SAML federation setup
Stand up SAML 2.0 federation between VEREID Auth and your enterprise IdP (Okta, Azure AD, Google Workspace, Ping) in under thirty minutes.
Last updated 2026-05-20
VEREID Auth is both an OpenID Connect provider and a SAML 2.0 Identity Provider. For enterprise customers federating into VEREID — i.e. "let our Okta-managed employees sign in to this VEREID-authenticated B2B app" — VEREID acts as a SAML Service Provider against the customer's IdP. That is the flow this guide covers.
Before you start
You will need:
- An Enterprise plan (SAML is gated on Enterprise).
- Admin access to your IdP (Okta, Azure AD, Google Workspace, Ping, or any SAML 2.0-compliant IdP).
- The VEREID tenant ID you are federating to (developer.vereid.com → Tenant → ID).
Step 1 — Generate the SP metadata
In developer.vereid.com → Auth Apps → New SAML SP:
- Name — your IdP name, e.g. `Okta — Acme`.
- EntityID — defaults to `https://auth.vereid.com/v1/saml/sp/<tenant_id>`.
- ACS URL — defaults to `https://auth.vereid.com/v1/saml/acs/<tenant_id>`.
- NameID format — `email` (recommended) or `persistent`.
- Signature algorithm — `RSA-SHA256` (default), `RSA-SHA512` allowed.
Click Download SP metadata → vereid-sp.xml. This is the file you upload to your IdP.
Step 2 — Configure the IdP
Okta
- Applications → Create App Integration → SAML 2.0.
- Name: `VEREID Auth`. Logo: download from https://vereid.com/brand/icon.png.
- Single Sign-On URL: the `AssertionConsumerService` `Location` from `vereid-sp.xml`.
- Audience URI (SP Entity ID): the `entityID` from `vereid-sp.xml`.
- Name ID format: `EmailAddress`.
- Attribute Statements (add): `email` — `user.email`; `firstName` — `user.firstName`; `lastName` — `user.lastName`.
- Save, copy the Identity Provider metadata URL.
Azure AD (Entra)
- Enterprise applications → New application → Non-gallery.
- Single sign-on → SAML.
- Upload `vereid-sp.xml` via Upload metadata file.
- Edit User Attributes & Claims: ensure `name`, `email`, `givenname`, `surname` are present.
- Download Federation Metadata XML.
Google Workspace
- Apps → Web and mobile apps → Add custom SAML app.
- Download IdP metadata immediately.
- ACS URL + Entity ID from `vereid-sp.xml`.
- NameID: Basic Information > Primary email.
- Attribute mapping: `email`, `first_name`, `last_name`.
Ping Identity
- Applications → Add → SAML.
- Upload `vereid-sp.xml`.
- Attribute Contract: add `email`, `firstName`, `lastName`.
- Download IdP metadata.
Step 3 — Upload IdP metadata to VEREID
Back in developer.vereid.com → Auth Apps → <your SAML SP> → Upload IdP metadata, paste the XML or the metadata URL. VEREID extracts the signing certificate and the SSO URL automatically.
Step 4 — Test
```shell
curl -sS "https://auth.vereid.com/v1/saml/login/$TENANT_ID?return_url=https://yourapp.com/"
```
This issues a SAML AuthnRequest, redirects to your IdP, and (on successful login) lands on the ACS URL. VEREID exchanges the assertion for a session and redirects the user to `return_url`.
For automated regression, use SAMLTrace (browser extension) or vereid saml debug --tenant=$TENANT_ID from the CLI.
Step 5 — Map IdP groups to VEREID roles
If your IdP sends a groups (Okta), memberOf (Azure), or custom group attribute, configure mapping in developer.vereid.com → SSO → Group Mapping:
| IdP group | VEREID role |
|---|---|
| acme-engineering | developer |
| acme-finance | billing |
| acme-admin | admin |
Mapping runs on every login; group memberships are not cached.
Step 6 — Single Logout (SLO)
Optional but recommended. In developer.vereid.com → SSO → SLO, enable SLO. VEREID will send a LogoutRequest to the IdP on every VEREID logout, and accept LogoutRequest from the IdP to terminate VEREID sessions. SLO is gated on Enterprise.
Step 7 — The verification claim in SAML
Even over SAML, the vereid_verification claim is available — see OIDC claims. It is exposed as a single XML attribute named urn:vereid:verification containing the base64-encoded JSON document. Your IdP-side processing should decode the attribute and parse it as JSON.
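As an added example, not code from VEREID or from this guide, the block below parses the AttributeStatement of a SAML assertion, decodes the `urn:vereid:verification` attribute into JSON with a shape check on `tier` and `badges`, and applies the step 5 group-to-role table to whichever group attribute the IdP sent (`groups` for Okta, `memberOf` for Azure). The assertion, the `acme-*` group names and the verification document contents are constructed for illustration; the code assumes the assertion has already passed signature validation and that the consuming side has its raw XML.

```python
# Added example (not VEREID's code): parse a SAML AttributeStatement, decode the
# urn:vereid:verification attribute, and map IdP groups to VEREID roles (step 5).
# The assertion below is constructed; a real one must be signature-validated first.
import base64
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Group-to-role table from step 5 (constructed group names).
GROUP_ROLE_MAP = {
    "acme-engineering": "developer",
    "acme-finance": "billing",
    "acme-admin": "admin",
}

# Constructed verification document, base64-encoded as it travels in the attribute.
_VERIFICATION_JSON = json.dumps({"tier": "verified", "badges": ["email", "domain"]})
_VERIFICATION_B64 = base64.b64encode(_VERIFICATION_JSON.encode()).decode()

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@acme.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>acme-engineering</saml:AttributeValue>
      <saml:AttributeValue>acme-contractors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:vereid:verification"><saml:AttributeValue>{_VERIFICATION_B64}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def decode_verification(attrs):
    """Decode urn:vereid:verification; None when the IdP did not forward it."""
    values = attrs.get("urn:vereid:verification")
    if not values:
        return None
    claim = json.loads(base64.b64decode(values[0], validate=True))
    # Reject documents that do not carry the two fields the guide relies on.
    if not isinstance(claim.get("tier"), str) or not isinstance(claim.get("badges"), list):
        raise ValueError("verification document missing 'tier' or 'badges'")
    return claim


def map_roles(attrs):
    """Map IdP groups to VEREID roles. Reads 'groups' (Okta) or 'memberOf' (Azure);
    unknown groups are ignored and a missing attribute yields no roles, which is
    the 'group mapping not applied' case from Common issues."""
    groups = attrs.get("groups") or attrs.get("memberOf") or []
    return sorted({GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP})


if __name__ == "__main__":
    a = parse_attributes(SAMPLE_ASSERTION)
    print(decode_verification(a)["tier"], map_roles(a))
```

The mapping is recomputed from the attributes on every call, matching the page's statement that group memberships are not cached; a login whose IdP omitted the group attribute therefore arrives with an empty role list rather than a stale one.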
```python
import base64, json

# `assertion` is the parsed SAML assertion; `attributes` maps attribute name -> value
raw = assertion.attributes["urn:vereid:verification"]
claim = json.loads(base64.b64decode(raw))
print(claim["tier"], claim["badges"])
```
Common issues
- `InvalidNameIDPolicy` — the IdP is configured to send `persistent` but the SP expects `email`. Recreate the SP with NameID format = `persistent` (in step 1).
- `InvalidSignature` — the IdP rotated its signing cert and metadata is stale. Re-upload IdP metadata.
- `AudienceRestriction` mismatch — the IdP-side `Audience` does not match the SP `entityID`. Copy from `vereid-sp.xml` exactly.
- Group mapping not applied — the IdP did not send the groups attribute. Verify with SAMLTrace before debugging on our side.
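An added pre-flight check, not VEREID tooling, for the first three items above: it reads the values an admin must copy out of `vereid-sp.xml` (entityID, ACS URL, NameID format), compares them with what was typed into the IdP, and fingerprints the signing certificate carried in the IdP metadata so a rotation (the stale-metadata case behind `InvalidSignature`) shows up before logins start failing. Both metadata documents are constructed; the tenant ID `t_example`, the IdP host and the certificate bytes are placeholders, and keeping a SHA-256 fingerprint of the last uploaded IdP certificate is a convention assumed here, not a VEREID feature.

```python
# Added example (not VEREID's code): consistency checks over the SP metadata from
# step 1 and the IdP metadata from step 3. Both documents are constructed.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.vereid.com/v1/saml/sp/t_example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.vereid.com/v1/saml/acs/t_example" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Placeholder certificate bytes; a real KeyDescriptor carries a base64 DER certificate.
_CERT_B64 = base64.b64encode(b"constructed: not a real certificate").decode()

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.acme.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.acme.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(sp_xml):
    """The three values the IdP admin must copy from vereid-sp.xml."""
    root = ET.fromstring(sp_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    fmt = root.find("md:SPSSODescriptor/md:NameIDFormat", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location"), "nameid_format": fmt.text}


def idp_settings(idp_xml):
    """SSO URL plus SHA-256 fingerprints of the signing certs (what step 3 extracts)."""
    root = ET.fromstring(idp_xml)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"sso_url": sso.get("Location"), "cert_fingerprints": fingerprints}


def check_idp_config(sp, configured):
    """Compare what was typed into the IdP against vereid-sp.xml; returns a list of findings."""
    findings = []
    if configured.get("audience") != sp["entity_id"]:  # exact match, as the guide requires
        findings.append("AudienceRestriction mismatch: Audience URI must equal entityID %r" % sp["entity_id"])
    if configured.get("acs_url") != sp["acs_url"]:
        findings.append("ACS mismatch: Single Sign-On URL must equal %r" % sp["acs_url"])
    want = sp["nameid_format"].rsplit(":", 1)[-1].lower()  # 'emailaddress' or 'persistent'
    if configured.get("nameid_format", "").lower() != want:
        findings.append("InvalidNameIDPolicy risk: SP expects NameID format %r" % want)
    return findings


def cert_rotated(idp, known_fingerprints):
    """True when none of the IdP's current signing certs is one VEREID already holds."""
    return not any(fp in known_fingerprints for fp in idp["cert_fingerprints"])


if __name__ == "__main__":
    sp = sp_settings(SP_METADATA)
    print(check_idp_config(sp, {"audience": sp["entity_id"], "acs_url": sp["acs_url"], "nameid_format": "EmailAddress"}))
    print(idp_settings(IDP_METADATA)["cert_fingerprints"])
```

Run the metadata fetch on a schedule and compare fingerprints against the last upload: a change with no matching fingerprint is the signal to re-upload IdP metadata in step 3 before the old certificate stops validating.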
Going further
- OIDC claims — the wire format for `vereid_verification`.
- Auth product overview — for the non-SAML, OIDC-only path.
- Contact enterprise@vereid.com if you need SCIM provisioning, JIT user creation, or per-IdP custom domains.