{"type":"doc","content":[{"type":"paragraph","content":[{"text":"This page provides documentation on integrating an Identity Provider (IdP) with Unique's authentication system, enabling a seamless and secure SSO experience for the users. Unique uses ","type":"text"},{"text":"Zitadel","type":"text","marks":[{"type":"link","attrs":{"href":"https://zitadel.com/"}}]},{"text":" as its Identity and Access Management (IAM) solution and various IdPs can be connected to it for allowing users to login via Single Sign-On.","type":"text"}]},{"type":"rule"},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"6"},"outline":{"value":"false"},"style":{"value":"none"},"type":{"value":"list"},"printable":{"value":"true"}},"macroMetadata":{"macroId":{"value":"b543d5d0-0a9a-42fe-abd9-862a48cbd884"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"fce98089-0933-487b-9607-0dd7e73a8b42"}},{"type":"rule"},{"type":"heading","attrs":{"level":1},"content":[{"text":"Supported Identity Providers","type":"text"}]},{"type":"paragraph","content":[{"text":"Unique supports all the IDPs that Zitadel supports in the version that is deployed on the environment where SSO will be setup. The list of supported identity providers can be found in Zitadel’s documentation in the ","type":"text"},{"text":"“Configuring IdP Providers” section","type":"text","marks":[{"type":"link","attrs":{"href":"https://zitadel.com/docs/guides/integrate/identity-providers/introduction#configuring-idp-providers"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"This documentation includes a guide for setting up SSO with Microsoft Entra ID, Generic OIDC and SAML, and will be expanded in the future with guides for other providers as needed.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Microsoft Entra ID (OIDC)","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"In case ","type":"text"},{"text":"SCIM","type":"text","marks":[{"type":"strong"}]},{"text":" will be used for ","type":"text"},{"text":"user provisioning","type":"text","marks":[{"type":"strong"}]},{"text":" - visit ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://unique-ch.atlassian.net/wiki/x/S4B4Ow"}},{"text":" and setup the enterprise application for SCIM first following the documentation.","type":"text"}]},{"type":"paragraph","content":[{"text":"After setting up the enterprise application for SCIM you will already have a linked app registration created by Entra ID. Proceed with the step ","type":"text"},{"text":"“Configure app registration after SCIM setup” ","type":"text","marks":[{"type":"em"}]},{"text":"on this page (skipping the “Create an app registration” step).","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Create an app registration","type":"text"}]},{"type":"paragraph","content":[{"text":"An App Registration needs to be created in Microsoft Azure. This can be done in Azure under ","type":"text"},{"text":"App registrations > New registrations","type":"text","marks":[{"type":"link","attrs":{"href":"https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false"}}]},{"text":".","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":904,"alt":"c23f3ac4-5541-4783-86fe-2cd4abfab18f.png","id":"40248baa-da10-4e55-988f-ba6a2dab74ee","collection":"contentId-551616521","type":"file","height":802}},{"type":"caption","content":[{"text":"Registering an app registration in Azure","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Configure the following:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Choose a name (e.g.: “Unique AI”)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select who should have access to this application","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Redirect URL → select “Web” and enter the callback URL for the environment you’re running on","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Redirect URL is environment specific","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Multitenant (Europe)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id.unique.app/ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Multitenant (US)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id.us.unique.app/ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Single tenant","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id..unique.app/ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Customer managed tenant","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https:///ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configure app registration after SCIM setup","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Skip this section in case you did not setup SCIM with an enterprise app and proceed with the ","type":"text"},{"text":"“Authentication” ","type":"text","marks":[{"type":"em"}]},{"text":"step.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"After setting up the enterprise application for the user provisioning via SCIM, Entra ID will automatically create a corresponding app registration. This app registration must be configured to use “Web” as a platform and the redirect URL must be added to enable users to login via SSO to Unique.","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1506,"alt":"Screenshot 2025-02-25 at 20.57.54-20250225-195937.png","id":"e5264fec-fdd3-4a17-8d8c-3d7d9f2ecc42","collection":"contentId-551616521","type":"file","height":820}},{"type":"caption","content":[{"text":"Add “Web” as the platform in the authentication section of the app registration.