Setup
Up and running in five steps.
Roughly thirty minutes from a fresh signup to a verified JWT delivered into your application. Each step below maps to one screen in the dashboard.
1. Claim a workspace
Create an account at app.simplesaml.com and name your first workspace. The workspace is the unit of isolation: every connection, destination, and teammate belongs to one. New workspaces start on the Basic plan, which allows five connections at no cost.
2. Add a destination
A destination is the URL where Simple SAML delivers the JWT after a successful sign-in. From the sidebar, open Destinations → New destination. Give it a name your team will recognize and paste your application's callback URL. The URL must be HTTPS.
The destination's token becomes the aud claim on every JWT delivered there. Hold onto it. You'll verify against it in step five.
3. Connect an identity provider
From the sidebar, open Sources → New source and name the connection. The fastest path to a working configuration is metadata import: paste the IdP's metadata URL and click Import. Simple SAML fetches the document, extracts the entity ID, sign-in URL, and signing certificate, and saves them.
For IdPs that can't expose a public metadata URL, download the XML and upload it instead, or fill the three fields manually under Connection.
Pick a destination from the dropdown and click Save & connect. The routing checklist at the top of the source page confirms it's live.
4. Route a sign-in
Send users to the SP-initiated sign-in URL the dashboard generates for the source:
https://sso.simplesaml.com/sources/<token>/saml/sso
The user authenticates on their identity provider's screen. After authentication, Simple SAML auto-POSTs an HTML form to your destination's callback URL with a single field: token=<jwt>.
5. Verify the JWT
Verify the token against the JWKS at sso.simplesaml.com/.well-known/jwks.json. The algorithm is RS256, the audience is your destination token, and tokens expire five minutes after issuance.
import { jwtVerify, createRemoteJWKSet } from "jose";

// Fetches and caches the signing keys published at the JWKS endpoint.
const jwks = createRemoteJWKSet(
  new URL("https://sso.simplesaml.com/.well-known/jwks.json"),
);

// `token` is the single form field auto-POSTed to your callback URL.
export async function verifySimpleSamlToken(token) {
  const { payload } = await jwtVerify(token, jwks, {
    issuer: "https://sso.simplesaml.com",
    audience: "<your-destination-token>",
    algorithms: ["RS256"], // pin the algorithm; never accept whatever the token's header declares
  });
  return payload; // payload.sub is the SAML NameID
}
The sub claim is the SAML NameID. Use it as your user identifier. Full claim reference and additional language samples are on the JWT verification page.
What's next
The connection you just wired serves one identity provider. To onboard your first client, repeat steps two through five with their IdP's metadata. The same callback handles every client; the JWT's src claim tells you which connection the user came from.
Read Concepts for the full data model.