Single sign-on with SAML 2.0
The SSO feature is enabled on Advanced and Ultimate plans, and is otherwise available as an add-on.
Huwise allows access to your workspace to be managed through a single sign-on (SSO) authentication solution, and currently supports the SAML 2.0 and OpenID Connect protocols.
For information on how to map your SSO groups to your Huwise groups, see here.
Setting up a SAML provider
In the back office, under Access > SSO, click on Add a provider in the upper right-hand corner, then click on the SAML button.
Make sure your provider's page is open during this configuration, as you'll need to both retrieve information from it and add information to it.
You have five steps to complete, clicking Next as you complete each step:
Step 1: Provider type
Choose SAML in this case.
Step 2: Name
Enter the name you wish to use for this provider configuration. This is the name you'll see in your list of providers.
Step 3: Service
You need to copy the information from here — SAML Assertion URL, Audience URI, Single Logout Service URL — and paste it into your identity provider's configuration interface.
If your provider supports metadata-based configuration, you can download Huwise's SSO metadata file here.
Step 4: Identity
Here you can drag-and-drop or browse your computer for your identity provider's XML file.
Step 5: Mapping
Here, define the attributes your identity provider uses to define your users: the unique identifier, first name, last name, and email.
Enter the attributes sent by the identity provider that uniquely identify a user in the corresponding fields. For instance, if users are identified by the FirstName and LastName attributes, enter FirstName and click +, then enter LastName and click +. If users are identified by NameID and the NameID format is not transient, leave the field empty. Then map the username, last name, first name, and email address in the respective fields, using the attribute names exactly as sent by the identity provider. For example, if the first name is transmitted as GivenName, enter GivenName in the "First name" field. If any of these elements are not transmitted, leave those fields blank; the platform will generate them from the other available attributes.
Note that for the unique identifier, typically NameID, you can enter other values, or add multiple values as needed.
Once you've clicked Create provider in step 5, you can find your new configuration in your list.
You are then redirected to the identity provider edit page, where you can complete the configuration by adjusting advanced settings, configuring group mappings if required, and activating the provider, as described below.
Editing a SAML configuration
When editing a configuration, you have access to a Configuration tab and a Group mapping tab.
Configuration tab
The Configuration tab gives you access to all of the information provided when the configuration was first set up, such as the name you gave the configuration and information you used to configure your identity provider, or the XML file you used from your IdP for the configuration.
Other settings of note:
Advanced settings — Under "Advanced settings," you will find options to manage your configuration's scope and attributes, such as the first and last name (the information filled in at step 5).
The "Monitoring ID attribute" is the attribute whose value will appear in monitoring logs for easier identification of the SSO users.
Security & behavior — Under "Security & behavior," you have four toggles, all turned off by default:
Disable automatic local provisioning: If you want to disable local user creation, making sure only existing users can connect to the platform through SAML, toggle "Disable local user provisioning."
Allow the SAML identity provider to create a new identifier: By default, only users with an email_verified claim set to true in their ID token will be allowed to log in.
Optional custom EntityID for the SAML service provider: This setting allows you to override the default EntityID of this application. Only change this if your identity provider requires a specific, custom value.
Optional NameID format to be sent in authentication requests: This setting allows you to specify the NameID format that your application will request from the identity provider. Leave the default value unless you have a specific requirement.
Conditional access — Under "Conditional access," you can restrict access based on an attribute sent by the identity provider. You can require the attribute to be present, or require it to have a specific value.
For example, if your identity provider sends a list of Roles for the users and you want only users with a role to be able to connect to the workspace, enter Roles in the "Attribute to match for the condition" field. If you only want users with the DataAccess role to be able to connect to the workspace, enter DataAccess in the "Value that must be present" field.
If you leave both fields blank, no condition is set. Any successful login on the identity provider side will trigger a login on your Huwise workspace.
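The attribute mapping from step 5 and the conditional-access rule above can be checked against a real assertion before you activate the provider. The following is an added example, not Huwise code: it parses a constructed SAML 2.0 assertion, derives the unique identifier the way step 5 describes (NameID unless transient, or a combination of configured attributes), and evaluates a Roles/DataAccess condition. The "|" separator for combined identifiers is an assumption made for the demo.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion for the demo (no signature; in a real SP the
# signature must be verified, and defusedxml used, before attributes are trusted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Roles"><saml:AttributeValue>Viewer</saml:AttributeValue><saml:AttributeValue>DataAccess</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(xml_text):
    """Return (NameID value, NameID format, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    nid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    fmt = nid.get("Format") if nid is not None else None
    return (nid.text if nid is not None else None, fmt, attrs)

def unique_id(name_id, fmt, attrs, id_attrs):
    """Step 5 rule: combine the configured identifier attributes if any are set,
    otherwise use NameID, but never a transient NameID (it changes per session)."""
    if id_attrs:
        parts = [(attrs.get(n) or [""])[0] for n in id_attrs]
        return "|".join(parts) if all(parts) else None  # "|" is an assumed separator
    if name_id and fmt != TRANSIENT:
        return name_id
    return None

def conditional_access(attrs, attribute=None, value=None):
    """Conditional access: no attribute configured means no condition; otherwise the
    attribute must be present and, if a value is configured, contain that value."""
    if not attribute:
        return True
    values = attrs.get(attribute)
    if values is None:
        return False
    return value is None or value in values
```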
Log in & profile — Under "Log in & profile," if a URL is provided, users who log in via SAML will see a link on their profile page to manage their account directly at the identity provider. Language-specific labels can be provided for this link for your portal's languages.
Group mapping tab
For information on how to map your SSO groups to your Huwise groups, see here.