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"You will be prompted to enter the redirect URL for the application.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Redirect URL is environment specific","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Multitenant (Europe)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id.unique.app/ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Multitenant (US)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id.us.unique.app/ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Single tenant","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id..unique.app/ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Customer managed tenant","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https:///ui/login/login/externalidp/callback","type":"text","marks":[{"type":"code"}]}]}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Proceed now with the next section (“Authentication”) to finish the authentication setup for the app registration.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Authentication","type":"text"}]},{"type":"paragraph","content":[{"text":"After the app registration has been created, navigate to the “Authentication” section and make sure the “Access tokens” and “ID tokens” settings are selected. This is to ensure that the Access token and ID token are issued and sent along when a user uses SSO to login to Unique.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ID token → contains information about the user (name, email, group IDs)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access token → used for making an additional Microsoft GraphAPI request to get the group names","type":"text"}]}]}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":2526,"alt":"Screenshot 2024-06-14 at 09.22.52-20240614-072313.png","id":"69922863-3921-4958-90da-6433262b4c53","collection":"contentId-551616521","type":"file","height":1506}},{"type":"caption","content":[{"text":"Configure Access tokens and ID tokens to be included with SSO","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Token configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Next navigate to the “Token configuration” section and add necessary claims to the token. This is to ensure that the needed claims are sent on the ID token.","type":"text"}]},{"type":"paragraph","content":[{"text":"If you want to be able to sync your user groups from Azure to Unique, make sure to also add the groups claim as shown in the second screenshot below. What kind of groups you want to include on the groups claim is ultimately up to you. Unique recommends to include only the groups assigned to the application in order to have more control over what groups are synced and avoid exceeding the limit on the number of groups that can be included on the ID token.","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":2516,"alt":"Screenshot 2024-05-29 at 11.13.01-20240529-091403.png","id":"a7a3a3b8-9104-45e9-a983-51325e5972aa","collection":"contentId-551616521","type":"file","height":1492}},{"type":"caption","content":[{"text":"Token configuration - add necessary claims","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":2516,"alt":"Screenshot 2024-05-29 at 13.28.00-20240529-112901.png","id":"1a1b88a9-4019-4f3e-b48d-7e4d5c4106ef","collection":"contentId-551616521","type":"file","height":1492}},{"type":"caption","content":[{"text":"Token configuration - add groups claim","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"API permissions","type":"text"}]},{"type":"paragraph","content":[{"text":"Under the “API permissions” navigation entry you need to configure the correct permissions for the Microsoft Graph API. The permissions should include:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"email","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"openid","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"profile","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"User.Read","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"GroupMember.Read.All ","type":"text"},{"text":"(only when not using SCIM for provisioning)","type":"text","marks":[{"type":"em"}]}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"GroupMember.Read.All","type":"text","marks":[{"type":"code"}]},{"text":" permission (","type":"text"},{"type":"inlineCard","attrs":{"url":"https://learn.microsoft.com/en-us/graph/permissions-reference#groupmemberreadall"}},{"text":" ) is only required in cases where SCIM is not used to provision users and groups. If you setup SCIM - skip adding this API permission.","type":"text"}]},{"type":"paragraph","content":[{"text":"GroupMember.Read.All","type":"text","marks":[{"type":"code"}]},{"text":" requires admin consent to be enabled. This permission is needed to query the group names via the Microsoft Graph API on behalf of the user. The ID token groups claim includes only the groups' IDs and to be able to sync the user’s Entra ID groups to Unique we require an ID and a name.","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"},{"text":"For more information on the syncing of user groups, refer to this page: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/519962625"}},{"text":" ","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":2630,"alt":"Screenshot 