SAML Authentication

SAML authentication provides an additional layer of security for data on a DXA account.

Note: New users added with SAML authentication will not receive the first-time login email and must be manually given a link to their DXA instance. For more information, contact your DXA expert.

Enabling SAML authentication on a DXA account

  1. On the navigation bar, go to Settings > Account Settings > Security and click SAML. (Screenshot: SAML authentication settings)

  2. In the SAML area, select SAML Integration Enabled. (Screenshot: SAML authentication integration settings)

  3. Provide the following details:

    • IdP Entity ID — Usually the main URL identifying the identity provider.

    • SSO URL — Single sign-on service URL

    • SLO URL — Single logout service URL

    • IdP x509 Cert — Identity provider certificate

  4. Scroll down to Login URL to make a note of the login URL for signing in to the DXA portal with SAML authentication.

  5. Click Save.

SAML authentication is now enabled on the account.

Adding SAML authentication to DXA users

  1. Add a role with a group name matching the relevant group name in the SAML account.

  2. When adding or editing a user, in the Authentication Provider dropdown menu, select SAML.

  3. Click Save User.

Enabling Just-in-Time (JIT) provisioning

  1. Select the box to enable Just-In-Time (JIT) Provisioning.

  2. Adapt the sample SAML response below, which your IdP server must send to DXA to support JIT provisioning and enable on-the-fly user creation. The attributes are as follows:
    • First Name — User’s first name required for creating a new user
    • Last Name — User’s last name required for creating a new user

    • Email — User’s email address

    • Permissions — Possible values: dxa_super_admin, dxa_admin, dxa_analyst

    • Properties — List of DXA Property IDs, for example: 3868,25541

    • Roles — Name of the role that already exists in the DXA Portal

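<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://dev-kappa.api.decibelinsight.net/v4.0/account/authentication/saml-acs/#accountNumber#"
                 ID="id1837182277705038802747018973"
                 IssueInstant="2026-05-11T08:52:11.834Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <!-- Sample SAML 2.0 response for DXA Just-in-Time (JIT) provisioning.
        Values wrapped in #...# are placeholders to replace with your own values.
        The host names, IDs and timestamps are taken from a sample environment;
        use the URLs of your own DXA instance. DigestValue and SignatureValue are
        produced by the IdP when it signs the message and are not edited by hand.
        Destination (above) and the SubjectConfirmationData Recipient (below)
        carry the same SAML ACS URL for the account. -->
   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk10z0ze804fdMns698</saml2:Issuer>
   <!-- Signature over the whole Response: the Reference URI points at the Response ID. -->
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
           <ds:Reference URI="#id1837182277705038802747018973">
               <ds:Transforms>
                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                       <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
               <ds:DigestValue>########</ds:DigestValue>
           </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>#######</ds:SignatureValue>
       <ds:KeyInfo>
           <ds:X509Data>
               <!-- IdP signing certificate. NOTE(review): expected to be the certificate
                    entered as "IdP x509 Cert" in the DXA SAML settings; confirm. -->
               <ds:X509Certificate>#x509Certificate#</ds:X509Certificate>
           </ds:X509Data>
       </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </saml2p:Status>
   <saml2:Assertion ID="id-74251155079944275791854089662" IssueInstant="2026-05-11T08:52:11.834Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
       <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk10z0ze804fdMns698</saml2:Issuer>
       <!-- The Assertion carries its own signature; its Reference URI points at the Assertion ID. -->
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
               <ds:Reference URI="#id-74251155079944275791854089662">
                   <ds:Transforms>
                       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                       </ds:Transform>
                   </ds:Transforms>
                   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                   <ds:DigestValue>#######</ds:DigestValue>
               </ds:Reference>
           </ds:SignedInfo>
           <ds:SignatureValue>########</ds:SignatureValue>
           <ds:KeyInfo>
               <ds:X509Data>
                   <ds:X509Certificate>#x509Certificate#</ds:X509Certificate>
               </ds:X509Data>
           </ds:KeyInfo>
       </ds:Signature>
       <!-- NameID identifies the user; presumably the same address as the Email
            attribute below (confirm). With bearer confirmation, Recipient and
            NotOnOrAfter limit where and until when the assertion may be presented. -->
       <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
           <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">#emailAddress#</saml2:NameID>
           <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
               <saml2:SubjectConfirmationData NotOnOrAfter="2026-05-11T08:57:11.835Z" Recipient="https://dev-kappa.api.decibelinsight.net/v4.0/account/authentication/saml-acs/#accountNumber#"/>
           </saml2:SubjectConfirmation>
       </saml2:Subject>
       <!-- Validity window (ten minutes in this sample) and the audience the assertion is issued for. -->
       <saml2:Conditions NotBefore="2026-05-11T08:47:11.835Z" NotOnOrAfter="2026-05-11T08:57:11.835Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
           <saml2:AudienceRestriction>
               <saml2:Audience>https://dev-kappa-app.decibelinsight.net/SSO/#accountNumber#</saml2:Audience>
           </saml2:AudienceRestriction>
       </saml2:Conditions>
       <saml2:AuthnStatement AuthnInstant="2026-05-11T08:52:01.541Z" SessionIndex="id1778489531719.47019104" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
           <saml2:AuthnContext>
               <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
           </saml2:AuthnContext>
       </saml2:AuthnStatement>
       <!-- Attributes used for JIT provisioning. Permissions, Properties and Roles
            decide what a newly created user can access, so the IdP should populate
            them from managed group or role data, not from fields a user can edit. -->
       <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
           <saml2:Attribute Name="First Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#FirstName#</saml2:AttributeValue>
           </saml2:Attribute>
           <saml2:Attribute Name="Last Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#LastName#</saml2:AttributeValue>
           </saml2:Attribute>
           <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#EmailAddress#</saml2:AttributeValue>
           </saml2:Attribute>
           <!-- Replace the placeholder with one of: dxa_super_admin, dxa_admin, dxa_analyst. -->
           <saml2:Attribute Name="Permissions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#dxa_super_admin/dxa_admin/dxa_analyst#</saml2:AttributeValue>
           </saml2:Attribute>
           <!-- One AttributeValue per DXA Property ID the user should have. -->
           <saml2:Attribute Name="Properties" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#dxa_propertyId#</saml2:AttributeValue>
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#dxa_propertyId#</saml2:AttributeValue>
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#dxa_propertyId#</saml2:AttributeValue>
           </saml2:Attribute>
           <!-- Name of a role that already exists in the DXA Portal. -->
           <saml2:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">#dxa_role#</saml2:AttributeValue>
           </saml2:Attribute>
       </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>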