1. SAML IdP Overview

Cloudentity SAML IdP services facilitates exchange of authentication and authorization information across different organizations with different security domains.

SAML is an XML based language to exchange security assertions. SAML defines following actors:

  • principal ⇒ end user trying to access a resource.

  • service provider ⇒ web resource that the principal is trying to access.

  • identity provider ⇒ server that holds the principal’s identities and credentials.

In this service, Cloudentity acts as the identity provider to generate SAML assertion responses and provide it to any trusted SAML service providers.

2. SAML Profile

One of the most widely used SAML profiles is Web Browser SSO Profile. Cloudentity IdP services supports both variants of the Web Browser SSO Profile

  • SP-Initiated SSO

  • "IdP-initiated" or "Unsolicited" SSO.

2.1. SP-initiated SSO

In SP-initiated SSO, the user attempts to access a resource on the SP. However they do not have a current logon session on this site and their federated identity is managed by their IdP. They are sent to the IdP to log on and the IdP provides a SAML web SSO assertion for the user’s federated identity back to the SP.

saml sso sp initiated

2.2. IdP-initiated SSO

In an IdP-initiated use case, the identity provider is configured with specialized links that refer to the desired service providers. These links actually refer to the local IdP’s Single Sign-On Service and pass parameters to the service identifying the remote SP. So instead of visiting the SP directly, the user accesses the IdP site and clicks on one of the links to gain access to the remote SP. This triggers the creation of a SAML assertion that will be transported to the service provider using the HTTP POST binding.

saml sso idp initiated

3. Configuration

Following steps need to be done to set up Cloudentity as external IdP for any SAML Service Provider.

3.1. Steps

  • Get SAML Metadata from Cloudentity IDP. Learn more

    • IdP SAML metadata (SAML)

    • IdP Certificate

  • Register Cloudentity as Identity Provider in SAML Service provider

    • Follow steps provided by your SAML service provider to complete this

  • Download SAML metadata from external SAML service provider

    • Follow steps provided by your SAML service provider to complete this.

  • Register external SAML service provider within Cloudentity. Learn more

  • Verify Single Sign On via either SP initiated or Idp initiated sso mechanisms. Learn more

Above outlined workflow is the default workflow. Workflows and redirects may be modified per Identity Provider configuration, using advanced settings within Cloudentity system based on custom business requirements.

3.2. Federation Management Admin User Interface

Cloudentity administrative UI application provides a simple user interface to manage external third party SAML service provider agreement and mapping information. Administrative users need to have proper entitlement to act on specific actions. Each of these actions in UI are mapped directly to specific entitlements for user to allow fine grained access control of these operation from an administrative panel.

  • List Service Providers

  • Get Service Provider

  • Register Service Provider

  • Update Service Provider

  • Delete Service Provider

List Service Providers

User Entitlement: ADMIN_LIST_SPS
Admin UI Location: Admin dashboard >> Service Providers

List External Sp for Organization

Get Service Provider

Entitlement: ADMIN_GET_SP
Admin UI Location: Admin dashboard >> Service Providers >> [Select one from list of Sps]

Get External Sp Configuration for Organization
Register SAML as Identity Provider

Register Service Provider

Entitlement: ADMIN_CREATE_SP
Admin UI Location: Admin dashboard >> Service Providers >> Register Service Provider

Register External Sp Configuration for Organization

Update Service Provider

Entitlement: ADMIN_UPDATE_SP
Admin UI Location: Admin dashboard >> Service Providers >> [Select one from list of Sps] >> Update SP

Update External Sp Configuration for Organization
Update External Sp Configuration for Organization

Delete Service Provider

Entitlement: ADMIN_DELETE_SP
Admin UI Location: Admin dashboard >> Service Providers >> [Select one from list of Sp] >> Delete SP

Delete External Idp Configuration for Organization

3.3. Download Cloudentity IdP SAML Metadata

Cloudentity SAML metadata information has to be provided to SAML Service Provider for registering Cloudentity as Identity Provider.