2024-06-18 at 12.13.43-20240618-101404.png","id":"19db2f10-f3c0-4822-9104-bf06e75fb5c3","collection":"contentId-551616521","type":"file","height":1512}},{"type":"caption","content":[{"text":"Ensure the correct API permissions are set","type":"text"}]}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"GroupMember.Read.All","type":"text","marks":[{"type":"code"}]},{"text":" permission needs to be manually added. This can be done by clicking on t","type":"text"},{"text":"he “+ Add a permission”","type":"text","marks":[{"type":"em"}]},{"text":" button on the top of the list. Select the “Microsoft Graph” API and choose the “Delegated permissions” tab on top. This allows the Unique solution to query the group names for the group IDs received in the groups claim on the ID token.","type":"text"}]},{"type":"paragraph","content":[{"text":"Make sure that the status column indicates “Granted for …” for all the added API permissions. The ","type":"text"},{"text":"GroupMember.Read.All","type":"text","marks":[{"type":"code"}]},{"text":" permissions requires explicitly granting admin consent by using the “Grant admin consent for …” button above the permission list.","type":"text"}]},{"type":"paragraph"},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":2868,"alt":"Screenshot 2024-06-18 at 12.15.55-20240618-101622.png","id":"701e2217-441e-4bcf-90bf-28ce2e9ff10f","collection":"contentId-551616521","type":"file","height":1512}},{"type":"caption","content":[{"text":"Adding the ","type":"text"},{"text":"GroupMember.Read.All","type":"text","marks":[{"type":"code"}]},{"text":" API permission for the Microsoft Graph API","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":2868,"alt":"Screenshot 2024-06-18 at 12.17.40-20240618-101805.png","id":"2fe8f359-207e-4b95-a540-4545ac693cb8","collection":"contentId-551616521","type":"file","height":1512}},{"type":"caption","content":[{"text":"Granting admin consent for the permissions.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Certificates & secrets","type":"text"}]},{"type":"paragraph","content":[{"text":"After the application has been registered and configured, create a Client Secret by navigating to “Certificates & secrets” and copy the value of the secret. The secret is only visible once and is needed in order to setup SSO with Unique.","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":984,"alt":"app-registration-client-secret.png","id":"f7c7bf17-e874-49df-8c0e-eefffd26f2ba","collection":"contentId-551616521","type":"file","height":780}},{"type":"caption","content":[{"text":"Creating a client secret for the App registration in Azure","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Required information for setting up SSO","type":"text"}]},{"type":"paragraph","content":[{"text":"Now all the information required to setup SSO for the Unique solution using Microsoft Entra ID (OIDC) is available.","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1227,"alt":"rd.png","id":"7ffacaca-d4ce-449e-ad6f-579ae19248fa","collection":"contentId-551616521","type":"file","height":784}},{"type":"caption","content":[{"text":"Client ID and Tenant ID visible in App registration detail view in Azure","type":"text"}]}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"These are the ","type":"text"},{"text":"required values","type":"text","marks":[{"type":"strong"}]},{"text":" that are needed to setup SSO.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Client ID","type":"text","marks":[{"type":"strong"}]},{"text":" - ","type":"text"},{"text":"(found under “Application (client) ID”)","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Client Secret","type":"text","marks":[{"type":"strong"}]},{"text":" - ","type":"text"},{"text":"(copied after creation)","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Tenant ID","type":"text","marks":[{"type":"strong"}]},{"text":" - ","type":"text"},{"text":"(found under “Directory (tenant) ID”)","type":"text","marks":[{"type":"em"}]}]}]}]},{"type":"paragraph","content":[{"text":"If you are running on a Unique managed environment (Multi- or Single-tenant), then this is all you need. Provide these values to Unique in a ","type":"text"},{"text":"secure way","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff5630"}},{"type":"strong"}]},{"text":" (sensitive client credentials) and Unique will take care of enabling SSO for your organization.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"SAML","type":"text"}]},{"type":"paragraph","content":[{"text":"Zitadel is able to connect to any identity provider that supports SAML. SAML can even be used in a closed network not available from the internet.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"paragraph","content":[{"text":"You need to register a new client with your SAML provider and provide us with either the ","type":"text"},{"text":"Metadata URL","type":"text","marks":[{"type":"em"}]},{"text":" or the ","type":"text"},{"text":"Metadata XML","type":"text","marks":[{"type":"em"}]},{"text":". In case of an internal network not reachable from the internet only the ","type":"text"},{"text":"Metadata XML ","type":"text","marks":[{"type":"em"}]},{"text":"is possible.","type":"text"}]},{"type":"paragraph","content":[{"text":"How to setup Okta SAML as an example you can check here: ","type":"text"}]},{"type":"blockCard","attrs":{"url":"https://zitadel.com/docs/guides/integrate/identity-providers/okta-saml#okta-configuration"}},{"type":"paragraph","content":[{"text":"On the multitenant system we additionally need the ","type":"text"},{"text":"E-Mail domain","type":"text","marks":[{"type":"em"}]},{"text":" that the users will be using to login.