Configuring your SAML Authentication
Configuring your Anvil app with your identity provider’s details
Under Step 1 in the SAML Authentication service, you’ll be able to configure your app with your identity provider’s details.
These details will be available from your chosen identity provider. A common way for these to be provided is as an XML metadata file, but many identity providers will also supply them individually.
If your identity provider doesn’t supply this explicitly, it can be found within the XML metadata file as the
entityID. It may begin with
urn:, or simply be a URL.
This can be found within the identity provider’s XML metadata as
Location within the
SingleSignOnService tag. If your identity provider gives you the option to choose between a Single-Sign-On URL with an
HTTP-POST binding and one with an
HTTP-Redirect binding, choose the one with the
The X509 signing Certificate supplied by your identity provider. It will be available within the metadata as
Anvil expects your Identity Provider to supply an email address in the returned XML during authentication. The email address will then will automatically be extracted it if it’s shared as one of the standard attributes, but otherwise you can enter the name of the XML attribute containing the email address in this field to ensure that it will be extracted. This field is optional.
Configuring your SAML Authentication within Anvil
Under Step 2, you’ll be able to set some options for how your SAML authentication will function in your Anvil app.
Share SAML Configuration with your other apps
If this is ticked, you will be able to use the SAML configuration of your current Anvil app in your other apps, to allow users to authenticate with those apps using the same SAML identity provider. Crucially, it means that the
entityID of your app is shared among all your apps, and is therefore different than when this box is unticked. See Sharing SAML Credentials across Anvil apps for more detail.
If this is ticked, it will ensure that whenever a user is asked to authenticate, they must log in manually every time, even if (for example) they are already logged in with the identity provider in another tab.
This defaults to
RSA-SHA256. It specifies which encryption algorithm will be used to encrypt the signature of the traffic between your Anvil app and your identity provider, as long as the identity provider also supports the specified algorithm.
Configuring your identity provider with your Anvil app’s details
Under Step 3, you’ll be able to access the details you need in order to configure your identity provider to accept authentication requests from your Anvil app.
The metadata can be downloaded with the
Download Service Provider Metadata button, found within the SAML Authentication service section. Some identity providers will allow you to upload this metadata file directly in order to configure them. If not, your EntityID and signing certificate are also displayed explicitly immediately below the download button.
You will also need the Assertion Consumer Service URL for your app. If your app is running on Anvil’s hosted service, this URL is
Do you still have questions?
Our Community Forum is full of helpful information and Anvil experts.