IPI Authentication Service (EN)
  • IPI Authentication Service for Enterprises
    • Release notes
  • Quick Start Guides
    • Key features of the IPI Authentication Service in 5 minutes
    • Setup guides
      • Hardware key setup guide
        • Admin Guide (first steps)
        • Admin Guide (advanced steps)
        • User Guide – first steps with the IPI Client
        • User Guide – first steps with the IPI Client (for PCs without internal Bluetooth)
        • User Guide (advanced steps with the IPI Client)
      • Mobile authenticator setup guide
        • Admin Guide
        • User Guide (first steps)
        • User Guide (advanced steps)
    • FIDO2 and U2F Authentication Guide
    • Quick Start Guide for subscriptions
      • Hardware key guide
      • IPI Authenticator guide
      • Passkeys Guide
    • Guide for free trial projects
      • Passkeys
      • Mobile app
      • IPI Key
  • Use cases
    • Admin cases for IPI Enterprise Server
      • Integration IES with Active Directory
      • Import and sync users from Active Directory
      • Import and sync users from Active Directory with domain password changing
      • How to enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10-11
      • Emergency blocking of all computers
    • Hardware key use cases
      • Proximity settings (guide for admin)
      • End user Use cases
        • Proximity Lock
        • Proximity Unlock
        • Unlock PC by Bluetooth Touch (Tap-and-Go)
        • Unlock PC by Security Key
        • Using IPI Key as an OTP generator for your two-factor authentication
        • Using IPI Key as U2F security key for your two-factor authentication
      • Other vendors' hardware keys
    • Software key use cases
      • Mobile authenticator use cases
        • Admin cases
          • Using IPI Authenticator as your passwordless authentication method for SSO
          • Using IPI Authenticator as your two-factor authentication method for SSO
        • End user Use cases
          • Using IPI Authenticator as your passwordless authentication method for SSO
          • Using IPI Authenticator as your two-factor authentication method for SSO
          • Passwordless PC login
          • Password-based PC login
          • Login to remote PC via RDP
          • Remote PC lock
          • Using IPI Authenticator as an OTP generator for your two-factor authentication
      • Smartphone or tablet as a Passkey
  • IPI Enterprise Server
    • IPI Enterprise Server
    • Glossary
    • Deployment
      • Database installation
        • MySQL on Windows
        • MySQL on Linux
        • Microsoft SQL Server on Windows
        • Microsoft SQL Server on Linux
      • IES deployment
        • Windows
        • Linux
        • Docker
        • Deployment without Internet access
        • Troubleshooting
      • IES update
        • Windows
        • Linux
        • Docker
    • Administration
      • How to change the password for an administrator account?
      • How to recover a forgotten admin password?
      • Adding an admin account
      • Deleting an admin account
      • How to enable two-factor authentication at the IPI Enterprise Server?
      • Authorization on the IES server via a FIDO key
      • Platform authentication on the IES server
      • Connecting Linux server to Active Directory
      • Setting IES server parameters
      • Configuring DNS server
      • How to create and set Device Access Profiles
      • How to manage companies and departments?
      • How to manage Positions?
      • Enable load balancing
      • Data Protection
    • Dashboard
      • Information about the server
      • Information about employees
      • Information about devices
      • Workstations Information
    • Employees
      • How to add an Employee?
      • Employees management
      • Employee management with Active Directory
    • Workstations
      • How to add and approve Workstations?
      • Workstations management
      • Workstation Profiles
      • Use Proximity Unlock Workstations
    • Hardware Vaults
      • How to add IPI Key into the Server
      • Assign a key to the user
      • Remove the key from the Employee
      • Set a profile for a Hardware Vault
      • How to see an RFID code on the Employee key?
    • Accounts
      • Creating personal employee accounts
      • Creating shared employee accounts
      • Personal account management
      • Shared account management
      • Accounts backup and restore
      • How to work with the account template?
    • Keys Management
      • Keys Statuses
      • Transition to Reserved status
      • Keys Activation mechanism
      • Cancel issuance of IPI Key (Reserved -> Ready)
      • Transition to Suspended status
      • Transition to Locked status