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configuring Zitadel","type":"text"}]},{"type":"paragraph","content":[{"text":"On the ","type":"text"},{"text":"settings","type":"text","marks":[{"type":"em"}]},{"text":" tab you need to ","type":"text"},{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" ","type":"text"},{"text":"Allow External Login ","type":"text","marks":[{"type":"strong"}]},{"text":"and you need to remove all 2FA methods and ","type":"text"},{"type":"emoji","attrs":{"id":"atlassian-cross_mark","text":":cross_mark:","shortName":":cross_mark:"}},{"text":" ","type":"text"},{"text":"Disable Username and password","type":"text","marks":[{"type":"strong"}]},{"text":". The only ","type":"text"},{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" that should be checked is for external login!","type":"text"}]},{"type":"paragraph","content":[{"text":"Then create a SAML SP ","type":"text"},{"text":"Identity Provider","type":"text","marks":[{"type":"em"}]},{"text":". Give it a name and either paste the ","type":"text"},{"text":"Metadata XML","type":"text","marks":[{"type":"em"}]},{"text":" in ","type":"text"},{"text":"base64 encoded form","type":"text","marks":[{"type":"strong"}]},{"text":" into the ","type":"text"},{"text":"Metadata XML","type":"text","marks":[{"type":"em"}]},{"text":" field, or give the Metadata URL in the respective field.","type":"text"}]},{"type":"paragraph","content":[{"text":"Choose SAML_BINDING_POST and activate:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" Signed Request","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" Automatic Creation","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" Automatic Update","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" Account creation allowed","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Do not forget to ","type":"text"},{"text":"activate","type":"text","marks":[{"type":"strong"}]},{"text":" the new Identity Provider with the ","type":"text"},{"type":"emoji","attrs":{"id":"2705","text":"✅","shortName":":white_check_mark:"}},{"text":" icon. ","type":"text"},{"text":"Account linking","type":"text","marks":[{"type":"em"}]},{"text":" should never be activated for security reasons.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configuring SAML provider with Zitadel metadata","type":"text"}]},{"type":"paragraph","content":[{"text":"After configuring the SAML SP Identity Provider click on it again and check the URL. It will end with a sequence of numbers ","type":"text"},{"text":"ui/console/org/provider/saml/","type":"text","marks":[{"type":"code"}]},{"text":". Copy the ","type":"text"},{"text":"SAML-PROVIDER-ID","type":"text","marks":[{"type":"code"}]},{"text":" for the next step (the numbers). ","type":"text"}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"Zitadel documentation claims that you see the metadata URLs after creating the provider, but we never saw this screen, so the only reliable way is to copy the provider ID from the URL.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"If Zitadel is reachable from your SAML instance you can configure the following URL as ","type":"text"},{"text":"Metadata URL","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Multitenant (Europe)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id.unique.app/idps//saml/metadata","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Multitenant (US)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id.us.unique.app/idps//saml/metadata","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Single tenant","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://id..unique.app/idps//saml/metadata","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Customer managed tenant","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https:///idps//saml/metadata","type":"text","marks":[{"type":"code"}]}]}]}]}]}]},{"type":"paragraph","content":[{"text":"If it is not reachable you either get the ","type":"text"},{"text":"Metadata XML","type":"text","marks":[{"type":"em"}]},{"text":" from us or you can download it from the respective URL above and configure it in your SAML IDP.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Zitadel is using signing and encryption for the SAML communication, and we configured Zitadel to only accept signed requests. There might be additional steps necessary in your SAML provider to work correctly with signing and encryption. ","type":"text"}]}]},{"type":"rule"},{"type":"table","attrs":{"layout":"default","width":507.0,"localId":"d6a15ea7-1fdd-4d98-abf3-02c978f1d5ba"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[111.0]},"content":[{"type":"paragraph","content":[{"text":"Author","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"#ffffff","rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"type":"mention","attrs":{"id":"63eb588daf665dfde8905c67","text":"@Sandro Camastral"}},{"text":" ","type":"text"}]}]}]}]},{"type":"paragraph"}],"version":1}

Browser not supported