata URL

Using metadata URLs is the easiest approach to utilize the SAML application's Descope XML URL which can be found on within the console for your SAML application. The URL would look like https://api.descope.com/v1/auth/saml/idp/metadata?projectId=xxxxx&ssoAppId=yyyy.

Download the Metadata XML

You can also configure your SP with the downloaded metadata XML here:

Use Public Certificate or Fingerprint Hashes

Finally, you can configure your SP by downloading the public certificate or fingerprint hashes (if you're SP requires SHA1 or SHA256 Fingerprint Hashes) and manually copying the Descope SAML application's entity ID and SSO URL.

Once you have configured your service provider per one of these methods, you are now ready to use SAML within the service provider's application.

If you're configuring your SP manually not using the metadata URL, you must at least configure a single ACS URL and Entity ID. The entity ID field supports wildcards as well, if you would like to include multiple subdomains as an Entity ID.

NOTE: As you can see, you can use regex expressions in the Entity ID field.

You can also add a certificate as well as optional additional ACS URLs as well, in the field below.

NOTE: As you can see, you can use regex expressions in the Additional ACS URL field, and add as many additional ACS URLs as necessary.

IdP Initiated SSO

We have created an application that you can clone and deploy on Vercel, which will render a list of applications that a user has access to. This application allows users to use IdP-initiated SSO to sign in directly. For more details, visit the GitHub README.

Descope supports IdP-initiated SSO as a SAML provider. This means you can start from anywhere, and by navigating to the IdP-initiated SSO URL, you can step through a Descope flow, sign in, and be automatically signed into any SAML application configured with Descope.

Every SAML application will have a link like this under the Identity Provider settings: https://api.descope.com/v1/auth/saml/idp/initiate?app=P2NvMv9S3-SA2hNtkVFXq3X3X.

Custom Parameters

The IdP-initiated SSO link can be customized with various query parameters to create a dynamic login experience for your users, including Tenant and Default Relay State.

Tenant

The Tenant parameter allows you to specify the tenant dynamically. This value is passed into the flow hosted at your Flow Hosting URL, directing users to sign in with a specific tenant without requiring them to input their email address.

Example:

https://api.descope.com/v1/auth/saml/idp/initiate?app=P2NvMv9S3-SA2hNtkVFXq3X3X&tenant=<tenant name, email domain, or tenant id>

Default Relay State

The Default Relay State parameter determines where users will be redirected after signing in with Descope using IdP-initiated SSO. This can be modified so different users are directed to different instances of your application.

Example:

https://api.descope.com/v1/auth/saml/idp/initiate?app=P2NvMv9S3-SA2hNtkVFXq3X3X&defaultRelayState=https://example1.app.com

Use Cases for IdP-Initiated SSO with Descope

Seamless Access to Multiple Applications:
- Organizations with multiple internal applications can provide users with a single IdP-initiated SSO URL. Users can sign in once and gain access to all the applications they are authorized to use.
Tailored Login Experiences for Different User Groups:
- By using the Tenant parameter, you can direct different groups of users to specific login flows. For example, employees from different departments can be directed to tenant-specific login pages, improving user experience and security.
Custom Post-Login Redirection:
- The Default Relay State parameter allows for custom redirection after login. This is useful for organizations that want users to land on specific dashboards or application instances based on their role or department.
Streamlined Partner and Vendor Access:
- Provide partners or vendors with specific IdP-initiated SSO URLs that include the appropriate Tenant and Default Relay State parameters. This ensures they are directed to the correct application environment, reducing confusion and access issues.

Was this article helpful?Yes No