LoginRadius DocsDocs
DocumentationAPI ReferencesSDKsChangelogs
Federated SSOSAML

SP Initiated SSO

The SP-Initiated SAML Login with LoginRadius offers secure authentication for third-party applications. It streamlines Single Sign-On (SSO), allowing users to access multiple applications with just one set of credentials managed by LoginRadius. The process is fortified with strong security measures, such as signed requests and responses, ensuring safe and seamless access to protected resources.

Key Features of SP-Initiated SAML SSO

  • User-Initiated Authentication – The login process starts at the Service Provider (SP), providing a seamless and controlled authentication experience.
  • Secure Redirection to LoginRadius (IdP) – The SP securely redirects users to LoginRadius (IDP) for authentication, ensuring that the SP never handles credentials.
  • SAML Assertion Expiration (NotOnOrAfter)Assertion remains valid only for a secure timeframe, preventing reuse and enhancing security.
  • Single Logout (SLO) Support – Users can log out from all connected applications simultaneously, ensuring proper session termination across platforms.
  • Digitally Signed SAML Assertions – LoginRadius generates SAML assertions that are cryptographically signed to guarantee the authenticity and integrity of the authentication response.

Configurations

This guide will help you set up SP-initiated SAML SSO by configuring LoginRadius Admin Console and the third-party Service Provider.

  • Configure a SAML App in the LoginRadius Admin Console
  • Configure the Service Provider Application

Follow these steps to configure SP-Initiated SAML SSO in the LoginRadius Admin Console:

  1. Log in to Admin Console.
  2. Navigate to Integrations → SSO Integration.
  3. Click Add SSO Integration to configure a new SAML App.
  4. Select SAML and choose Service Provider Initiated Login from the Login Flow options.
  5. Enter a unique name in the SAML App Name field.
  6. Add the Service Provider Certificate to validate responses.

To learn more about how to generate the certificate, refer to LoginRadius SAML Certificate Guide

  1. In the Attribute Section, Map Attributes by linking LoginRadius fields with the Service Provider fields:
    • NameSP field name
    • Formaturn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    • ValueLoginRadius mapping field
    • Static Checkbox (Optional): Keeps the value fixed if selected
  2. Select Name ID Formatpersistent (default).
  3. Set Login URL 
    https://<LoginRadius tenant name>.hub.loginradius.com/auth.aspx
  4. Set After Logout URL 
    https://<LoginRadius tenant name>[.hub.loginradius.com/auth.aspx?action=logout
    Note: This URL must be an endpoint that accepts SAML authentication requests. It is used to redirect users after they log out of the application.
  5. In the Service Provider Logout URL, enter the service provider logout URL (you will get the SLO URL from a third-party service provider). This Logout URL will be called in the Single Logout (SLO) SAML workflow.
  6. Select Default Request Binding (HTTP-POST or HTTP-Redirect as per SP configuration).
  7. Add Assertion Consumer Service (ACS) Location from the SP configuration.
  8. Select ACS Binding Type
    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  9. Enter Relay State ParameterRelayState
  10. Set SAML Assertion Expiration (1-70 minutes; default: 5 minutes).
  11. Enter App AudiencesEntityID of your Service Provider.
  12. Select SSO MethodHTTPPost. And save the configuration.

After setting up `LoginRadius as IdP, configure your third-party Service Provider (SP).

  1. Set Identity Provider Login URL (SSO Endpoint):

    https://<LoginRadius tenant name>/service/saml/idp/login?appname=<SAMLAppName>

  2. Use the LoginRadius certificate in the Service Provider.

    • Download the metadata file from the Admin Console to obtain the certificate.

  3. Set Issuer or EntityID:

    https://<LoginRadius tenant name>.hub.loginradius.com/

  4. Select SSO Binding Type: HTTP-POST.

  5. Set SAML Relay State: redirect (SP-specific).

  6. Configure Logout URL:

    https://<LoginRadius tenant name>/service/saml/idp/logout?appname=<SAMLAppName>

  7. If SP supports Single Logout (SLO), use the same Logout URL.

For more details on configuration options and terms used during the setup, refer to SAML Configuration Key Points.

SP-Initiated SAML Workflow

In this workflow, the Service Provider (SP) initiates authentication by sending a signed SAML request to the Identity Provider (LoginRadius). After successful authentication, the IdP responds with a signed SAML assertion, granting the user access to the requested resources.

Refer to the following workflow to understand the SP-Initiated SAML process between LoginRadius(IdP) and the Service Provider.

1. User Initiates Login :

  • The user starts authentication by clicking the login link on the Service Provider login page.

2. Service Provider Creates SAML Request :

  • The Service Provider generates a SAML authentication request. It signs the request using its private key and provides its public key certificate to the LoginRadius(IdP) for verification if required. The SP then sends the SAML request to the IdP.

3. Identity Provider Validates Request:

  • The LoginRadius(IdP) receives the SAML request and, if signed, verifies the signature to ensure its authenticity before proceeding with authentication.

4. Redirect to the Login Page

  • The user is redirected to the LoginRadius Auth Studio for authentication.

5. User Authenticates with IdP

  • The user provides their credentials and is successfully authenticated by LoginRadius.

6. IdP Sends SAML Response

  • The LoginRadius(IdP) signs the SAML response with its private key and sends it to the Service Provider’s Assertion Consumer Service (ACS) URL.

7. Service Provider Validates Response

  • The Service Provider validates the SAML response using the public certificate provided by the IdP.

8. User Accesses Protected Resources

  • If the response is valid, the user is logged in and gains access to the protected resources on the Service Provider’s platform.

Testing and Validating SP-Initiated SAML SSO

Follow these steps once the SP-Initiated SAML SSO configuration is complete to ensure a secure and seamless authentication experience.

1. Verify the SAML SSO Flow

  • Check SP Redirection – Ensure that clicking the login link on the SP correctly redirects users to the LoginRadius Identity Provider (IdP) for authentication.
  • Validate SAML Request – Confirm that the SP sends a properly signed SAML authentication request to LoginRadius.
  • Authenticate and Process Response – Log in using valid user credentials and verify that LoginRadius successfully authenticates the user.
  • Verify SP Handling of SAML Assertion – Ensure that the SP correctly reads and processes the SAML assertion, granting access without errors.

2. Test Single Logout (SLO)

  • Configure Logout URL – Ensure the SP Logout URL is properly set in the LoginRadius Admin Console.
  • SP-Initiated Logout – Log out of the SP and confirm that the user session has been terminated at LoginRadius.
  • Check Session Expiry Handling – Test automatic session timeouts and expiration behavior to ensure users are securely logged out after inactivity.

These validation steps ensure the proper and secure implementation of SP-Initiated SAML SSO integration.

Check out the Security Best Practices for a detailed breakdown of essential security measures.

Identity Provider Initiated SSO

Learn how Identity Provider Initiated SSO works with LoginRadius. Enable seamless user authentication directly from your identity provider to your app.

Configuration Option and Best Practices

Explore SAML configuration options and best practices with LoginRadius. Enhance secure SSO setup, streamline access, and ensure seamless user experiences.

On this page

SP Initiated SSOKey Features of SP-Initiated SAML SSOConfigurationsSP-Initiated SAML WorkflowTesting and Validating SP-Initiated SAML SSO1. Verify the SAML SSO Flow2. Test Single Logout (SLO)Related Resources