Page tree
Skip to end of metadata
Go to start of metadata


To exchange SAML metadata with Apperian, export a SAML metadata file from your authentication server and send it to Apperian. A SAML metadata file provides configuration data that tells an Identity Provider and Service Provider how to establish a connection and communicate with each other. Your metadata file must provide authentication attributes and user attributes.

Based on your metadata, Apperian will create an IdP connection in PingFederate and then export and send you a SAML metadata file. Import Apperian's SAML metadata file into your authentication server to create an SP connection.

On This Page

Authentication Attributes

Your metadata file must provide these authentication attributes:

  • Entity ID: Also referred to as the "issuer," this is the unique ID included in all SAML messages sent from your authentication server.
  • Certificate: An authentication certificate saved in .pem format.
  • Redirect URL: The URL of your organization's web-based authentication page.

User Attributes

The metadata file should also identify the user attributes that will be included in SAML assertions sent from your authentication server. When a user is authenticated, Apperian uses attributes in the assertion to locate the user in the Apperian database and log the user in to the App Catalog. If the user is not already listed in the database, a new user account is created for the user (this is called "auto-provisioning").

Required Attributes

Your SAML assertions must include the following user attributes:

  • First Name
  • Last Name
  • Email Address and/or User

During auto-provisioning, the User attribute sets the value for "User ID," which is a unique identifier for the user in the Apperian database. If you do not provide the User attribute, Apperian uses Email Address for both the "Email Address" and "User ID" parameters in the database. The User attribute must be 200 characters or less, and cannot include spaces. Valid characters include: 

  • a-z
  • A-Z
  • 0-9
  • /~!$%^&*_=+.@,

Both "Email Address" and "User ID" must be unique within your organization. If you provide a value for Email Address or User that is not unique, the SSO login will fail.

Optional Attribute (Groups)

If your IdP supports the exchange of group information, a SAML assertion can include a Groups attribute to specify user groups to which the user will be added. For more information, see Group Assignment During SSO.
  • No labels