Live Chat

We'll need to share your messages (and your email address if you're logged in) with our live chat provider, Drift. Here's their privacy policy.

If you don't want to do this, you can email us instead at contact@anvil.works.

Quickstart: SAML Authentication

Authenticate with SAML in your Anvil app

Anvil provides a SAML login function to authenticate users with an existing external account, alongside or instead of other user management options .

This quickstart takes you through an example, showing how to configure an Anvil app to authenticate with identities provided by Auth0.

Create an app

Log in to Anvil and click ‘New Blank App’. Choose the Material Design theme.

Location of the Create App button

Enable SAML Authentication

In the App Browser, click the + next to Services.

App Browser showing the plus next to Services

You’ll see a list of available services and integrations. Click on SAML Authentication to add this service to your app.

Services list with SAML Authentication highlighted

Configure the Users Service to use SAML

Add the Users Service, and then click on the ‘Users’ under the Services section to get to the Users configuration page. Here, you’ll be able to enable SAML login, and, optionally, disable email login.

Users Service configuration with SAML Authentication selected and email deselected

Configure your identity provider to trust your Anvil app

When configuring your identity provider for use with Anvil’s SAML authentication, you’ll need some metadata from your Anvil app. This can be downloaded by clicking the ‘Download Service Provider Metadata’ button in the SAML Authentication service section.

Location of the Download Service Provider Metadata button in the SAML Authentication service

You’ll need to use this metadata to configure your identity provider. Below is an example from Auth0, showing how it uses this metadata from the XML metadata file.

Your chosen identity provider will have their own method of using the metadata provided by the ‘Download Service Provider Metadata’ button. Many will allow direct upload of this XML file.

The following example specifically shows how Auth0 uses this data.

These instructions are specific to Auth0; your IdP will vary. See Auth0’s SAML documentation for more details.

From your Auth0 dashboard, go to Applications, and create an app. Click on that app and go to its ‘Addons’ tab, under which you will be able to toggle the ‘SAML2 Web App’ add-on.

Once toggled to ‘True’, clicking on that ‘Addon’ box will bring up the following page, which is where Auth0 requires the metdata from your Anvil app. Auth0 does not have a feature allowing direct upload of XML metadata.

Configuring Auth0 to trust an Anvil app

In this example, the Application Callback URL is how Auth0 refers to the Location, the audience is the entityID, and the signingCert is the X509Certificate.

Configure your Anvil app to trust your identity provider

Now you need to do the converse of the above; your identity provider will also supply some metadata to allow you to configure your Anvil app. In particular, you need the data to fill in the following fields, found at the top of the SAML Authentication service configuration:

Location of the Identity Provider configuration in the SAML Authentication service

These details should either be provided to you explicitly by your identity provider, or supplied in the form of an XML file.

For more details, see Configuring Options for SAML Authentication.

Call the login function

When users visit your app, we want to display the login box immediately. We can do that by calling anvil.users.login_with_form() in the __init__ method of Form1 as follows:

Click on Form1 in the App Browser.

Form1 in the App Browser

Go to the Code view to see the code for Form1.

Form1 in the App Browser

In the __init__ method, add these lines:

    anvil.users.login_with_form()

    print(f"You are logged in as: {anvil.users.get_user()['email']}")

Run your app and log in

Now click the ‘Run’ button at the top of the screen.

Run app button at the top of the Anvil Editor

Your app will run and display a dialog allowing you to authenticate with SAML. If you have not disabled email login, the email login dialog will also display in this form.

A running app showing a dialog with a link that says 'Login with SAML'.

Click ‘Log In with SAML’ to authenticate. A new window will open, allowing you to log in with your chosen identity provider.

You are now logged into your app. The Output Panel has printed the email address you logged in with:

The Output Panel with a message giving the email address you are logged in with via SAML.

Next Up

Want more depth on this subject?

SAML authentication has more options for configuration; see here for more details.

Want another quickstart?

Every quickstart is on the Quickstarts page.