SAML 2.0 Authentication
AxonFlow supports SAML 2.0 (Security Assertion Markup Language) for enterprise authentication, enabling secure federated identity with your corporate identity provider.
What is SAML?
SAML 2.0 is an industry-standard protocol for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It enables secure single sign-on without transmitting passwords.
Benefits
Security
- No passwords transmitted - Cryptographic assertions instead of credentials
- Signed assertions - Tamper-evident authentication tokens; any modification invalidates the signature
- Encrypted data - Optional encryption for sensitive attributes
- Certificate-based trust - Established trust via X.509 certificates
Enterprise Integration
- Industry standard - Works with any SAML 2.0-compliant IdP
- Attribute mapping - Map IdP attributes to AxonFlow user properties
- Group claims - Sync group memberships for role assignment
- Just-in-time provisioning - Create users on first login
Supported Identity Providers
| Provider | SP-Initiated | IdP-Initiated |
|---|---|---|
| Okta | ✅ | ✅ |
| Azure AD (Entra ID) | ✅ | ✅ |
| OneLogin | ✅ | ✅ |
| Ping Identity | ✅ | ✅ |
| ADFS | ✅ | ✅ |
| Shibboleth | ✅ | ✅ |
SAML Flow
SP-Initiated SSO
The user starts at AxonFlow and is redirected to the IdP:
1. User → AxonFlow (request access)
2. AxonFlow → IdP (SAML AuthnRequest)
3. User → IdP (authenticate)
4. IdP → AxonFlow (SAML Response with Assertion)
5. AxonFlow → User (session created, access granted)
IdP-Initiated SSO
The user starts at the IdP and clicks the AxonFlow app tile:
1. User → IdP (click AxonFlow app)
2. IdP → AxonFlow (SAML Response with Assertion)
3. AxonFlow → User (session created, access granted)
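In both flows the IdP's final message is a SAML Response delivered to AxonFlow's ACS URL (step 4 of the SP-initiated flow, step 2 of the IdP-initiated one), and the service provider has to validate it before any session is created. The following is an added example, not AxonFlow's own code. It assumes the Response's XML signature has already been verified against the IdP certificate from the IdP metadata by an XML-DSig library, and shows the checks that remain after that: Success status, Destination and Recipient against the ACS URL, audience against the SP entity ID, the NotBefore/NotOnOrAfter window with a tolerance for clock skew, InResponseTo against the outstanding AuthnRequest IDs (absent in IdP-initiated SSO), and one-time use of the assertion ID. The entity ID and ACS URL are the example values from the SP metadata on this page; the sample response, the user `alice@example.com`, the request ID `_req-1` and the 3-minute skew are constructed for the demonstration.

```python
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://your-axonflow.example.com/saml/metadata"  # from the page's metadata example
ACS_URL = "https://your-axonflow.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=3)  # assumption: tolerated IdP/SP clock drift

def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime; fractional seconds are dropped."""
    value = value.strip().split(".", 1)[0].rstrip("Z") + "Z"
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def validate_response(response_b64, now, outstanding_request_ids, seen_assertion_ids,
                      signature_verified):
    """Return (name_id, errors); name_id is None unless every check passes."""
    if not signature_verified:  # the XML-DSig check comes first and is outside this example
        return None, ["XML signature not verified against the IdP certificate"]
    root = ET.fromstring(base64.b64decode(response_b64))
    errors = []
    if root.get("Destination") not in (None, ACS_URL):
        errors.append("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        errors.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)  # direct children of the Response only
    if len(assertions) != 1:
        return None, errors + [f"expected one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        errors.append(f"assertion {assertion_id} already consumed (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if SP_ENTITY_ID not in audiences:
            errors.append("audience does not include our entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            errors.append("Recipient is not our ACS URL")
        if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_saml_time(scd.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
        irt = scd.get("InResponseTo")  # absent in IdP-initiated SSO, must match otherwise
        if irt is not None and irt not in outstanding_request_ids:
            errors.append("InResponseTo does not match an outstanding AuthnRequest")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("missing NameID")
    if errors:
        return None, errors
    seen_assertion_ids.add(assertion_id)  # one-time use: a replayed assertion is rejected
    return name_id.strip(), []

def build_sample_response(now, audience=SP_ENTITY_ID, assertion_id="_a1",
                          not_on_or_after=None, in_response_to="_req-1"):
    """Constructed, unsigned sample for the demo; a real SP never accepts unsigned input."""
    nb = (now - timedelta(minutes=1)).strftime(TIME_FMT)
    noa = (not_on_or_after or now + timedelta(minutes=5)).strftime(TIME_FMT)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="{now.strftime(TIME_FMT)}" Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{noa}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def demo():
    """Constructed scenario: one good response, then a replay, an expired one and a wrong audience."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    seen, outstanding = set(), {"_req-1"}
    def check(b64): return validate_response(b64, now, outstanding, seen, True)
    good = check(build_sample_response(now))
    replay = check(build_sample_response(now))  # same assertion ID presented again
    expired = check(build_sample_response(now, assertion_id="_a2", not_on_or_after=now - timedelta(minutes=10)))
    bad_aud = check(build_sample_response(now, assertion_id="_a3", audience="https://other-sp.example.com/saml"))
    return good, replay, expired, bad_aud
```

The `seen_assertion_ids` set stands in for whatever store the SP uses to remember consumed assertion IDs until their NotOnOrAfter has passed; `outstanding_request_ids` holds the IDs of AuthnRequests the SP has issued and not yet seen answered. Deployments that do not enable IdP-initiated SSO should additionally reject a missing `InResponseTo`.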
Configuration Overview
AxonFlow as a SAML Service Provider requires:
| Setting | Description |
|---|---|
| Entity ID | Unique identifier for AxonFlow SP |
| ACS URL | Assertion Consumer Service endpoint |
| IdP Metadata | Your IdP's SAML metadata |
| Certificate | IdP's signing certificate |
Your IdP requires:
| Setting | Description |
|---|---|
| SP Entity ID | AxonFlow's entity ID |
| ACS URL | AxonFlow's assertion consumer URL |
| Attribute Statements | User attributes to include |
Certificate Management
SAML relies on X.509 certificates for signing and verifying assertions. Proper certificate lifecycle management is critical for uninterrupted SSO.
Certificate Rotation
Rotate certificates before expiry to avoid authentication outages:
| Step | Action | Timing |
|---|---|---|
| 1 | Generate new certificate | 30 days before expiry |
| 2 | Upload new certificate to AxonFlow as secondary | 30 days before expiry |
| 3 | Update IdP with new certificate | 14 days before expiry |
| 4 | Promote new certificate to primary in AxonFlow | 7 days before expiry |
| 5 | Remove old certificate | After expiry |
AxonFlow Enterprise supports dual certificates during rotation, so authentication continues uninterrupted while both the old and new certificates are active.
Certificate Expiry Monitoring
AxonFlow tracks certificate expiry and raises alerts:
| Alert | Trigger | Action |
|---|---|---|
| Warning | 30 days before expiry | Plan rotation |
| Critical | 7 days before expiry | Rotate immediately |
| Error | Certificate expired | SSO will fail, rotate now |
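The rotation timeline and the alert thresholds above can be turned into a monitoring check. The following is an added example, not AxonFlow's own code: it maps a certificate's notAfter to the Warning/Critical/Error levels in the table, derives the calendar dates for the five rotation steps, and reports what a dual-certificate rotation still needs (a longer-lived secondary uploaded, or the secondary promoted). The `SigningCert` record, the certificate labels and the dates are constructed for the demonstration; `not_after_from_pem` is the only part that reads a real certificate and relies on the third-party `cryptography` package.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WARNING_DAYS, CRITICAL_DAYS = 30, 7  # thresholds from the alert table above


def utc(year, month, day):
    """Timezone-aware UTC midnight; certificate times should always be compared as UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class SigningCert:
    label: str            # constructed identifier for the configured certificate
    not_after: datetime   # X.509 notAfter, timezone-aware UTC
    role: str             # "primary" or "secondary" (dual-certificate rotation)


def not_after_from_pem(pem_bytes):
    """Read notAfter from a PEM certificate; needs the third-party `cryptography` package."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem_bytes)
    not_after = getattr(cert, "not_valid_after_utc", None)  # available in cryptography >= 42
    return not_after or cert.not_valid_after.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now):
    """Whole days remaining, rounded up; zero or negative once the certificate has expired."""
    return math.ceil((not_after - now).total_seconds() / 86400)


def expiry_alert(not_after, now):
    """Map remaining lifetime to the alert levels in the table above."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "error", days       # certificate expired: SSO will fail, rotate now
    if days <= CRITICAL_DAYS:
        return "critical", days    # rotate immediately
    if days <= WARNING_DAYS:
        return "warning", days     # plan rotation
    return "ok", days


def rotation_schedule(not_after):
    """Calendar dates for the five rotation steps, counted back from notAfter."""
    return {
        "generate_new_certificate": not_after - timedelta(days=30),
        "upload_secondary_to_axonflow": not_after - timedelta(days=30),
        "update_idp": not_after - timedelta(days=14),
        "promote_to_primary": not_after - timedelta(days=7),
        "remove_old_certificate": not_after,
    }


def check_rotation_state(certs, now):
    """Return (level, findings) describing what the rotation still needs."""
    primaries = [c for c in certs if c.role == "primary"]
    if len(primaries) != 1:
        return "error", ["exactly one primary certificate must be configured"]
    primary = primaries[0]
    level, days = expiry_alert(primary.not_after, now)
    if level == "ok":
        return level, []
    findings = [f"primary {primary.label} expires in {days} day(s): {level}"]
    # The secondary only helps if it outlives the primary it is meant to replace.
    secondary = next((c for c in certs if c.role == "secondary"
                      and c.not_after > primary.not_after), None)
    if secondary is None:
        findings.append("no longer-lived secondary uploaded: generate and upload one")
    elif level in ("critical", "error"):
        findings.append(f"promote secondary {secondary.label} to primary now")
    return level, findings


def demo():
    """Constructed scenario: primary expiring in 20 days, then a secondary is added."""
    now = utc(2024, 5, 1)
    certs = [SigningCert("idp-signing-2023", utc(2024, 5, 21), "primary")]
    before = check_rotation_state(certs, now)
    certs.append(SigningCert("idp-signing-2024", utc(2025, 5, 1), "secondary"))
    after = check_rotation_state(certs, now)
    return before, after
```

Run `check_rotation_state` from a scheduled job against the certificates actually configured on both sides (the IdP signing certificate held by AxonFlow and the SP certificate held by the IdP): the secondary check is what catches the common failure where a new certificate was generated but never uploaded to the other party.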
SAML Metadata Example
AxonFlow exposes its SP metadata at a well-known URL. Provide this to your IdP during setup:
SP Metadata URL: https://your-axonflow.example.com/saml/metadata
Example SP metadata snippet:
```xml
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://your-axonflow.example.com/saml/metadata">
  <md:SPSSODescriptor
      AuthnRequestsSigned="true"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-axonflow.example.com/saml/acs"
        index="0" />
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
Import your IdP's metadata XML via the Enterprise admin console or API to complete the trust relationship.
Enterprise Feature
| Capability | Community | Enterprise |
|---|---|---|
| SAML 2.0 SP-initiated SSO | | ✅ |
| SAML 2.0 IdP-initiated SSO | | ✅ |
| Just-in-time user provisioning | | ✅ |
| Group claim mapping | | ✅ |
| SAML assertion logging | | ✅ |
SAML authentication is available exclusively with AxonFlow Enterprise. Contact sales to enable SAML for your organization.
Learn More
Enterprise customers can access detailed SAML documentation including:
- Complete setup guides for each identity provider
- Attribute mapping configuration
- Group-to-role mapping
- Troubleshooting and debugging
Access the Enterprise Documentation Portal for full implementation details.
Related
- Single Sign-On - SSO overview
- SCIM Provisioning - Automated user provisioning
- Identity Overview - Identity & Access overview