SAML 2.0
Enterprise single sign-on with any SAML-compatible identity provider
What's This For?
SAML (Security Assertion Markup Language) is the industry standard for enterprise single sign-on. If you're using Okta, OneLogin, Azure AD (for SAML), or any other enterprise identity provider, chances are they support SAML 2.0.
SAML vs LDAP: SAML is web-based and designed for SSO across applications. LDAP is a direct connection to a directory. For network device authentication, Warden uses SAML for the identity verification step, then returns RADIUS attributes to your network equipment.
Supported Identity Providers
We've tested with these providers, but any SAML 2.0 compliant IdP should work:
- Okta
- Azure AD (SAML app)
- Google Workspace (SAML app)
- OneLogin
- Auth0
- Ping Identity
- JumpCloud
- Shibboleth
Before You Start
You'll need from your Identity Provider:
- IdP Entity ID - The unique identifier for your identity provider
- SSO URL - Where to send authentication requests
- X.509 Certificate - For verifying SAML responses
- Attribute mappings - What user attributes you want Warden to receive
You'll provide to your Identity Provider:
- ACS URL - Where your IdP sends responses back to Warden
- SP Entity ID - Warden's identifier as a Service Provider
Setting Things Up
Step 1: Get Warden's SAML Details
First, gather the information your IdP needs. In Warden:
- Go to My Providers
- Click Add Provider
- Select SAML 2.0
You'll see your Service Provider details:
SP Entity ID: https://your-warden-server/saml/metadata
Metadata URL: https://your-warden-server/saml/metadata
Pro Tip: Many IdPs can import our metadata URL directly. This auto-configures the ACS URL, Entity ID, and certificate without manual copying.
Step 2: Configure Your Identity Provider
Create a new SAML application in your IdP. Here are the key settings regardless of which provider you use:
emailAddress or unspecifiedHTTP-POSTStep 3: Configure Attribute Mapping
Tell your IdP what user information to send to Warden:
email, userName, NameIDemail, mailgivenName, firstNamesurname, lastName, sngroups, memberOfStep 4: Get IdP Details
From your IdP, you'll need:
- IdP Entity ID - Sometimes called Issuer
- SSO URL - The login endpoint
- X.509 Certificate - For signature verification (PEM format)
Metadata makes it easy: Most IdPs provide a metadata URL that contains all these details. If Warden can import the metadata, you won't need to copy things manually.
Step 5: Complete Warden Configuration
Provider-Specific Tips
Okta
- Create a new SAML 2.0 app in the Okta Admin Console
- Use "Custom" app type if Warden isn't in their catalog
- Get the IdP metadata from the app's "Sign On" tab
- Okta sends groups in the
groupsattribute by default
Azure AD
- Create an "Enterprise Application" with SAML SSO
- The Entity ID is under "Basic SAML Configuration"
- Download the certificate from "SAML Signing Certificate"
- Use
user.mailfor email attribute mapping
Google Workspace
- Go to Apps → Web and mobile apps → Add app → Add custom SAML app
- Google provides the metadata in step 1 of the wizard
- Configure Service Provider details in step 3
- Set up attribute mapping in step 4
Testing SAML
- Save your identity provider configuration
- Click Test Connection from the menu
- You'll be redirected to your IdP's login page
- Log in with valid credentials
- If successful, you'll be redirected back with user details
Success! You'll see the user's attributes as received from the IdP. Verify that username, email, and groups look correct.
Troubleshooting
"Invalid Signature" or "Signature Verification Failed"
What's happening: The certificate doesn't match the SAML response.
Things to check:
- Is the certificate in PEM format with BEGIN/END markers?
- Did you copy the entire certificate including the markers?
- Has the IdP certificate been rotated? Download a fresh one.
- Are there extra line breaks or whitespace?
"Audience Restriction" or "Invalid Audience"
What's happening: The Entity ID doesn't match.
Things to check:
- Does the SP Entity ID in Warden match the Audience/Entity ID in your IdP?
- Watch out for trailing slashes -
.../metadatavs.../metadata/ - URLs must match exactly, including http vs https
"Assertion Expired" or "Invalid Timestamp"
What's happening: Clock skew between Warden and your IdP.
Things to check:
- Is Warden's server time correct? Check NTP synchronization.
- SAML assertions typically expire in 5-10 minutes
- Check your IdP's assertion validity settings
"Attribute Not Found" or Missing Username
What's happening: The attribute mapping doesn't match.
Things to check:
- Open browser dev tools and look at the SAML response
- Find the actual attribute names being sent
- Update Warden's attribute mapping to match
Redirect Loop or "No Response"
What's happening: The ACS URL isn't configured correctly.
Things to check:
- Is the ACS URL in your IdP exactly matching Warden's expected URL?
- Check IdP logs for errors posting to the ACS URL
- Verify Warden is accessible from the IdP's network
Security Best Practices
- Always verify signatures - Never disable signature verification in production
- Use HTTPS everywhere - Both for your IdP and Warden endpoints
- Watch certificate expiration - Set a calendar reminder before your IdP cert expires
- Short assertion validity - Configure 5-10 minute validity windows
- Enable Single Logout (SLO) - Properly terminate sessions on logout
- Restrict IdP app access - Only assign the SAML app to users who need it
- Monitor authentication logs - Watch for unusual patterns or failed attempts
What's Next?
- Create a policy using your SAML provider
- Add your network devices
- Configure response attributes based on SAML groups