SAML SSO System Requirements
System requirements for using SAML single sign‑on and single logout with Foundry
Overview
This article outlines the system requirements for using Foundry Single Sign‑On (SSO) and, optionally, Single Logout (SLO) with your organization.
In this configuration:
- Your organization acts as the SAML Identity Provider (IdP)
- Foundry acts as the SAML Service Provider (SP)
The requirements below apply to standard SAML integrations used with ComplyEQ courses delivered through Foundry.
Definitions
Identity and Access Management (IAM) Solution
The system your organization uses to manage users and control access to third‑party applications.
Identity Provider (IdP)
A system that authenticates users and manages identity information. The IdP provides authentication services to applications such as Foundry.
Service Provider (SP)
An application, such as Foundry, that relies on the IdP to authenticate users.
SAML 2.0
Security Assertion Markup Language, an XML‑based standard that lets a service provider authenticate users through an identity provider.
SAML 2.0 Protocol Requirement
Your IAM system must support the SAML 2.0 protocol.
Single Sign‑On Requirements
Your IAM system must be able to act as an identity provider that supports one or both of the following SSO methods:
- SP‑initiated SSO: accepts a SAML AuthnRequest from Foundry and returns a SAML Response
- IdP‑initiated SSO: sends a SAML Response directly to Foundry
Important:
Foundry stores only one signing certificate for your IdP, so it cannot accept Responses signed by a second certificate during an overlapping rollover. If your IdP rotates certificates (for example, by publishing both the old and the new certificate during a transition), update the certificate in Foundry and switch your IdP to signing with the new certificate at the same time to avoid SSO interruptions.
Service Provider AuthnRequest Requirements
To support SP‑initiated SSO, your IdP must meet the following requirements (this is the SAML HTTP‑Redirect binding):
- Provide an SSO URL that accepts HTTP GET requests
- Accept a SAML AuthnRequest passed as an encoded query string parameter (SAMLRequest)
- Support long query strings, since signed requests can be lengthy
Foundry does not support sending AuthnRequest messages using HTTP POST (the HTTP‑POST binding).
Foundry signs AuthnRequest messages using:
- SHA‑256 (preferred), or
- SHA‑1 (only for IdPs that cannot verify SHA‑256)
If your IdP verifies signatures, it must support one of these algorithms. Use SHA‑256 wherever your IdP allows it; SHA‑1 is deprecated for digital signatures and is offered only for compatibility.
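The encoding and signing side of this binding, as an added example that is not Foundry's code: it builds the HTTP‑Redirect URL the SP sends (DEFLATE, base64, URL‑encode, then sign the SAMLRequest/RelayState/SigAlg string) and the IdP‑side receiver that verifies over the raw query values before inflating the request. The IdP URL, SP URLs, request contents and key are constructed; the HMAC signer is a stand‑in for the SP's RSA private key so the example runs offline, and does not produce a valid SAML signature.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib

# Signature algorithm URIs carried in the SigAlg parameter (XML-DSig identifiers)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
_HASHES = {RSA_SHA256: hashlib.sha256, RSA_SHA1: hashlib.sha1}

# Constructed AuthnRequest; the SP URLs are placeholders, not Foundry's.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01" '
    'Version="2.0" IssueInstant="2024-05-01T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml):
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def signed_string(encoded_request, relay_state, sig_alg):
    """The exact octets the signature covers: URL-encoded values, in this fixed order."""
    parts = [("SAMLRequest", encoded_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urllib.parse.urlencode(parts)


def build_redirect_url(sso_url, authn_xml, signer, sig_alg=RSA_SHA256, relay_state=None):
    """SP side: the GET URL the browser is redirected to."""
    to_sign = signed_string(deflate_b64(authn_xml), relay_state, sig_alg)
    sig = base64.b64encode(signer(to_sign.encode(), sig_alg)).decode()
    query = to_sign + "&" + urllib.parse.urlencode({"Signature": sig})
    sep = "&" if urllib.parse.urlparse(sso_url).query else "?"
    return sso_url + sep + query


def receive_redirect(url, verifier):
    """IdP side: verify over the raw (still URL-encoded) values, then inflate.

    Re-encoding the values before verifying is a classic bug: different encoders
    escape different characters, so the rebuilt string would no longer match.
    """
    raw = dict(p.split("=", 1) for p in urllib.parse.urlparse(url).query.split("&"))
    if "Signature" not in raw:
        raise ValueError("AuthnRequest is not signed")
    keys = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw]
    to_verify = "&".join(f"{k}={raw[k]}" for k in keys)
    sig_alg = urllib.parse.unquote_plus(raw["SigAlg"])
    signature = base64.b64decode(urllib.parse.unquote_plus(raw["Signature"]))
    if not verifier(to_verify.encode(), signature, sig_alg):
        raise ValueError("AuthnRequest signature invalid")
    return inflate_b64(urllib.parse.unquote_plus(raw["SAMLRequest"]))


# Stand-in signer: keyed HMAC so the example runs offline. A real SP signs with
# its RSA private key (PKCS#1 v1.5 over the hash named by SigAlg) and the IdP
# verifies with the certificate from the SP's metadata.
STANDIN_KEY = b"constructed-demo-key-not-a-real-secret"


def standin_sign(data, sig_alg):
    return hmac.new(STANDIN_KEY, data, _HASHES[sig_alg]).digest()


def standin_verify(data, signature, sig_alg):
    if sig_alg not in _HASHES:           # reject unknown algorithms outright
        return False
    return hmac.compare_digest(standin_sign(data, sig_alg), signature)


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.org/sso", AUTHN_REQUEST,
                             standin_sign, relay_state="course-42")
    print(len(url), "characters in the redirect URL; signed requests are long")
    print(receive_redirect(url, standin_verify) == AUTHN_REQUEST)
```

Even this minimal request yields a URL of several hundred characters once deflated, base64‑encoded, URL‑escaped and signed, which is why the IdP's SSO endpoint must tolerate long query strings; production requests carry more attributes and a 256‑byte RSA signature, so they are longer still.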
Identity Provider SAML Response Requirements
Your IdP’s SAML Response sent to Foundry must meet the following criteria:
- The Response must be digitally signed using your IdP’s certificate
- The Assertion within the Response must also be signed using the same certificate
- The Assertion must include a Subject with a NameID
- Any NameID format is accepted except transient (a transient identifier changes per session, so it cannot be matched to a Foundry user)
- The NameID value is matched against the user's Foundry SSO ID; the match is case sensitive
Encryption of the Assertion is optional. If you choose to encrypt it, encrypt it to Foundry's X.509 certificate, since only the matching private key held by Foundry can decrypt it.
Attributes and Just‑In‑Time Provisioning
Attributes are optional unless you want to enable just‑in‑time (JIT) user creation during SSO.
For JIT provisioning, include attributes for:
- First name
- Last name
Optional attributes include:
- Location
- User type
- Role (for example, supervisor or non‑supervisor)
Time Conditions and Clock Synchronization
The SAML Assertion's Conditions element may include NotBefore and/or NotOnOrAfter attributes.
- Foundry enforces these conditions
- A 2‑second grace period is applied to absorb clock drift between your IdP and Foundry
- Foundry's system clock is synchronized using Network Time Protocol (NTP); keep your IdP's clock NTP‑synchronized as well, since drift beyond the grace period causes otherwise valid assertions to be rejected
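Putting the Response, NameID and time‑condition requirements above together, as an added example that is not Foundry's code: a preflight check an SP could run on an IdP's SAML Response before handing it to a SAML library for cryptographic XML‑DSig verification, which this example deliberately does not perform. The Response, certificate text and attribute names (firstName, lastName) are constructed, and the Signature elements are abbreviated to their KeyInfo because only certificate binding is checked here.

```python
import datetime as dt
import xml.etree.ElementTree as ET   # production code should parse with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
GRACE = dt.timedelta(seconds=2)      # clock-drift allowance stated on the page

# Constructed sample: one IdP certificate text used for both signatures.
# SignedInfo/SignatureValue are omitted because this check does not verify them.
CERT = "CONSTRUCTED-PLACEHOLDER-CERT-BODY-AQAB"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">JDoe@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """SAML times are UTC ISO 8601 ending in Z; return an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(conditions, now):
    """Enforce NotBefore / NotOnOrAfter, each relaxed by the 2-second grace period."""
    problems = []
    if conditions is None:
        return problems
    nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if nb and now + GRACE < _ts(nb):
        problems.append("assertion not yet valid (NotBefore)")
    if noa and now - GRACE >= _ts(noa):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


def _cert_of(signature):
    cert = signature.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return "".join(cert.text.split()) if cert is not None and cert.text else None


def preflight(response_xml, expected_sso_id, now_iso):
    """Return the list of requirement violations; an empty list means pass."""
    root = ET.fromstring(response_xml)
    now = _ts(now_iso)
    problems = []
    resp_sig = root.find("ds:Signature", NS)
    if resp_sig is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion must be decrypted with the SP key first)")
        return problems
    asn_sig = assertion.find("ds:Signature", NS)
    if asn_sig is None:
        problems.append("Assertion is not signed")
    elif resp_sig is not None and _cert_of(resp_sig) != _cert_of(asn_sig):
        problems.append("Response and Assertion signed with different certificates")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        problems.append("Subject/NameID missing")
    else:
        if name_id.get("Format") == TRANSIENT:
            problems.append("transient NameID format is not supported")
        if value != expected_sso_id:            # exact, case-sensitive comparison
            problems.append("NameID does not match the user's Foundry SSO ID")
    problems += check_conditions(assertion.find("saml:Conditions", NS), now)
    return problems


def jit_attributes(response_xml):
    """Collect attributes for just-in-time provisioning (names are assumed here)."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


if __name__ == "__main__":
    print(preflight(SAMPLE_RESPONSE, "JDoe@example.org", "2024-05-01T12:00:00Z"))
    print(preflight(SAMPLE_RESPONSE, "jdoe@example.org", "2024-05-01T12:05:02Z"))
    print(jit_attributes(SAMPLE_RESPONSE))
```

The checks are structural on purpose: whether each signature actually verifies, whether the signed element is the one being consumed (a well‑known class of SAML bypass when a library checks the wrong element), and whether the certificate is the one registered for the IdP are the SAML library's job and must not be skipped. Running this preflight first only makes misconfigurations such as a transient NameID, a mismatched certificate after a rotation, or a drifting IdP clock show up as a clear message rather than a generic signature failure.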