Security Assertion Markup Language (SAML) single sign-on (SSO) can be set up by a developer or IT personnel in the Admin app after you've enabled the SAML Integration feature on the Features page. The developer or IT personnel configures the SAML settings, including the service provider (SP) and identity provider (IdP) settings and any attributes.

This article provides configuration details for the Widen Collective to act as an SP, or relying party, for a SAML version 2.0-compliant identity server.

Refer to the SAML SSO Configuration for ADFS article for technical details about configuring a SAML SSO for ADFS.


Common terms

The following terms are used throughout this article.

Service provider
Server or application that is requesting authentication for a user
Identity provider
Server that is capable of performing authentication
Metadata
XML documents that describe capabilities and specific details for SP or IdP servers

Implemented capabilities

The Collective redirects unauthenticated users to your IdP server to be authenticated. After successful authentication, users are redirected back to the Collective to start using the application.

In more technical terms, the Collective uses the SAML web browser SSO profile that:

  • Is initiated by an SP
  • Uses a redirect binding to the IdP
  • Uses a POST binding for the assertion consumer service

Bindings are described in section 5.1.2 (pages 26 to 30) of the SAML technical standard on the OASIS website.

Best practices are described on the Interoperable SAML 2.0 website.


Service provider configuration

To complete the SP configuration, the following information is required from your SP server:

  • Issuer/entity ID
  • Name ID format
  • A registration code

The following SP information can also be entered:
  • SP metadata
  • An SP-initiated URL
  • A logout redirect URL
  • Assertion consumer service URLs

Metadata import

Collective SP metadata is available directly from our application at https://{name}

If you're unable to import SP metadata from a URL, your customer success manager can supply an XML document.

Manual configuration

The SP metadata file includes the information below. You can skip this configuration if your IdP supports SP metadata import.

  • Issuer/entity ID
  • Assertion consumer service URL (POST binding)
  • Single logout service redirect URL (REDIRECT binding)
  • Name ID format

Identity provider configuration

To complete the IdP configuration, this information is required from your IdP server:

  • HTTPS service authorization endpoint
  • Metadata endpoint
  • Certificate files
  • A support email address users can contact if they have issues authenticating into your system

Attributes configuration

Returned attributes should use the attribute name given in the table below. Email address, first name, and last name are required attributes; the others listed can be included. The friendly name is the user interface value displayed in ADFS.

Field name:
  • Email address*
  • First name*
  • Last name*
  • Street Address
  • ZIP/Postal Code

*Required field

Send user roles via claims

When SAML is used for authentication, users can be assigned roles in Active Directory that specify the access they have in the Collective. We accept a group of user authorization roles using the attribute name listed in the table above. Each time a user is authenticated via SAML SSO, the Collective performs these actions:

  • SAML role names are compared to Collective role names. SAML role names that exactly match a Collective role name are considered valid and are used for further processing.

  • If there are no valid roles, the user's Collective role assignments are left as is. (A Collective configuration setting, which defaults to zero, stops the login process if fewer than the configured minimum number of roles is matched.)

  • If there is more than one valid role, the user's Collective role assignments are updated to match the SAML roles. This may involve adding and/or removing some roles for the user.
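The following is an added illustration of the attribute handling and role-matching rules described above; it is not Collective code. The attribute names (`email`, `firstName`, `lastName`, `roles`) and the assertion fragment are constructed for the example, and it assumes the SAML response signature has already been verified before attributes are trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (hypothetical attribute names).
# In a real flow this would be taken from a signature-verified Response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>j.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>Contributor</saml:AttributeValue>
      <saml:AttributeValue>Marketing-Only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

REQUIRED = ("email", "firstName", "lastName")  # required fields per the table

def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_required(attrs):
    """Names of required attributes that are missing or empty."""
    return [n for n in REQUIRED if not attrs.get(n) or not attrs[n][0]]

def reconcile_roles(saml_roles, collective_roles, current_roles, min_roles=0):
    """Apply the role rules from the article:
    - only SAML roles that exactly match a Collective role name are valid;
    - if fewer than min_roles match (default 0, i.e. never), login is stopped;
    - with no valid roles, the user's current assignments are left as is;
    - otherwise the assignments are replaced by the matched set."""
    valid = [r for r in saml_roles if r in collective_roles]
    if len(valid) < min_roles:
        return None  # login stopped: minimum number of roles not met
    if not valid:
        return set(current_roles)
    return set(valid)
```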