Adding SP (Service Provider)

Hideez Enterprise Server – Adding a Service Provider

To access the SAML settings, go to Settings -> Parameters -> SAML. The SAML settings page contains the following sections: IdP metadata, IdP configuration (HES) and Service provider settings (third-party web applications).

This page also provides a script for creating a self-signed certificate; click the required option to get it.

The IdP metadata section allows you to:

  • View metadata

  • Download metadata

  • Download the public key certificate

Metadata is an XML file that contains all the necessary information about the IdP settings and the public key certificate. Service providers usually allow you to import IdP metadata when configuring SAML, which simplifies the configuration. You can also download the certificate separately, if necessary, or view all metadata on the screen.

The Service Providers section lists all providers with which integration has been configured. The number of service providers is not limited. To configure a new service provider, click the 'Add Service Provider' button and fill in the settings fields. You must obtain the values of these settings from the service provider application. The service provider usually allows you to download a metadata file containing the necessary settings and its public key certificate; this file can be imported into HES so that the settings are filled in automatically.

Issuer - an arbitrary unique SP name; copy it from the SP settings or extract it from the metadata file.

Assertion Consumer Service - the login address on the service provider side. After a successful login through the IdP, the user is redirected to this address.

Single Logout Service - the address used to log out of the account. When you log out of the IdP, this URL is opened in turn for every configured SP.

Public x509 Certificate - the public key certificate of the service provider.

NameID Format - the format of the field that identifies the user.

NameID Value - the field from which the user identifier is taken. Since the IdP and the SP can use different identifiers for users, a mechanism for matching these identifiers is needed to establish a one-to-one correspondence between users in both services. The user identifier (login) in HES is the user's email, although it can be something else in other systems (e.g. a combination of the user's first and last name). If your service provider accepts email as a user ID, you need to set:

  • NameID Format - Email

  • NameID Value - Email

You can also edit these parameters or delete a service provider. Click the required service provider and then click the 'Edit' or 'Delete' button correspondingly.

If the service provider cannot accept email as a user ID, you need to set the format that your service provider accepts in the 'NameID Format' field, and the value 'External ID' in the 'NameID Value' field. Then you need to fill in the 'External ID' field for each employee. To do this, click Employees -> Select an employee -> Edit -> Single Sign-On section -> Settings -> Edit the External ID.

After filling in and saving all the settings, you can check the integration by logging into the service provider. You should be redirected to the HES authentication page where you will need to enter your username (email) and pass the security key verification.