Configuring SAML SSO with OPSCOM
What is Single Sign-On (SSO)
Single Sign-On (SSO) simplifies user access to OPSCOM by allowing them to authenticate using their existing, managed corporate accounts. This eliminates the need for separate OPSCOM usernames and passwords, enhancing convenience and security. This article details the setup and configuration of SAML-based SSO with OPSCOM, explaining the necessary fields, metadata exchange, and user synchronization. For more general information about SSO and OPSCOM refer to this wiki article.
Prerequisites and Considerations
Implementing SSO with OPSCOM, specifically using SAML (Security Assertion Markup Language), requires coordination between your organization's Identity Provider (IdP) and OPSCOM as the Service Provider (SP).
Your OPSCOM Client Success team will be happy to discuss these options to ensure a smooth and successful setup.
Once the prerequisites are addressed, the SAML setup involves configuring fields for both OPSCOM (as the Service Provider) and your external SAML system (as the Identity Provider).
Configuring SAML Setup
- Hover over System Configuration, Users, and click Login Sources.
- Click the pencil icon to edit your login source you created already as mentioned above. You should already have configured the login source to the point of the Unique ID field.
The settings below must be filled out correctly and saved before you will see the Metadata tab to continue.
When OPSCOM generates your SP metadata, it is available as a live URL — not just a downloadable file. The metadata URL follows this pattern:
https://[your-domain]/auth/saml2/[ENTITY_ID]/metadataWe strongly recommend providing your Identity Provider with this URL rather than a downloaded XML file. When an IdP is configured to pull from a live URL, it will automatically fetch fresh metadata and the integration stays current.
If you upload a static XML file to your IdP instead, be aware that the metadata contains a validUntil timestamp (calculated from the cacheDuration of 7 days from the time it was fetched). An IdP that strictly enforces this value may reject the metadata after that window. In practice, most enterprise IdPs — including Azure AD — do not enforce validUntil on uploaded SP metadata, but it is still better practice to use the live URL wherever possible.
Azure AD note: When configuring the Enterprise Application in Azure, look for the option to enter a Federation Metadata URL rather than uploading a file. This is found in the Basic SAML Configuration section.
Service Provider Fields (Configured in OPSCOM)
These fields define how OPSCOM will interact with your Identity Provider.
Identity Provider Fields (Configured in OPSCOM, Values from Your SAML System):
These fields capture information from your external SAML system (Identity Provider). You will find these values within your SAML system's metadata (e.g., often displayed under Federation → Show Metadata on your SAML installation page).
⚠️ Important — Certificate Mismatch: The IdP x509 Certificate field must contain the certificate issued by your Identity Provider — for example, the certificate embedded in Azure's Federation Metadata XML. Do not copy the SP certificate into this field. Entering the wrong certificate here will cause SAML assertion validation to fail silently, and users will be unable to log in. If in doubt, download your IdP's Federation Metadata XML and extract the certificate from within it.
Once these settings have been completed and saved in OPSCOM, you will gain access to additional tabs: MetaData, Synchronization, and Translations.
Additional Settings Reference
When you open your Login Source configuration, you will see several additional fields below the core SP and IdP sections. The defaults are appropriate for most integrations, but the following are worth understanding:
| Setting | Default | What It Does |
|---|---|---|
| Requested Auth Context | false |
When set to false, OPSCOM does not specify an authentication method in its request to the IdP — the IdP decides. Set to true to require password-based authentication (PasswordProtectedTransport). Leave as false for most Azure AD integrations. |
| Require Name ID Policy | Enabled | Includes a NameIDPolicy element in the SAML request, specifying the Name ID Format. Disable this if your IdP is Microsoft ADFS — ADFS frequently rejects the NameIDPolicy element and returns an InvalidNameIDPolicy error. Azure AD (Entra ID) handles it correctly and this should remain enabled. |
| Require Encrypted Assertions | Disabled | Requires the IdP to encrypt SAML assertions. Only enable if your IdP supports it and your SP certificate and private key are configured. Not required for standard Azure AD integrations. |
| Sign Logout Requests / Responses | Disabled | Requires the SP certificate and private key to be configured. Not required for standard Azure AD integrations. |
Using this Feature
Metadata Tab
The Metadata tab in OPSCOM provides the XML code that you will need to provide to your Service Provider (OPSCOM, in the context of SAML communication from your IdP's perspective). This XML contains all the necessary information for your Identity Provider to communicate correctly with OPSCOM.
