Single Sign On (SSO) SAML Setup

Setting Up SAML Single Sign-On


SAML (Security Assertion Markup Language) allows your users to log in to XMAP using your organisation’s Identity Provider (IdP), such as Microsoft Entra ID, Okta, OneLogin, or any SAML 2.0 compatible service. This removes the need for separate XMAP credentials and lets you manage access centrally.

Prerequisites

Before you begin, ensure you have:
1. Admin access to XMAP — You must be an Organisation Administrator.
2. Admin access to your Identity Provider — You’ll need to create a SAML application in your IdP.


Step 1: Create a SAML Strategy

1. In XMAP, navigate to Admin > My Organisation > Authentication.
2. Click the + button and select SAML from the dropdown.
3. A new strategy will be created with default values.

Step 2: Configure the Strategy

Give your strategy a meaningful Name (e.g. “Okta SSO” or “Company SAML”).

Using a Metadata URL (Recommended)

If your Identity Provider supplies a metadata URL:
1. Paste the URL into the IdP Metadata URL field.
2. Click Fetch.
3. The Entry Point, Issuer, Certificate, and Name ID Format fields will be populated automatically.

Manual Configuration
If you don’t have a metadata URL, enter the following details from your IdP manually:

Field: Description

Entry Point: The SSO login URL provided by your IdP (sometimes called the SAML 2.0 Endpoint or Login URL).

Issuer: The Entity ID or Issuer URL of your IdP.

Certificate: X.509 signing certificate from your IdP. Paste the certificate content only — without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers, and without line breaks.

Name ID Format: The format of the user identifier sent by your IdP. Common values include emailAddress (most common) or unspecified.
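
To cross-check what Fetch populated, or to prepare values for manual entry, the four fields can be read straight from the IdP metadata XML. The following is an added example, not XMAP's own code: the function names, the idp.example.com sample and the placeholder certificate bytes are constructed, and taking the first SingleSignOnService location as the Entry Point is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def single_line_cert(text):
    """Drop PEM header lines and line breaks; return one continuous base64 string."""
    lines = (ln.strip() for ln in text.strip().splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)   # raises on stray characters
    if der[:1] != b"\x30":                        # DER certificates open with a SEQUENCE tag
        raise ValueError("value does not decode to a DER structure")
    return body

def strategy_fields(metadata_xml):
    """Pull the four values the manual form asks for out of IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:               # SAML metadata never needs a DTD
        raise ValueError("refusing metadata that declares a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element")
    # Keys marked use="encryption" must not be pasted as the signing certificate.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") != "encryption"]
    cert = keys[0].find(".//ds:X509Certificate", NS).text
    return {
        "issuer": root.get("entityID"),
        "entry_point": idp.find("md:SingleSignOnService", NS).get("Location"),
        "certificate": single_line_cert(cert),
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS).strip(),
    }

# Constructed sample: hypothetical IdP, placeholder bytes instead of a real certificate.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MAMC
      AQE=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, value in strategy_fields(SAMPLE).items():
        print(f"{name}: {value}")
```

single_line_cert also accepts a PEM file's contents, which is the form most IdP consoles offer for download.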

Step 3: Configure Your Identity Provider

In your IdP’s SAML application settings, you’ll need to provide the following values from your XMAP strategy configuration:

ACS / Callback URL

If you use a custom subdomain on XMAP, use that instead, e.g. https://my-org.xmap.cloud/xnode/login/saml/return

Entity ID / Audience
Use a unique value, or the value required by your IdP.

Info: Microsoft Entra ID metadata files use a default Issuer value (typically https://sts.windows.net/{tenant-id}/) which should not be used. Ensure the Issuer value in XMAP matches the Entity ID set under Basic SAML Configuration in Entra.

Step 4: Additional Settings

Setting: Description

Redirect To: The URL to redirect users to. Typically https://xmap.cloud or your custom domain (https://my-org.xmap.cloud).

Default Profile: The profile new users are assigned to.


Step 5: Test and Save

1. Click Save to store your configuration.
2. Click Test to open a new window and attempt a SAML login.
3. If the test succeeds, the window will confirm a successful authentication.
4. Share the Login URL from the strategy configuration with your users.


Troubleshooting


Login loops or errors
Double-check that the Entry Point URL and Certificate are correct. Ensure the Callback URL configured in your IdP matches the one shown in XMAP exactly, including the protocol (https://) and any trailing paths.

User not recognised
Verify that the Name ID Format matches what your IdP sends, and that the user’s email address exists in XMAP. The Name ID value sent by the IdP must match an existing XMAP user’s email.

Certificate errors
Make sure the certificate is pasted without the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers and without line breaks. It should be a single continuous string of characters.

Test window closes immediately or shows a blank page
Check your browser’s pop-up blocker settings. The test opens a new window which may be blocked by default.

Attributes not mapping correctly
Ensure your IdP is sending the user’s email address as the Name ID claim. Some IdPs default to sending an opaque user ID instead.
