User Guide: Setting Up SAML 2.0

1. Create a SAML App

Contact us first: we need to configure a few things on our end before you begin. We will provide you with an identifier, connection_id, that you will use for your connection setup.

You will need the following info:



  • Note: replace connection_id with the value that we will provide to you. Ex. SafeBase's SSO URL looks like https://auth.safebase.io/login/callback?connection=safebase-saml

Audience URI (SP Entity ID):


  • So for the example above, the Audience URI would be urn:auth0:safebase:safebase-saml

If your IdP supports direct metadata import, use this URL:


  • For the example above, the direct metadata import URL would be https://auth.safebase.io/samlp/metadata?connection=safebase-saml

Set Up Attribute Mapping

Let us know what your Identity Provider is. We'll need to figure out attribute mapping. If you're using an IdP like Okta, it can be straightforward because we know the mapping already. Let us know if you'd like IdP-initiated SSO to be enabled.

Please map the following attributes:

  • First name → firstName
  • Last name → lastName
  • Email → email
  • Identifier/Login → id

Okta specific instructions

In Okta, your configuration should look like this (with the {connection_id} replaced with the value we provided):


OneLogin specific instructions

ACS (Consumer) URL: The SSO URL specified above.

Relay State: https://app.safebase.io/api/auth/login?returnTo=%2Fdashboard

Audience: The Audience URI specified above.

Recipient: The SSO URL specified above.

ACS (Consumer) URL Validator: ^https:\/\/app\.safebase\.io

Login URL: https://app.safebase.io

Be sure to add custom attributes:

OneLogin field → Field that SafeBase is expecting

  • Email → email
  • First Name → firstName
  • Last Name → lastName
  • Username → id

Google SAML specific instructions

ACS URL: The SSO URL specified above.

Entity ID: The Audience URI specified above.

Start URL: Leave this blank.

Attribute Mapping (Should all be in Basic Information):

  • Note: In our experience, Google SAML can be buggy at times. You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.” We’ve found that waiting a few hours usually resolves these issues automatically, without any action on your end.

2. Provide Us With Your SAML Metadata

Send us a copy of your SAML metadata so we can complete the SAML setup on our end.

  • Note that if you use Azure AD, the certificate may not be in the metadata. If this is the case, please continue below.

You can find it by clicking on "View Setup Instructions" if you are using Okta.


If you are unable to export the metadata from your IdP, please provide the following:

  • IdP SSO URL
  • X.509 Certificate
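
Before sending the metadata, you can check that it actually contains the two items listed above. The script below is an added example, not SafeBase tooling; the function name, the idp.example.com values and the placeholder certificate are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_idp_metadata(xml_text):
    """Extract the IdP SSO URL(s) and signing certificate(s); list what is missing."""
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso_urls": [], "certs": [], "problems": []}
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return result
    for sso in idp.findall("md:SingleSignOnService", NS):
        url = sso.get("Location", "")
        result["sso_urls"].append(url)
        if not url.startswith("https://"):
            result["problems"].append("SSO URL is not https: " + url)
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue  # encryption-only keys are not used to verify assertions
        for cert in key.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line wrapping
            try:
                if not base64.b64decode(b64, validate=True):
                    raise ValueError("empty certificate")
                result["certs"].append(b64)
            except ValueError:
                result["problems"].append("X509Certificate is empty or not valid base64")
    if not result["sso_urls"]:
        result["problems"].append("no SingleSignOnService: send the IdP SSO URL separately")
    if not result["certs"]:
        result["problems"].append("no signing certificate: send the X.509 certificate separately")
    return result

# Constructed sample metadata for a hypothetical IdP; the certificate is placeholder bytes.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
KEY_BLOCK = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
             + SAMPLE_CERT +
             '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
TEMPLATE = """<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_WITH_CERT = TEMPLATE.format(key=KEY_BLOCK, **NS)
SAMPLE_NO_CERT = TEMPLATE.format(key="", **NS)  # metadata exported without a certificate
```

An empty "problems" list means the metadata file is enough on its own; otherwise each entry names the item to send alongside it.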