Configure SAML (Security Assertion Markup Language)


Prerequisites

Before configuring SAML, ensure you have:

  • Organisation Administrator access to Discngine Admin Center
  • Administrator access to your Identity Provider (Azure AD, Okta, Ping, ADFS, etc.)
  • Permissions to create a SAML application in your Identity Provider

Overview

SAML 2.0 (Security Assertion Markup Language) allows your corporate Identity Provider to authenticate users into Discngine applications. This guide walks you through all the steps to configure a SAML Identity Provider in the Discngine Admin Center.

SAML setup is an exchange of values between Admin Center and your IdP, performed in this order:

  1. Create the provider in Admin Center with the IdP Endpoint (the IdP's Single Sign-On URL) and save it. Saving generates the Service Provider (SP) values the IdP needs: the Identifier (Entity ID) and the Reply URL (ACS URL).
  2. Register Admin Center as a Service Provider (SP) in your IdP using those two values, and download the IdP's SAML signing certificate.
  3. Edit the provider again in Admin Center, upload the signing certificate, then enable the provider for the applications that should use it.

⚠️ Note: The certificate is uploaded in a second edit of the provider, after the initial save; the values generated by that save are what you register in the IdP in Step 2. Until the IdP certificate is uploaded, signed responses from the IdP cannot be validated, so complete Step 3 before enabling the provider for users.

Step 1 — Create the SAML Provider in Admin Center

Navigate to Identity Providers

  1. Log in to Discngine Admin Center as an Organisation Administrator.
  2. Navigate to Identity Providers in the left sidebar or via the home page card.
  3. Click New Provider +.

Fill in the Provider Form

Provider Type (required): Select Security Assertion Markup Language (SAML).
Provider Name (required): A display name for this provider (e.g. Azure AD SAML, Okta SAML).
Enabled (required): Toggle to enable or disable the provider.
Image URL (optional): URL of an icon image displayed on the login button.
Button Text (required): Text shown on the SSO login button (e.g. Login with Okta).
IdP Endpoint (required): The SAML Single Sign-On URL provided by your IdP (e.g. https://login.microsoftonline.com/{tenantId}/saml2).
Email Claim (optional): The name of the SAML attribute that carries the user's email address. If not set, the assertion's NameID value is used. For Azure AD the attribute name is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
Login Hint (optional): Set to Yes to forward the email address entered on the login page to the IdP as a login hint when the HTTP-Redirect binding is used.
Managed Domain (optional): One or more email domains handled by this provider. When set, the login page collects the email address first and silently redirects users whose domain matches to the IdP; no login button is shown for these domains.

Click Save to create the provider. The following read-only values are then generated:

Provider UUID: The unique internal identifier for this provider.
Identifier (Entity ID): The SP Entity ID to register in your IdP: https://account-dac.discngine.cloud/samlv2/sp/{uuid}
Reply URL (ACS URL): The Assertion Consumer Service URL to register in your IdP: https://account-dac.discngine.cloud/samlv2/acs

Step 2 — Register the SP in Your Identity Provider

Take the Identifier (Entity ID) and Reply URL values from the Admin Center provider form and register them in your Identity Provider.

Azure Active Directory / Microsoft Entra ID

  1. In the Azure Portal, navigate to Azure Active Directory → Enterprise applications → New application → Create your own application.
  2. Choose Integrate any other application you don't find in the gallery (Non-gallery) and give it a name.
  3. Navigate to Single sign-on → Select SAML.
  4. Edit Basic SAML Configuration:
    • Identifier (Entity ID): paste the value from Admin Center
    • Reply URL (ACS URL): paste the value from Admin Center
  5. Save the SAML configuration.
  6. Download the Certificate (Base64) from the SAML Signing Certificate section.

Okta

  1. In the Okta Admin Console, navigate to Applications → Create App Integration → SAML 2.0.
  2. In the SAML Settings:
    • Single sign-on URL: paste the Reply URL from Admin Center
    • Audience URI (SP Entity ID): paste the Identifier (Entity ID) from Admin Center
  3. Complete the wizard and download the Signing Certificate (.pem format) from the Sign On tab.

Other Providers

Consult your IdP documentation for the exact procedure. The information you need is:

  • ACS URL / Reply URL / Callback URL → paste the Reply URL from Admin Center
  • Entity ID / Audience / SP Entity ID → paste the Identifier (Entity ID) from Admin Center
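Some IdPs (ADFS, PingFederate, Keycloak and others) prefer to import an SP metadata file instead of having the Entity ID and ACS URL typed in field by field. The following script, an added example and not part of Discngine's product or documentation, builds such a file from the two values shown in the Admin Center provider form. It assumes the Reply URL accepts the HTTP-POST binding (the standard binding for an ACS), asks the IdP to sign assertions (which is what the uploaded IdP certificate is checked against), and advertises the emailAddress NameID format because the page states that NameID is used as the email when no Email Claim is configured; the UUID in the Entity ID is a constructed placeholder.

```python
"""Generate SAML 2.0 SP metadata from the Admin Center Entity ID and Reply URL.

Added example, not Discngine code. Assumptions (not stated on the page):
  - the ACS accepts the HTTP-POST binding;
  - the IdP is asked to sign assertions (WantAssertionsSigned);
  - NameID is advertised in emailAddress format.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("md", NS_MD)

# Values copied from the provider form after Save; the UUID is a constructed placeholder.
ENTITY_ID = "https://account-dac.discngine.cloud/samlv2/sp/00000000-0000-4000-8000-000000000000"
ACS_URL = "https://account-dac.discngine.cloud/samlv2/acs"


def build_sp_metadata(entity_id: str, acs_url: str) -> bytes:
    """Return an md:EntityDescriptor with one HTTP-POST AssertionConsumerService."""
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{NS_MD}}}SPSSODescriptor", {
        # Assumption: signatures are validated against the uploaded IdP certificate.
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = NAMEID_EMAIL
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": BINDING_POST,
        "Location": acs_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def read_sp_metadata(xml_bytes: bytes) -> dict:
    """Read back the values an IdP administrator should see after importing the file."""
    root = ET.fromstring(xml_bytes)
    acs = root.find(f"{{{NS_MD}}}SPSSODescriptor/{{{NS_MD}}}AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "binding": acs.get("Binding"),
    }


if __name__ == "__main__":
    with open("discngine-sp-metadata.xml", "wb") as fh:
        fh.write(build_sp_metadata(ENTITY_ID, ACS_URL))
```

After importing the file, confirm in the IdP that the Entity ID and ACS URL it displays are byte-for-byte identical to the Admin Center values; a trailing slash or a different UUID is enough to produce the audience or ACS mismatch errors described under Troubleshooting.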

Step 3 — Upload the Signing Certificate

  1. In Admin Center, navigate back to the SAML provider and click Edit.
  2. In the Certificate field, click Manage Files and upload the .pem, .cer, or .crt certificate downloaded from your IdP.
  3. Click Save.

⚠️ Warning: Uploading a new certificate file replaces the existing one, so there is no grace period during which both the old and the new IdP certificate are accepted. The change takes effect immediately and affects active SSO sessions; coordinate the upload with the moment your IdP switches to the new signing certificate.

Step 4 — Enable for Applications

By default, the new provider is not linked to any application.

  1. On the Identity Providers list page, click Enable/Disable next to your SAML provider.
  2. Toggle the applications that should use this provider.
  3. Click Save.

Testing the Configuration

  1. Open https://admin-<organisation-name>.discngine.cloud/.
  2. Enter your email address.
  3. If the domain matches a Managed Domain you configured, you will be automatically redirected to the IdP.
  4. Otherwise, click the SSO button (e.g. Login with Okta) to be redirected.
  5. Authenticate with your IdP credentials.
  6. After successful authentication, you will be redirected back to Discngine Admin Center.

You can also use the Test button inside the provider form to test the integration before enabling it for users.

Disabling a SAML Identity Provider

⚠️ Warning

Don't lock yourself out! Make sure you have enabled local login for your user before disabling your Identity Providers! To do so: navigate to Users → Edit your user and enable Local Authentication.

You can temporarily disable your SAML provider by either:

  • Clicking the Enable/Disable button in the Identity Providers page for the relevant applications
  • Opening the provider configuration page and toggling the Enabled switch

After disabling, users who previously authenticated via this provider can only log in if they have a local password set.

Troubleshooting

Login button doesn't appear

  • Verify the provider Enabled toggle is on.
  • Verify the provider has been enabled for the relevant application via the Enable/Disable button.

"User not found" or authentication fails

  • Ensure the email claim configured in Admin Center matches the attribute sent by your IdP.
  • For Azure AD, the email claim should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  • Verify the user exists in Admin Center with the same email address as in your IdP.

Certificate error / signature validation fails

  • Check that the uploaded certificate matches the one currently active in your IdP (compare the certificate shown in the IdP's SAML signing section, or its fingerprint, with the file you uploaded).
  • Some IdPs rotate signing certificates. After a rotation the responses are signed with the new certificate, and you need to upload the new certificate in Admin Center.

Redirect URI / ACS URL mismatch

  • Confirm the Reply URL registered in your IdP exactly matches: https://account-dac.discngine.cloud/samlv2/acs
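The three failure modes above (email claim not found, signature validation failing after a certificate rotation, and an ACS URL mismatch) can all be confirmed from a single SAMLResponse captured in the browser (the base64 form field the IdP POSTs to the Reply URL, visible in the browser's network tools or a SAML tracer extension). The script below is an added diagnostic example, not Discngine code: it decodes the response and compares Destination, Audience, the attribute names and the embedded signing certificate against what is configured in Admin Center. It does not verify the XML signature and does not handle encrypted assertions. The sample response, the tenant-less issuer, the UUID and the "certificate" (placeholder bytes, not real DER) are constructed so the script runs offline; the fingerprint logic is unchanged for a real certificate.

```python
"""Inspect a captured SAMLResponse for the mismatches listed under Troubleshooting.

Added diagnostic example, not Discngine code. Reads Destination, Audience, NameID,
attribute names and the fingerprint of the signing certificate in the response;
does NOT verify the signature and does not handle encrypted assertions."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
AZURE_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EXPECTED_ACS = "https://account-dac.discngine.cloud/samlv2/acs"
# Constructed placeholder UUID; copy the real Entity ID from the provider form.
EXPECTED_ENTITY_ID = "https://account-dac.discngine.cloud/samlv2/sp/00000000-0000-4000-8000-000000000000"


def _sha256_of_b64_der(b64_text: str) -> str:
    """SHA-256 fingerprint of a base64 (PEM body or XML) DER certificate."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def pem_sha256(pem_text: str) -> str:
    """Fingerprint of the .pem/.cer/.crt file uploaded in Admin Center."""
    body = "\n".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return _sha256_of_b64_der(body)


def inspect_saml_response(saml_response_b64: str) -> Dict:
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion in the Response")
    info = {
        "destination": root.get("Destination"),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS).strip(),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", "", NS).strip(),
        "attributes": {},
        "signing_cert_sha256": None,
    }
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        info["attributes"][attr.get("Name")] = [v.text.strip() for v in values if v.text]
    # The signature (and its certificate) may sit on the Response or on the Assertion.
    cert = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text:
        info["signing_cert_sha256"] = _sha256_of_b64_der(cert.text)
    return info


def diagnose(info: Dict, expected_acs: str, expected_entity_id: str,
             email_claim: Optional[str], uploaded_pem: Optional[str]) -> List[str]:
    """One line per mismatch; an empty list means the response matches the configuration."""
    problems = []
    if info["destination"] != expected_acs:
        problems.append(f"Destination {info['destination']!r} != Reply URL {expected_acs!r}")
    if info["audience"] != expected_entity_id:
        problems.append(f"Audience {info['audience']!r} != Entity ID {expected_entity_id!r}")
    if email_claim and email_claim not in info["attributes"]:
        problems.append(f"Email Claim {email_claim!r} not in attributes {sorted(info['attributes'])}")
    if not email_claim and "@" not in info["name_id"]:
        problems.append(f"no Email Claim set and NameID {info['name_id']!r} is not an email address")
    if uploaded_pem and info["signing_cert_sha256"] and pem_sha256(uploaded_pem) != info["signing_cert_sha256"]:
        problems.append("signing certificate in the response differs from the uploaded one (rotated?)")
    return problems


# Constructed sample: placeholder certificate bytes (not real DER) so the fingerprint
# comparison runs offline; the rest mirrors an Azure AD response for the Admin Center SP.
_PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_PLACEHOLDER_CERT_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{EXPECTED_ACS}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AZURE_EMAIL_CLAIM}">
        <saml:AttributeValue>alice@yourdomain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    parsed = inspect_saml_response(SAMPLE_RESPONSE_B64)
    report = diagnose(parsed, EXPECTED_ACS, EXPECTED_ENTITY_ID, AZURE_EMAIL_CLAIM, SAMPLE_PEM)
    print("\n".join(report) if report else "response matches the configuration")
```

Run it against a real capture by replacing SAMPLE_RESPONSE_B64 with the SAMLResponse value from the browser and SAMPLE_PEM with the contents of the file you uploaded in Step 3. If "Email Claim ... not in attributes" is reported, the list printed alongside it contains the exact attribute names your IdP sends, which is what the Email Claim field must match; if the certificate differs, the IdP has rotated its signing certificate and the new one must be uploaded.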

Managed Domain redirect not working

  • Verify the email domain entered in Managed Domain matches the domain of users' email addresses exactly (e.g. yourdomain.com, not @yourdomain.com).