      • Transition to Deactivated status
      • Transition to Compromised status
      • Removing the Locked status
      • Wipe procedure
      • Delete key from IPI Server
    • Audit
      • Workstation events
      • Workstation Sessions
      • Summaries
    • Configuring SAML Protocol
      • Use cases
        • Citrix services
        • Fortinet services
        • Configure ASA AnyConnect VPN with IPI Enterprise Server through SAML
        • Setting up SAML for GitLab on premises
      • IPI Identity Provider Settings
    • Single Sign On settings
      • How to get employee licenses
      • Admin settings
      • User settings
    • Configuration OIDC (OpenID Connect)
  • IPI Client App
    • IPI Client App
    • Windows Client deployment
      • Set up IPI Client app
      • Configuration app
      • Deploying an MSI via GPO
      • Uninstall IPI Client app
      • Uninstalling via GPO
      • Upgrade IPI Client
      • Downgrade IPI Client
    • Application interface
      • General Settings
      • Logon settings
      • Experimental settings section
        • Automatic RDP Launch and Logon
        • Password manager caching
        • FIDO key removal lock
      • Language selection
      • Configuring hotkeys
    • Account management
      • Account creation
      • Editing an Existing Account
      • Deleting your account
    • Shortcuts
    • Remote Vault connection
    • Mobile Authenticator
  • IPI Authenticator App
    • Quick overview
    • Admin guide
      • Setup for PC login scenario
        • Configuring an Active Directory Certification Authority
        • IES setup for passwordless login
        • Next steps
      • Setup for SSO scenario
    • User guide
      • Mobile App Primary Setup
      • Software key enrollment
        • SSO enrollment
          • SSO enrollment (admin account)
          • SSO enrollment (user account)
        • PC Authorization Enrollment
          • Enrollment for Passwordless PC Authorization
            • Passwordless account re-enrollment
          • Enrollment for Password-based PC Authorization
            • Account roaming
      • Login with IPI Authenticator
        • SSO login
          • SSO passwordless login
          • SSO login as a second factor
        • PC login
          • Passwordless PC login
            • Offline passwordless login
          • Password-based PC login
          • Login to the remote PC via RDP
      • PC lock
      • OTP generation
      • Software key disabling
        • PC logon disabling
        • SSO logon disabling
      • Service operations
  • IPI Key (Enterprise Edition)
    • IPI Key (Enterprise Edition)
    • Technical Specifications
      • Technical specifications IPI Key 3
      • Technical specifications IPI Key 4
    • Principles of operation
    • Device Layout
    • Battery maintenance
    • IPI Key modes
    • How to update the IPI Key (Enterprise) firmware
    • How to enter credentials with the IPI Key
    • How to unlock PC
    • Key for Physical doors
  • Product Updates
    • Product updates
    • IPI Enterprise Server updates
    • IPI Key firmware updates
    • IPI Client updates
    • IPI Authenticator updates
  • API
    • IPI Enterprise Server web API
  • FAQ
    • How-to's
      • How to add an Employee?
      • How to add personal user account on IES?
      • How to assign IPI Key to a user?
      • How to activate IPI Key?
      • How to unlock IPI Key on IES?
      • How to unlock PC with IPI Key?
      • How to setup proximity PC unlock?
      • How to use IPI Key on remote PC?
      • How to enroll the IPI Authentication app on IES for SSO?
      • How to login on IES with IPI Authenticator?
      • How to enroll the IPI Authentication app for PC login?
      • How to login to PC with IPI Authenticator?
    • IPI Client App
      • What do I do if I see the message "Connection failed. Trying to re-bond device"?
      • What do I do if the connection with the IES server cannot be established?
      • What should I do if the Password Manager menu item is not displayed?
    • IPI Enterprise Server
      • How to view logs at IPI Enterprise Server?
    • IPI Authenticator
      • QR code is not displayed at the credential provider on my PC
      • I have registered successfully but cannot login
      • What do I do if I changed domain and cannot login now
    • IPI Key
      • What physical conditions are dangerous for the IPI Key?
      • Is the IPI Key allowed on planes?
  • Documentation portal
Powered by GitBook
On this page
  • Configuring IPI Server as an Identity Provider (IdP)
  • Adding SP (Service Provider)
  • Here's a list of web applications (SP) where IPI Server can be implemented as an Identity Provider (IdP):
  1. IPI Enterprise Server

