# SAML2.0 Application Setup #

Many applications support the use of SAML2.0 Authentication with an SSO Portal. For these external applications, you can use the SAML2.0
Xiid Application to integrate into any of the [SSO Portals](./configure_ad_agent.md#sso-portal-setup) you have created on your Xiid.IM Agent.
Follow the steps below to integrate any pure SAML2.0 supported applications into your SSO Portals.

## Xiid.IM SAML2.0 Application Configuration ##

Start by signing in to the Xiid Agent Management Portal and navigating to the __Applications__ tab.

On the Applications screen, click the purple __Choose__ button in the __SAML2.0__ card.

On the Applications List for SAML2 screen, click the purple __+ Add Application__ button in the top right.

In the __Portal__ dropdown, select the SSO Portal you would like enable access to this external application.

Provide a __Description__ for the application and then click the purple __Next__ button.

In the Parameters section, provide the __Domain__ associated to the external application. If you do not have a domain associated with the
external application, use the domain name associated with your user login.

For the __Access Point__ field, enter the initial entry point for the *Identity Provider* Initiated SAML request. The Access Point will be defined
by the *Service Provider* and will vary by SPs, however it is often described as the *Service Provider Login URL*.

__Note:__ The Access Point is __not__ the *Assertion Consumer Service* (or ACS). The ACS is used later in the SAML authentication flow and must
be provided in the SAML payloads by the Service Provider.

After reviewing the information, click the purple __Save__ button to finish setting up the SAML2 Application Configurations for the Xiid.IM Agent.

## Service Provider Setup ##

The Service Provider Setup will vary by each SP. In a general sense, you need to enable SSO Authentication from the Administrator portal for your
third-party Application.

After SSO Sign-In has been enabled, you will need to provide the SSO and SLS URLs to the Service Provider so that the
SP knows where to route login requests, handle the sign-in redirects, and handle logout from the application.

To acquire the SSO and SLS URLs, navigate to the __Applications List for SAML2__ screen in the Xiid Agent Management Portal, find your SAML2
Application in the table, and click the purple __Question Mark (?)__ button on the left side of the row. (Shown below in green)

![SAML2 Application Table with question mark highlighted](images/saml2genericquestionmark.png)

After clicking the Question Mark button, you will be taken to the __Help for SAML2 Application__ screen, which will display your SSO and SLS
URLs.

Use the purple __Copy__ buttons to copy the SSO and SLS URLs into their respective fields into your *Service Provider* SSO Configurations.

__Note:__ Each SAML2 Application generates its own SSO, SLS and public certificate. Do not attempt to re-use the same URLs or certificates
across Xiid Applications or they will not work.

After copying the SSO and SLS URLs into the SAML Metadata Configuration for the *Service Provider*, the last step is to copy the public certificate
from the Xiid.IM Agent over to the Service Provider.

Click the purple __Next__ button from the SSO/SLS screen, and then click the purple __Download Certificate__ button.

A .pem file will be downloaded to your machine. Depending on the Service Provider, you will either need to upload the whole PEM file or copy the
contents of the certificate and paste it into the field in your Service Provider's configuration portal.

After the *SAML Trust Relationship* has been established between the Service Provider and the Identity Provider, your SAML Application will be available
in the designated SSO Portal for use.