SAML SSO

When an enterprise customer brings their own SAML IdP (ADFS, Okta, Entra), Axowl acts as the Service Provider so their users sign into an Axowl-backed app with their corporate identity.

  1. Configure the IdP connection — register the enterprise IdP’s EntityID, SSO URL, and signing certificate (via metadata URL or manual entry), plus attribute mapping (SamlConfiguration).
  2. Initiate — GET /api/public/orgs/{slug}/auth/saml/login emits a SAML AuthnRequest and redirects (302) to the IdP.
  3. ACS — the IdP POSTs a signed SAMLResponse to /api/public/orgs/{slug}/auth/saml/acs. Axowl verifies the signature, conditions, and audience (Saml2Response.GetClaims), maps attributes → NameID, and JIT-provisions a ConnectedId, then issues the session.

Endpoint detail and the IdP (outbound) direction: SAML reference.