SAML SSO Integration

Overview

DefensX supports both Service Provider (SP)-initiated and Identity Provider (IdP)-initiated SAML SSO flows, providing the flexibility needed to support a wide range of authentication scenarios.

If your Identity Provider supports modern Federation Metadata URL functionality, you can complete the SAML integration in just two simple steps by exchanging metadata URLs between DefensX and your IdP.

Alternatively, you can perform a manual setup by downloading and uploading the metadata XML files between both systems.

Generic Instructions

Regardless of your Identity Provider, all SAML SSO configurations require a few essential elements. The naming and steps may vary slightly depending on the IdP, but the core components remain the same.

Key Concepts

  • In this configuration, DefensX acts as the Service Provider (SP), and your system (e.g., Okta, Azure AD, ADFS) is the Identity Provider (IdP).

  • You will need to configure the following on your IdP:

    • DefensX Identifier (also known as Entity ID)

    • Assertion Consumer Service (ACS) URL (may also be referred to as the Reply URL)

    • DefensX public signing certificate (optional for some IdPs)

  • On the DefensX side, you’ll need to provide:

    • Your IdP’s Entity ID

    • The IdP’s public certificate

Configuration Methods

Method 1: Federation Metadata URL (Recommended)

If both DefensX and your Identity Provider support Federation Metadata URLs, setup becomes extremely simple. Just exchange the metadata URLs between DefensX and your IdP—no manual data entry required. All necessary fields (Entity ID, ACS URL, certificates) will be auto-populated.

Method 2: Metadata XML Upload

If your Identity Provider supports metadata file uploads but does not accept metadata via URL, you can download the DefensX Metadata XML file and upload it to your IdP. This also automates the setup by importing all necessary values.

Method 3: Manual Configuration

If your Identity Provider does not support metadata URL or file-based configuration, you will need to manually copy and paste the following information into your IdP settings:

  • DefensX Identifier (Entity ID)

  • ACS URL (Reply URL)

  • DefensX Public Certificate

Then, enter your IdP’s Entity ID and Certificate into the corresponding fields in the DefensX admin portal.

Microsoft Entra ID Integration

To configure SAML SSO integration with Microsoft Entra ID, follow the steps below:

  • Navigate to the Entra Admin Portal and go to Enterprise Applications.

  • Click + New Application.

  • In the pane that appears on the right, click Create your own application.

  • Enter a descriptive name in the What’s the name of your app? field (e.g., DefensX SAML SSO).

  • For the prompt What are you looking to do with your application?, select the third option: Integrate any other application you don’t find in the gallery (Non-gallery) and click on the Create button.

Once the application is created:

  • In the application’s Overview page, under the Manage section, click Single sign-on.

  • Select SAML as the single sign-on method.

  • Now, in a separate tab, open the DefensX Admin Portal, navigate to Settings → SAML SSO Integration, and click Enable SAML Integration.

  • Because Microsoft Entra only supports uploading metadata XML, click Download Federation Metadata XML in the DefensX portal.

  • Return to the Microsoft Entra Admin Portal and click Upload metadata file.

  • Select the metadata XML file you downloaded from DefensX and click Add.

  • A panel will appear on the right. Wait a few seconds, then click Save to confirm.

  • If a prompt appears asking "Test single sign-on with DefensX?", choose No, I’ll test later since the configuration isn’t complete yet.

  • After uploading the metadata, the Identifier (Entity ID) and Reply URL (ACS) fields will be automatically populated.

  • Copy the App Federation Metadata URL from Microsoft Entra and paste it into the IdP Federation Metadata URL field in the DefensX configuration screen.

  • Leave the remaining fields as default and click Update in the DefensX portal to complete the integration.

Optional: Customize and Manage Access

  • You may optionally update the logo for the newly created DefensX application in the Entra portal.

  • Like other enterprise applications, you can control user access, assign groups, and define whether user assignment is required.

Okta Integration

To configure SAML SSO integration with Okta, follow the steps below:

  • Log in to the Okta Admin Console, navigate to Applications → Applications, and click the Create App Integration button.

  • On the next screen, choose SAML 2.0 as the Sign-in method, then click Next.

  • Enter a descriptive name such as DefensX SAML in the App name field. Optionally, you can upload the DefensX logo.

  • Click Next to proceed.

  • In a new browser tab, open the DefensX Admin Portal and go to Settings → SAML SSO Integration.

  • Click Enable SAML SSO Integration to reveal the required information.

Back in the Okta configuration screen:

  • Copy the DefensX ACS URL and paste it into the Single sign-on URL field in Okta.

  • Copy the DefensX Identifier (Entity ID) and paste it into the Audience URI (SP Entity ID) field.

  • Set the Application username field to Email.

  • Scroll down and click Next.

  • For the App type, select the This is an internal app that we have created option and click Finish.

  • On the application’s Sign On tab in Okta, locate the Metadata URL and copy it.

  • Return to the DefensX Admin Portal and paste this URL into the IdP Federation Metadata URL field.

  • Leave the other fields as default and click the Update button to complete the setup on the DefensX side.

  • Assign users or user groups to the newly created DefensX SAML application from the Assignments tab in Okta. You can control which users have access based on your organizational needs.

Duo Integration

To configure SAML SSO between Duo and DefensX, follow the steps below:

  • Add a New Generic SAML Application in Duo

    • Log in to your Duo Admin Console.

    • Navigate to Applications → Application Catalog.

    • In the Search Applications box, type Generic SAML, and click + Add next to Generic SAML Service Provider.

    • Set the Application Name to something descriptive, such as DefensX SAML.

  • Configure User Access

    • In the User Access section, select Enable for all users to allow all users to authenticate via DefensX.

    • Or choose specific groups if you want to limit access.

  • Retrieve Duo Metadata URL

    • Under the Metadata section, find the Metadata URL.

    • Click Copy to copy the Duo metadata URL to your clipboard.

  • Configure Duo Metadata in DefensX

    • In a new browser tab, open your DefensX Backend Console.

    • Navigate to Settings → SAML SSO Integration.

    • Click Enable SAML Integration.

    • Paste the Duo Metadata URL into the IdP Federation Metadata URL field.

  • Register DefensX Metadata in Duo

    • Back in the Duo Admin Console, scroll to the Service Provider section.

    • Under Metadata Discovery, click the dropdown and select Metadata XML URL.

    • In DefensX Backend, copy the DefensX Metadata URL.

    • Paste this URL into the input box in Duo and click Populate.

  • Finalize Duo Settings

    • Leave all other Duo settings at their default values unless you have specific policy requirements.

    • Click Save in the Duo Admin Console.

  • Finalize DefensX Settings

    • Switch back to the DefensX console.

    • Click Update to save and activate the integration.

You can now try logging in to the DefensX Backend via Duo SSO. Select Sign-in with SSO on the DefensX login screen and enter an email address that is already configured on your DefensX tenant. You will be redirected to Duo for authentication.