Authio docs

Single Sign-On

SAML connections

For IdPs that only speak SAML 2.0. Authio mints the connection first and shows the SP values inline with copy buttons — paste them into the IdP, upload the IdP metadata back, done.

Part of Authio Lobby

SAML is the fallback for IdPs that don’t offer OIDC. Prefer One-click Microsoft for Entra and OIDC for everything else; reach for SAML when the IdP only supports it.

The wizard mints the connection first

The connection is created up front as a draft, so the service-provider (SP) values Authio generates are available immediately — no need to save half a form before you can see the Entity ID. The wizard shows them inline with copy buttons:

  • SP Entity ID: https://sso.authio.com/v1/sso/connections/{id}/metadata
  • ACS (Assertion Consumer Service) URL: https://sso.authio.com/v1/sso/connections/{id}/acs
  • SP metadata URL: the same /metadata endpoint, for IdPs that import SP metadata XML directly.

where {id} is the connection’s sso_… id. The admin pastes these into the IdP, uploads the IdP’s metadata XML back into Authio, and the connection flips from draft to active.

The same inline SP values appear wherever a SAML connection is managed: the org Features → Single Sign-On card’s Manage disclosure in your dashboard, the one-time SSO Setup Portal, and the embedded SSO Connection widget.

IdP-side steps

Microsoft Entra ID

Entra customers should use One-click Microsoft instead; it skips all of this. If you must do SAML manually: Entra admin center → Enterprise applications → New application → Create your own application → Single Sign-On → SAML. Paste Authio’s Entity ID into Identifier (Entity ID) and the ACS URL into Reply URL (ACS), then download the Federation Metadata XML and upload it back into Authio.

Okta

Okta admin → Applications → Create App Integration → SAML 2.0. Set Single sign-on URL to Authio’s ACS URL and Audience URI (SP Entity ID) to Authio’s Entity ID. Finish, then copy Okta’s Identity Provider metadata URL / XML back into Authio.

Google Workspace

Google Admin → Apps → Web and mobile apps → Add custom SAML app. Provide Authio’s ACS URL and Entity ID, then upload Google’s IdP metadata back into Authio. Google emits given name and surname under OID-style attribute names; see the SAML attribute mapping page.

The redirect_uri allow-list (read this)

SAML callbacks use a different allow-list than the rest of Authio. The redirect_uri your app sends rides through the IdP round-trip as SAML RelayState and is checked at the ACS endpoint after the user authenticates — against AUTHIO_SAML_ALLOWED_RELAYSTATE_HOSTS on the SSO service, not the per-project Allowed redirect URIs table. If the callback host isn’t on that list the ACS endpoint won’t redirect and instead returns the session envelope as raw JSON. Full detail and the symptom checklist are on the SP-initiated login URL page.
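To make the host check concrete, here is an added model of the decision the ACS endpoint makes after authentication; it is illustrative code, not Authio's implementation, and it assumes AUTHIO_SAML_ALLOWED_RELAYSTATE_HOSTS is a comma-separated list of hostnames and that RelayState carries the redirect_uri verbatim.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample standing in for the SSO service's env var. Assumption:
# AUTHIO_SAML_ALLOWED_RELAYSTATE_HOSTS is a comma-separated list of hostnames.
SAMPLE_ALLOWED = "app.example.com, localhost"


def parse_allowed_hosts(raw: str) -> set:
    """Normalise the comma-separated allow-list into lowercase hostnames."""
    return {h.strip().lower() for h in raw.split(",") if h.strip()}


def relaystate_host_allowed(redirect_uri: str, allowed: set) -> bool:
    """True only when the redirect_uri's host is exactly on the allow-list.

    urlsplit().hostname is lowercased and has userinfo and port stripped, so
    'https://app.example.com@evil.example/' yields 'evil.example' (rejected)
    and 'app.example.com.evil.example' is not treated as a suffix match.
    Note this model ignores the port; the real service may be stricter.
    """
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("https", "http"):
        return False
    host = parts.hostname
    return bool(host) and host in allowed


def acs_response(redirect_uri: Optional[str], session: dict, allowed: set) -> dict:
    """Model the ACS outcome this page describes: redirect to the RelayState
    when its host is allow-listed, otherwise return the session envelope as JSON."""
    if redirect_uri and relaystate_host_allowed(redirect_uri, allowed):
        return {"status": 302, "location": redirect_uri}
    return {"status": 200, "content_type": "application/json", "body": session}
```

If your app lands on the raw-JSON branch, the host of the redirect_uri it sent is the first thing to compare against that env var.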

Attribute mapping

Map IdP assertion attributes (NameID, email, name, role) to Authio user fields with the connection’s attribute map. Per-IdP examples for Okta, Entra, Google, and OneLogin are on the SAML attribute mapping page.

Drafts expire

A SAML draft that never gets its IdP metadata stays unconfigured; Authio auto-expires unconfigured drafts after 7 days, and you can remove a draft by hand from the org Single Sign-On list. Active connections can’t be deleted that way.
