# SAML Adapter Setup Guide

> This guide provides detailed instructions on configuring the TruU SAML Adapter. This adapter allows an SSO provider to delegate authentication to TruU via SAML, enabling passwordless authentication for federated applications.

### Required SP Configuration

**Step 1:** Obtain the following properties from the service provider to create a new SAML adapter:

* ACS URL (Also known as Assertion Consumer Service URL)
* Entity ID (referred to as "Partner's Entity ID" in the Admin Console; some service providers also use the term "Issuer")

### Generated IDP Configuration

**Step 2:** Create a SAML Adapter in the admin console. After creation, download the "SAML IDP configuration". The service provider needs this configuration to know where to send SAML requests and how to verify signed responses from the IDP. The generated configuration contains the following properties:

* Entity ID: The Entity ID / Issuer of the server, i.e. the IDP
* SSO Login URL: The URL the service provider must send SAML requests to
* X.509 Signing Certificate: IDP signing certificate in PEM format

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/227ce375-94a4-42fd-a7e1-e794bee05125" alt="" />

### Configuring SAML Adapter for Google as a Service Provider

**Step 1:** Log in to the Admin Console, navigate to the "Integrations" tab, then the "Adapters" tab, and click the **(+)** icon in the top right corner to add a new adapter. Select **Single Sign On** in the first box and **SAML** in the adapter type box.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/4620d7a9-5354-47bc-98da-65de7571c365" alt="" />

**Step 2:** Notice the "Select User Directory Attribute" value. In the case of Google, it must always refer to a directory attribute containing the *email address*. Other service providers might expect a different value, such as the user principal name.

Google allows you to register a third-party SAML IDP in two ways: either as a global IDP that all users of the organization authenticate with by default, or as an organizational-unit-specific IDP, in which case only the users of that OU are authenticated using the SAML IDP. The Entity ID and ACS URL differ depending on the method you select.

### SAML IDP for the Entire Organization

**Step 1:** Create a default SSO profile that spans the entire organization on the Google SAML IDP configuration page. The values for Entity ID and ACS URL needed in the SAML adapter configuration dialog always follow this pattern:

* Entity ID: google.com/a/\<your\_organization\_domain> (only if you check "Use a domain specific issuer" while adding the default SSO profile in Google). Otherwise, it is google.com
* ACS URL: https://www.google.com/a/\<your\_organization\_domain>/acs

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/854440d1-fc8b-4f5d-8fa5-3edcaa71d045" alt="" />

### SAML IDP for a Specific Organizational Unit

**Step 1:** Create a SAML adapter draft with a placeholder value such as TBD in both Entity ID and ACS URL.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/ddc6e3d3-7ea1-488c-8b85-f1959ff5f32d" alt="" />

**Step 2:** Go to the Google IDP configuration page and create a third-party SSO profile.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/54424d54-4582-4dc2-b7c9-817ed8245f5d" alt="" />

**Step 3:** Use the IDP's Entity ID, SSO Login URL and the certificate generated by the SAML adapter to create the new SSO profile. Save the generated certificate into a file such as saml-idp-cert.pem so it can be uploaded to the SSO profile.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/c45874c1-79cd-4af5-9b1d-6e9960648ca2" alt="" />

**Step 4:** After saving the profile, Google generates the Entity ID and ACS URL. Use these to update the existing TruU SAML adapter (replace the TBD values).

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/52bfc5ce-a7a8-4d0b-9ec1-25183a439ad5" alt="" />

### Configuring a SAML Adapter for Okta as a Service Provider

**Step 1:** Create a new SAML adapter in the Admin Console (using TBD placeholder values for Entity ID and ACS URL) and save the generated adapter configuration.

**Step 2:** Sign in to Okta with an administrator account. Navigate to Security → Identity Providers and add a new SAML 2.0 IdP.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/93ecd4e6-7513-4972-a210-2d38d4d2d396" alt="" />

**Step 3:** Use the generated values from the adapter to configure the IDP page. Save the generated IDP certificate into a file such as saml-idp-cert.pem, as Okta only allows the certificate to be uploaded as a file.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/a8233de8-13ad-4671-ac0b-b06e856ef5ef" alt="" />

**Step 4:** Save the IDP configuration and open the details of the configured IDP. Two fields there map to the properties required by the SAML adapter:

* Audience URI – Partner's Entity ID in the SAML adapter
* Assertion Consumer Service URL – ACS URL in the SAML adapter

<img src="https://mintlify.s3.us-west-1.amazonaws.com/truu-2/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/e8da5b47-105f-40df-925a-4a2984e40a59/c4fc8e41-6806-496e-87c3-e82beb506406/images/9c239df3-717b-4e8a-ba6d-b9c74c98e266" alt="" />

**Step 5:** Return to the TruU SAML adapter configuration and replace the TBD values with the correct values.

### Configuring a SAML Adapter for Other Service Providers

The configuration process for each service provider may vary, but it generally follows the same steps described above for Google and Okta: obtain the Entity ID and ACS URL from the SP, enter them into a new SAML adapter configuration, and use the configuration generated by the SAML adapter to set up the service provider.

Note: If multiple service providers (Google, Okta, etc.) are in use, create a standalone SAML adapter for each service provider.
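Before replacing the TBD placeholders and uploading the certificate file, it is worth checking the values. The following Python is an added example, not TruU's code: it derives the Google org-wide Entity ID / ACS URL pattern given above from an assumed organization domain, flags leftover TBD placeholders and non-https ACS URLs, and sanity-checks a saved saml-idp-cert.pem for PEM framing, valid base64 and a complete DER body (the sample PEM is constructed, not a real certificate).

```python
import base64
import re
from urllib.parse import urlparse

def google_sp_values(org_domain, domain_specific_issuer):
    """Expected SP values for a Google org-wide SSO profile (pattern from the guide)."""
    entity_id = f"google.com/a/{org_domain}" if domain_specific_issuer else "google.com"
    return {"entity_id": entity_id, "acs_url": f"https://www.google.com/a/{org_domain}/acs"}

def check_sp_config(entity_id, acs_url):
    """Return a list of problems with the SP values; an empty list means they look usable."""
    problems = []
    for name, value in (("Entity ID", entity_id), ("ACS URL", acs_url)):
        if not value or value.strip().upper() == "TBD":
            problems.append(f"{name} is still a placeholder")  # draft adapters use TBD
    if urlparse(acs_url).scheme != "https":
        problems.append("ACS URL must use https")  # signed assertions are posted to it
    return problems

def _der_total_len(der):
    """Total length the leading DER SEQUENCE header claims, or None if unreadable."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_idp_cert_pem(pem):
    """Sanity-check a saved saml-idp-cert.pem: PEM framing, valid base64, complete DER body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return {"ok": False, "reason": "no PEM certificate block found"}
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return {"ok": False, "reason": "body is not valid base64"}
    if _der_total_len(der) != len(der):
        return {"ok": False, "reason": "DER body is truncated or has trailing bytes"}
    return {"ok": True, "der_len": len(der)}

# Constructed sample: a minimal DER SEQUENCE standing in for a real certificate body.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```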
