# Identity Providers

This section covers the IdP-side configuration: creating the SAML application, setting the URLs sfp expects, mapping user attributes, and copying out the metadata URL you'll hand to sfp.

The steps are the same regardless of whether you're running self-hosted or cloud — only the URLs you paste into the IdP differ.

***

## Pick your IdP

| Provider                      | Page                                                                                        |
| ----------------------------- | ------------------------------------------------------------------------------------------- |
| Microsoft Entra ID (Azure AD) | [Entra ID](/flxbl/sfp-server/setting-up/saml-authentication/identity-providers/entra-id.md) |
| Okta                          | [Okta](/flxbl/sfp-server/setting-up/saml-authentication/identity-providers/okta.md)         |

Other SAML 2.0 providers (Google Workspace, OneLogin, PingIdentity, etc.) follow the same shape — set the Entity ID and ACS URL, map the email and name attributes, copy the metadata URL. The Entra and Okta walkthroughs are good templates.

***

## URL convention

Every SAML setup needs two URLs from sfp: the **Entity ID** (what the IdP calls "Identifier" or "Audience") and the **ACS URL** (what the IdP calls "Reply URL" or "Single sign-on URL").

Use the URL that matches your deployment mode:

| Mode        | Entity ID                                         | ACS URL                                      |
| ----------- | ------------------------------------------------- | -------------------------------------------- |
| Self-hosted | `https://<your-domain>/auth/v1/sso/saml/metadata` | `https://<your-domain>/auth/v1/sso/saml/acs` |
| Cloud       | `https://auth.flxbl.io/auth/v1/sso/saml/metadata` | `https://auth.flxbl.io/auth/v1/sso/saml/acs` |

For self-hosted, replace `<your-domain>` with the public domain of your sfp server. For cloud, both URLs always point at `auth.flxbl.io` — the global auth instance — regardless of your tenant domain.

The `/auth/v1/sso/saml/...` path is fixed and required; don't shorten or rewrite it.
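A pre-flight check for the two values before you paste them into the IdP, as an added example (not part of sfp; the function name and `sfp.example.com` are assumptions). It tests a pair of URLs against the table above and reports each deviation.

```python
from urllib.parse import urlsplit

# Values taken from the URL convention table on this page.
EXPECTED_PATH = {"Entity ID": "/auth/v1/sso/saml/metadata",
                 "ACS URL": "/auth/v1/sso/saml/acs"}
CLOUD_HOST = "auth.flxbl.io"


def check_sp_urls(mode, entity_id, acs_url):
    """Return a list of problems; an empty list means the pair fits the convention.

    `mode` is "self-hosted" or "cloud". Names here are illustrative, not sfp's.
    """
    if mode not in ("self-hosted", "cloud"):
        raise ValueError(f"unknown mode: {mode!r}")
    problems, hosts = [], []
    for label, value in (("Entity ID", entity_id), ("ACS URL", acs_url)):
        if "<" in value or value != value.strip():
            problems.append(f"{label}: placeholder or stray whitespace in {value!r}")
            continue
        try:
            parts = urlsplit(value)
        except ValueError as exc:
            problems.append(f"{label}: not a parseable URL ({exc})")
            continue
        host = (parts.hostname or "").lower()
        hosts.append(host)
        if parts.scheme != "https":
            problems.append(f"{label}: scheme must be https, got {parts.scheme!r}")
        if not host:
            problems.append(f"{label}: no host in {value!r}")
        # Exact match on purpose: a trailing slash, different case or a
        # shortened path is a different value to the IdP.
        if parts.path != EXPECTED_PATH[label]:
            problems.append(f"{label}: path must be {EXPECTED_PATH[label]}, got {parts.path!r}")
        if parts.query or parts.fragment:
            problems.append(f"{label}: remove the query string or fragment")
        if mode == "cloud" and host != CLOUD_HOST:
            problems.append(f"{label}: cloud URLs use {CLOUD_HOST}, not {host or 'no host'}")
    if len(set(hosts)) > 1:
        problems.append(f"Entity ID and ACS URL use different hosts: {sorted(set(hosts))}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; sfp.example.com is a placeholder domain.
    print(check_sp_urls("self-hosted",
                        "https://sfp.example.com/auth/v1/sso/saml/metadata",
                        "https://sfp.example.com/auth/v1/sso/saml/acs/"))
```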

***

## What you'll copy out

At the end of IdP configuration you need exactly one thing to hand to sfp: the **federation metadata URL**. For Entra ID it looks like:

```
https://login.microsoftonline.com/<tenant>/federationmetadata/2007-06/federationmetadata.xml?appid=<app>
```

or for Okta:

```
https://<your-org>.okta.com/app/<app-id>/sso/saml/metadata
```

sfp downloads and parses this URL when you register the provider — you don't paste any certificates or XML manually.

***

## Attribute mapping

sfp expects the IdP to send these attributes in the SAML assertion:

| Attribute      | Used for                                            |
| -------------- | --------------------------------------------------- |
| Email (NameID) | Primary identifier; must match the user's sfp email |
| First name     | User profile                                        |
| Last name      | User profile                                        |
| Display name   | UI display                                          |

Each IdP page shows the exact claim names to use.

***

## Next step

Once your IdP is configured and you have the metadata URL, head to:

* [Self-Hosted Setup](/flxbl/sfp-server/setting-up/saml-authentication/self-hosted-setup.md), or
* [Cloud Setup](/flxbl/sfp-server/setting-up/saml-authentication/cloud-setup.md)

to register the IdP with sfp and provision users.