Configuring SAML Protocol

IPI Enterprise Server – SAML Protocol

IPI Enterprise Server supports the SAML 2.0 (Security Assertion Markup Language) standard for user authentication. IPI is an Identity Provider (IdP) that enables SSO for all web applications Service Provider (SP) supporting SAML 2.0.

To set up IPI Server as an IdP, follow these steps:

  • Configuring IPI Server as an Identity Provider (IdP)

  • Adding SP (Service Provider)

  • Use cases of integration IPI as IdP on web services

When a user logs into an application through SAML, the IPI ( as an IdP) transmits a SAML assertion to the user's browser, which is then forwarded to the Web application (as an SP). Then IPI Server authenticates the user.

Since IPI Server supports FIDO2 passwordless authorization, service providers automatically get the ability to authorize with hardware security keys without having to create and enter passwords.

Thanks to IPI Server's support for FIDO2 passwordless authorization, Service Providers (web applications) gain the ability to authorize users using hardware security keys, Passkey, and IPI Authenticator App, eliminating the need to create or enter passwords.

Supported sign-in options:

  • Username + password (not recommended)

  • Username + password + second factor (security key: hardware or platform, OTP, mobile authenticator)

  • Passwordless

    • Username + Security key (hardware or platform)

  • Passwordless, Usernameless (without typing login and password)

    • Security key (hardware or platform)

    • Mobile authenticator

Configuring IPI Server as an Identity Provider (IdP)

IPI Server (IdP) and Service Providers (SP, i.e., web applications) must exchange public key certificates or metadata.

  1. Go to Parameters →Settings → SAML.

  2. Here you can get the necessary data that you have to provide your Service Provider:

  • Download metadata

  • View metadata

  • Download certificate

Adding SP (Service Provider)

  1. Click Add Service Provider

  1. In the opened tab file, the corresponding fields:

Issuer - a random unique SP name you need to copy from the SP settings or extract from the metadata file.

Assertion Consumer Service – the login address on the side of the service provider. Redirection is done to this address following the successful login through the IPI Server. Single Logout Service – the address to log out of the account. If you exit IPI Server, this URL is opened in the loop for all web applications. Public x509 Certificate – the public key certificate of the service provider.

Some Service Providers provide users with metadata files. In this case, all required fields will be filled in automatically after importing the metadata file.

Otherwise, you can configure settings manually. In this case, the settings depend on the specific Service Provider.

You can download metadata files from your computer:

  1. Attribute Mapping

When a user authenticates through SAML, IPI Server generates a SAML assertion that contains information about the user (such as their name, email, roles, etc.). Attribute Mapping specifies how these attributes are matched and passed from the IPI Server (IdP) to the SP, and how they are subsequently used by the SP for authorization and access control.

  1. Assertion Attributes.

These attributes are provided by the IPI Server (IdP) in a SAML assertion to the Service Provider (SP) during the authentication process. The Service Provider uses these attributes to make authorization decisions and personalize the user's experience within the application.

Attribute names and formats are typically defined and agreed upon by IPI Server (IdP)and SP during the configuration of the SAML integration. This allows for seamless information exchange between the two entities.

Attribute Mapping and Assertion Attributes could be configured automatically after downloading the metadata file.

After filling in and saving all the settings, you can check the integration by logging into the service provider. You should be redirected to the IES authentication page, where you will need to enter your username (email) and pass the security key verification.

Please, see some use cases for how to configure IPI as IdP on web services:

  • Citrix

  • Fortinet

  • ASA AnyConnect VPN

  • GitLab on premises

Here's a list of web applications (SP) where IPI Server can be implemented as an Identity Provider (IdP):

  1. Microsoft Office 365

  2. Salesforce

  3. Slack

  4. Dropbox business DDropbox Businessropbox businesshttps://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwiR6OXayK-CAxXQBKIDHVrnOA8YABAAGgJsZQ&gclid=Cj0KCQiAuqKqBhDxARIsAFZELmLzMG2aMp1UMyIR60wF83b-leTmkt4gzOuvoMnBrPnD9E3sTAhF6kQaAlFpEALw_wcB&ei=-vVIZZ3dJM_XwPAPrNul4AM&ohost=www.google.com&cid=CAESVuD2AYTCfZVi341CIplY57k9Pfv8RI7Jt0BBVBh4E6zpTnLFMHkCeFAlkiDqmvZqfRJutawE1FPyzaZDw5L1SOgW5238rc8gcS9mqMWWwM87JH31XTy-&sig=AOD64_2_M0P1LIu40mOOL4uhMZ1ZCv1-ng&q&sqi=2&adurl&ved=2ahUKEwidwtzayK-CAxXPKxAIHaxtCTwQ0Qx6BAgIEAE

  5. Zoom

  6. Atlassian (Jira, Confluence)

  7. Amazon Web Services (AWS)

  8. GitHub

  9. GitLab

  10. Zendesk

  11. VMware

  12. Adobe Creative Cloud

  13. Box

  14. Okta

  15. Cisco Webex

While the list provided is not exhaustive, each web service may have its own specific configuration. If you require assistance in integrating your web app with IPI Server using SAML, don't hesitate to contact us. We're here to help.

PreviousSummariesNextUse cases

Last updated 1 year ago