Enpass Admin Console supports SSO with any Identity Provider that implements the SAML 2.0 standard. If your IdP is not listed as a preset option, use the Other option during setup and follow this guide.
You'll need:
- Super Admin access to the Enpass Admin Console
- Admin access to your Identity Provider
Phase 1: Start the SSO Connector in Enpass
- Log in to the Enpass Admin Console.
- Navigate to Settings > Single Sign-On.
- Click Set Up to open the SAML Configuration dialog.
- Enter a name for your configuration, select Other as the Identity Provider, and click Continue.
- On the next screen, you'll see your SP Entity ID and SP Assertion Consumer Service (ACS) URL. Keep this page open — you'll need these values when configuring your IdP.
Phase 2: Configure Your Identity Provider
The exact steps will vary depending on your IdP, but most SAML 2.0 providers follow a similar pattern. Refer to your IdP's documentation for specifics.
What to configure in your IdP
| Setting | Value |
|---|---|
| SP Entity ID / Audience URI | Copy from Enpass Admin Console (Phase 1) |
| ACS URL / Reply URL | Copy from Enpass Admin Console (Phase 1) |
| Name ID format | |
| Name ID value | User's primary email address |
| Attribute mapping | Map the user's email to an attribute named |
| Response signing | Sign both the SAML response and assertion |
What to collect from your IdP
Once your IdP SAML app is configured, obtain one of the following to provide to Enpass:
- Metadata URL — A URL pointing to your IdP's SAML metadata XML, or
- Metadata file — The SAML metadata XML file downloaded from your IdP.
Tip: Make sure all admin users who need to access the Enpass Admin Console via SSO are assigned to the SAML application in your IdP before testing.
Phase 3: Finish Setup in Enpass
- Return to the Enpass Admin Console SSO setup page (where you left off in Phase 1).
- Provide your IdP metadata by either:
  - Pasting the Metadata URL, or
  - Uploading the metadata file (.xml).
- Click Add Configuration to save.
Test the Configuration
- Click Test Configuration, then click Start Test. A new tab will open and run a test sign-in through your IdP. The tab closes automatically when the test is complete.
If the test fails, check the following:
- The SP Entity ID and ACS URL in your IdP exactly match the values from Enpass.
- The
- The SAML response and assertion are both signed.
- The metadata URL is publicly accessible or the metadata file is valid.
Activate SSO
- Once the test passes, click Activate to enable SSO login for Admin Console users.
Enforce SSO (Optional)
- To make SSO the only permitted login method, enable the Enforce SSO toggle on the SSO settings page. This disables email/password login for all admins.