Sample XML File
Sample XML File Explanation: When your external system (e.g., a SimpleSAMLPhp service set up as the identity provider) sends a response back to OPSCOM, it includes an saml:AttributeStatement tag containing several attributes. These attributes are required for OPSCOM to match to a user within its system. The most important field in this attribute section is the value used as the permanently unique identifier for a user. For example, if the XML response shows [uid] => Array ( [0] => 6ddf4027-3397-4e45-8628-0189f60fe91e ), then uid should be entered as the Unique ID Field in your Identity Provider Fields configuration within OPSCOM. If the unique ID is something else, such as SAMaccountName, then that should be used instead.
<?xml version="1.0"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_aa1963115aa6490e728c7376f4c8849813bbb..."> ... <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_9efd79bf6425983ee9176f3d33a99d1a9176180..."> ... <saml:Subject> <saml:NameID SPNameQualifier="MinionOpsComStaff" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7a426e0be71f14c1f349db00d7d543b6f7dcb52baa</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2021-08-24T16:00:41Z" Recipient="https://minion-3.dev.parkadmin.com/auth/saml2/MinionOpsComStaff/acs" InResponseTo="ONELOGIN_bb8a09203c888cf59af4c621a71cfa8f7559c016"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2021-08-24T15:55:11Z" NotOnOrAfter="2021-08-24T16:00:41Z"> <saml:AudienceRestriction> <saml:Audience>MinionOpsComStaff</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2021-08-24T15:34:46Z" SessionNotOnOrAfter="2021-08-24T23:34:46Z" SessionIndex="_a7a68666092117d24aab8adecf1b0830622855b85..."> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">6ddf4027-3397-4e45-8628-0189f60fe91e</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="full name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Sarah Knowles</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">sknowles@tomahawk.ca</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response> |
⚠️ Do not rename your Login Source after users have been associated to it. The Login Source value is stored against every user record created via SSO. If you change it, those users will no longer be matched to this login source on their next login attempt, effectively locking them out. If a rename is ever necessary, contact OPSCOM Support to arrange a coordinated update of all affected user records.
Synchronization Tab
The Synchronization tab allows you to configure how user information is managed between your SSO system and OPSCOM.
After you have provided the information in each field, click Save Changes.
Your users will then begin to be created or updated automatically upon their SSO login attempts. If any of the supplied fields are incorrect or don't match, the corresponding information will be blank in OPSCOM when the user logs in, or it will remain unchanged if the user already existed.
What to enter in the field mapping boxes: Each field mapping box accepts the attribute name exactly as your Identity Provider sends it in the SAML assertion. These names vary between IdP systems. The sample values shown (such as
full name,uid) are from a SimpleSAMLphp test installation and will be different for other identity providers.
For Azure AD (Microsoft Entra ID), the attribute names depend on how the claims were configured in the Enterprise Application. Azure uses two formats:
- Short-name format (if you created custom claims): e.g.,
first_name,last_name,emailaddress- Full URI format (Azure defaults): e.g.,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameTo confirm exactly what your Azure AD tenant is sending, use the Test button on the Single sign-on page of your Azure Enterprise Application. The test result displays every claim name and value as it will arrive at OPSCOM.
⚠️ Azure AD does not send a combined "full name" attribute by default. If you map the First Name field to a full name or displayName attribute, the user's entire display name (e.g., "Sarah Knowles") will be stuffed into the first name field. Map First Name and Last Name to separate attributes (givenname / surname, or first_name / last_name if configured as custom claims in Azure).
The exact sample values from our test system may differ from your actual SAML system attributes.
Translations Tab
The Translations tab allows you to customize the text displayed on your login button from the user side. You can create as many different translations as are available in your system (e.g., English and French). This ensures that the SSO login experience is localized for your users.
Error Handling: CommonPproblems and Their Causes
- User cannot log in / "user not found" — The Unique ID Field in OPSCOM does not match the attribute name being sent by the IdP, or the user has not been assigned to the application in the IdP.
- Assertion validation failure — The IdP x509 Certificate field contains the wrong certificate (often the SP cert copied in by mistake).
InvalidNameIDPolicy error — Disable the "Require Name ID Policy" toggle (common with ADFS IdPs). - Incorrect user data on auto-created accounts — A field mapping value doesn't match the attribute name the IdP is actually sending. Use your IdP's test/debug tool to see the exact claim names in the assertion.
- Login source mismatch — The Login Source value was changed after users were created. Contact OPSCOM Support.
- OPSCOM's SSO debug log (when enabled) will display the full incoming user array, which makes attribute name mismatches straightforward to identify.