SAML Provider
LoginRadius Identity Platform offers robust support for SAML 1.1 and SAML 2.0 protocols, enabling flexible and secure integrations with custom SAML-based identity systems. Whether you're acting as a Service Provider (SP) or an Identity Provider (IdP), LoginRadius makes it easy to authenticate users via enterprise-grade SSO solutions.
With full support for IDP-initiated and SP-initiated flows, customizable assertions, and seamless integration with third-party SAML providers, you can deliver a streamlined and secure login experience tailored to your organization’s needs.
Key Features
- Supports IDP-initiated and SP-initiated SAML flows for maximum flexibility
- Customizable assertions, certificates, and endpoints via the LoginRadius Console
- AutoLookup for automatic redirection based on user email domain
- Seamless integration with third-party and enterprise SAML providers
- Certificate renewal and RelayState parameter support for enhanced security and control
Use-Cases
This section outlines common business scenarios where a custom SAML provider can be used, helping you identify when and why to implement this functionality.
- Integrating enterprise IdPs like ADFS, PingFederate, or custom-built SAML providers
- Offering Single Sign-On (SSO) to internal or partner applications
- Allowing users to authenticate via federated identity from an external system
- Automatically routing login attempts based on email domain using AutoLookup
Configuration Guide
This section covers the full setup process, including the LoginRadius Console configuration and the necessary changes in your third-party SAML application.
- LoginRadius Config
- SAML Provider
Step 1: Navigate to Configuration
- Log in to the LoginRadius Console.
- Navigate to Authentication > Custom IDPs.
- Click Add Custom IDP.
- Select the Custom SAML Provider from the list
Step 2: Manually configure the SAML provider or upload a Metadata file.
Step 3: Configure Basic Settings
- Login Flow: Select your desired SAML flow (IDP or SP initiated).
- Provider Name: This is a unique app identifier.
  Validation Rules:
  - Use only lowercase letters
  - Must start with a character
  - Hyphens (-) and underscores (_) are allowed
  - No spaces
  - Length: 1–60 characters
- Display Provider Name (Optional): Custom label for display on IDX or V2.js forms.
Step 4: Identity Provider Details
- ID Provider Binding: Select from the dropdown.
- ID Provider Location: Paste the SSO endpoint.
- ID Provider Logout URL: Enter the sign-out endpoint.
- ID Provider Certificate: Paste the SAML certificate here.
  - To renew, click the “Renew Certificate” button.
Step 5: AutoLookup (Optional)
- Enable AutoLookup to route users based on domain.
- Enter a domain (e.g., company.com).
- If matched during login, users are redirected to this IdP.
Note: The provider will no longer show on social schema.
Step 6: Advanced Settings
- RelayState Parameter: Enter a static value (e.g., RelayState).
- Data Mapping: Map IdP fields to LoginRadius fields.
  - Email → email
  - FullName → username
- Click Save to apply your configuration.
In the URLs below, replace <LoginRadius Site Name> and <SAMLAppName> with your own values. If you're using a Custom Domain, update the URLs accordingly.
Step 1: Identity Provider Login URL (SSO)
https://<LoginRadius Site Name>.hub.loginradius.com/service/saml/idp/login?appname=<SAMLAppName>
Step 2: Certificate
- Download the metadata file from the Console.
- Extract the certificate and upload it into your SAML Service Provider settings.
Step 3: Issuer / EntityID
https://<LoginRadius Site Name>.hub.loginradius.com/
- If using a custom EntityID, add it in the App Audiences field on LoginRadius.
Step 4: Binding
- SSO Binding: HTTP-POST
Step 5: RelayState
- Enter: redirect or your application-specific value.
Step 6: Logout URL
https://<LoginRadius Site Name>.hub.loginradius.com/service/saml/idp/logout?appname=<SAMLAppName>
- If SLO is supported, use the same URL for the logout endpoint in your SP.
Note: After renewing a certificate in LoginRadius, always update it in your connected SP applications.
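For the certificate step and the renewal note above, an added Python example (not LoginRadius code) that extracts the signing certificate from a downloaded metadata file and checks whether the fingerprint recorded at the SP still matches it. It assumes the file is standard SAML 2.0 metadata containing an IDPSSODescriptor; the function names, the sample XML, its entityID host and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for a real DER certificate,
# and the entityID host is made up.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        %s
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(PLACEHOLDER_DER).decode()

def signing_certificates(metadata_xml):
    """Return the DER bytes of each IdP signing certificate in the metadata."""
    # The file comes from your own Console; use a hardened parser
    # (e.g. defusedxml) for XML from sources you do not control.
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute covers signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop line wrapping
            certs.append(base64.b64decode(b64, validate=True))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return certs

def fingerprint(der):
    """SHA-256 fingerprint as lowercase hex without separators."""
    return hashlib.sha256(der).hexdigest()

def sp_certificate_is_current(metadata_xml, pinned_fingerprint):
    """True if the fingerprint recorded at the SP matches current metadata."""
    pinned = pinned_fingerprint.replace(":", "").lower()
    certs = signing_certificates(metadata_xml)
    return any(fingerprint(der) == pinned for der in certs)
```

Running the check against freshly downloaded metadata after a renewal shows which connected SPs still hold the old certificate.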
Integration Details
This section provides practical tips on integrating the SAML provider into your application.
Hosted Pages Integration
If you're using LoginRadius Hosted Pages, the SAML provider can appear as a login option on the login screen, just like any other social provider.
Show SAML Provider in Hosted Login UI
To make your SAML provider visible on the hosted login page:
- While configuring your SAML provider in the Console, ensure the option “Include in Social Schema” is enabled.
- This will display the SAML provider button on your hosted login screen.
- Users will be redirected to the configured SAML IdP and complete the authentication flow when they click the button.
Using Programmatic Link
You can also manually initiate SAML login flows via custom buttons or links within your app.
Link Format:
https://<Site-Name>.hub.loginradius.com/RequestHandler.aspx?apikey=<LoginRadius API Key>&provider=<Provider Name>
In the above, replace <Site-Name> with your actual LoginRadius site name, <LoginRadius API Key> with your API key, and <Provider Name> with the lowercase name of the custom IDP.