Cloudentity metadata can be downloaded from Cloudentity System either via:

  • Administrative UI

saml idp download metadata

  • API Call

    • Get IdP Metadata

GET https://<cloudentity-saml-idp-host>/saml/metadata
  • Get IdP Certificate

GET https://<cloudentity-saml-idp-host>/saml/certificate

3.3.1. Sample metadata

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://ecs.cylance.cloudentity.com/saml">
   <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
         <shibmd:Scope regexp="false">ecs.cylance.cloudentity.com</shibmd:Scope>
         <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm" />
         <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm" />
         <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm" />
         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
         <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep" />
         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
      <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML1/SOAP/ArtifactResolution" index="1" />
      <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/SOAP/ArtifactResolution" index="2" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/Redirect/SLO" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/POST/SLO" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/POST-SimpleSign/SLO" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/SOAP/SLO" />
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://ecs.cylance.cloudentity.com/saml/profile/Shibboleth/SSO" />
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/POST/SSO" />
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/POST-SimpleSign/SSO" />
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/Redirect/SSO" />
   <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
         <shibmd:Scope regexp="false">ecs.cylance.cloudentity.com</shibmd:Scope>
      <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML1/SOAP/AttributeQuery" />
      <!-- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/SOAP/AttributeQuery"/> -->
      <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above -->
</EntityDescriptor> SAML Metadata terms
Name Description


Unique name representing a party in federation agreement


Format of the attribute for NameID in SAML response assertion

SingleSignOnService Url

SAML assertion producer endpoint after login. This value can be found within the Location block of SingleSignOnService
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ecs.cylance.cloudentity.com/saml/profile/SAML2/POST/SSO"/>

3.4. Verify SAML Authentication flow

  1. Initiate Cloudentity IdP authentication process either from Service Provider website or from IdP hosted website. Learn more about these flows at - SAML flows

    1. SP Initiated SSO

      Navigate to SP website and start authentication process.
    2. IdP Initiated SSO

Navigate to IdP portal page and click on url that redirects to SP website OR launch below URL with your registered SP entity Id.



  1. User will be redirected to Cloudentity IdP to complete authentication process and on completion, user will be by redirected to external Service Provider page.

3.5. SAML Debugging tools

There are several SAML browser tools available to trace SAML assertions for federations based on SAML.



4. SAML Integration Examples

4.1. Salesforce

Salesforce can be configured to authenticate with Cloudentity as single sign-on (SSO) identity provider , allowing end users to easily and securely access Salesforce.

Below steps are for guidance reference and latest Salesforce documentation must be followed to complete below setup

  1. Fetch Cloudentity SAML metadata & IdP certificate

  2. Login to Salesforce and set up a new SAML Single Sign On under Security Controls, if a setup does not already exist for the IDP

salesforce single sign on settings
salesforce create new
  1. Upload Cloudentity Metadata and set up Salesforce for consuming SAML assertions, JIT etc

salesforce after registration
Based on location SAML Identity Type & Location, registration mapping within Cloudentity should be adjusted as well.
  1. Configure Salesforce domain settings to allow the newly set up IdP as one of the authentication mechanisms

salesforce list domain for sign in
salesforce view domain for sign in
salesforce edit domain for sign in
After this is setup, the selected Identity Providers will be available in Salesforce login page as supported authentication providers
  1. Register Salesforce as an SAML SP in Cloudentity Learn more

Mappings are important based on organization’s preference on how to map user & profile attributes.If JIT is not enabled, its critical that the salesforce user information can be matched up based on the mapping in SAML assertion
Table 1. [SP Configuration Fields]
Cloudentity Field Name Salesforce Field Name Data Source













Identifier from attribute must be set to true if NameID needs to be released and set in SAML response assertion Identifier attribute defines the authenticated session attribute that will be used to set the value of NameID
  1. Verify authentication using either

    1. SP initiated SSO

    2. Idp initiated SSO

4.1.1. Troubleshooting

Salesforce related errors:

5. Learn More