SAML Registration with Identity Providers

This guide explains the settings you need to configure SAML with your Identity Provider. Once configured, obtain an XML metadata file and use it to configure SAML in Formbricks.

Note: Please do not add a trailing slash at the end of the URLs. Create them exactly as shown below.

Assertion consumer service URL / Single Sign-On URL / Destination URL: https://app.formbricks.com/api/auth/saml/callback

Entity ID / Identifier / Audience URI / Audience Restriction: https://saml.formbricks.com

Response: Signed

Assertion Signature: Signed

Signature Algorithm: RSA-SHA256

Assertion Encryption: Unencrypted

NameID Format: EmailAddress

Application username: email

Mapping Attributes / Attribute Statements:

  • Name claim:

    If your IdP has a name claim, set the following claims to populate the name field:

    | Name | Name Format | Value     |
    | ---- | ----------- | --------- |
    | name | Basic       | user.name |

    Many IdPs do not have a name claim. If yours does not, you can use other claims to populate the name field. The order of precedence is name -> other options -> email.

    Other options:

    | Name      | Name Format | Value                 |
    | --------- | ----------- | --------------------- |
    | firstName | Basic       | FIRST_NAME_EQUIVALENT |
    | lastName  | Basic       | LAST_NAME_EQUIVALENT  |

    Refer to the table below for the different claims you can use for each IdP.

    | IdP                           | FIRST_NAME_EQUIVALENT             | LAST_NAME_EQUIVALENT              |
    | ----------------------------- | --------------------------------- | --------------------------------- |
    | Okta                          | user.firstName                    | user.lastName                     |
    | Microsoft Entra ID (Azure AD) | user.givenName                    | user.surname                      |
    | Google Workspace              | user.given_name / user.firstName  | user.family_name / user.lastName  |
    | OneLogin                      | user.FirstName / user.first_name  | user.LastName / user.last_name    |
    | Auth0                         | user.given_name                   | user.family_name                  |
    | JumpCloud                     | user.firstname                    | user.lastname                     |

    The claims listed above may differ depending on your configuration and the IdP you are using. Refer to your IdP's documentation for the correct claims.

SAML With Okta

1. Create an application with your SAML provider

   For example, in Okta, once you create an account, you can click on Applications on the sidebar menu.

2. Click on Create App Integration

3. Select SAML 2.0 in the modal form, and click Next

4. Fill in the general settings as shown and click Next

5. Enter the SAML Integration Settings as shown and click Next

     • Single Sign-On URL: https://<your-formbricks-instance>/api/auth/saml/callback or http://localhost:3000/api/auth/saml/callback (if you are running Formbricks locally)
     • Audience URI (SP Entity ID): https://saml.formbricks.com

6. Fill in the field mappings as shown and click Next

7. Check the internal app checkbox and click Finish

8. Check that the app is created successfully

9. Click on the app and head over to the Assignments tab

10. Click on the Assign button and select Assign to People

11. Select the users you want to assign the app to and click Assign

12. Head over to the Sign On tab and click on the 'view SAML setup instructions' button

13. Scroll to the bottom and copy the IDP metadata

14. Copy the IDP metadata and paste it in the `connection.xml` file in the `formbricks/saml-connection` directory

That’s it. Now when you try to log in with SSO, your application on Okta will handle the authentication.