FOIAXpress Collaboration SAML SSO Login


About Collaboration SAML SSO Login Configuration

This manual is designed to assist administrators in configuring SAML SSO login for FOIAXpress Collaboration. It covers the following information:  

  1. Updating the Assertion URL (new for v11.7.0 and up)

  2. FOIAXpress Collaboration SAML SSO Configuration

  3. Retrieving the Service Provider Metadata File

Update Assertion URL

Follow the steps in this section to update the Assertion URL. This is required when upgrading from any version below 11.7.2.

NOTE: If the application is already on 11.7.2 or up, an assertion URL update is not required.

  1. The customer must first obtain and provide their Identity Provider Metadata from their identity provider. This must be provided as either an XML file or a URL.

  2. Next, confirm or update the Identity Provider Certificate in SAML Configuration. This must be confirmed, otherwise SAML authentication will fail. Open the provided metadata file and locate the signing certificate in X.509 format, as highlighted below:

XML document displaying SAML metadata with highlighted certificate information and key descriptors.

  3. You’ll use this value to create a certificate. Follow these steps:

    1. Copy the full text following <X509Certificate> (highlighted in yellow below):

Highlighted X.509 certificate data in XML format for secure communications.

    2. Open Notepad, then paste the copied certificate text into a new Notepad document.

    3. Paste the following at the beginning, then hit Enter to add a line break:

-----BEGIN CERTIFICATE-----

    4. Add another line break at the end, then paste the following on the new line:

-----END CERTIFICATE-----

    5. It should look like the example below. Save the file with a .cer file extension.

Certificate text displaying encoded information between BEGIN and END CERTIFICATE markers.

  4. Save the .cer file in a location that is accessible by the FX application.

  5. Open the FOIAXpress Database Configuration tool, select the Sign-On Mode tab, then paste the file name (if placed within the application folder) or the full path in the Partner Certificate File field:

Configuration screen for SAML SSO with highlighted Partner Certificate File field.

  6. Update the Assertion Service URL. If you are upgrading from version 11.5.4 or under, you need to update the assertion URL after the upgrade. See Section 1.2.1 in the v11.7.0 Release Notes for details.

  7. You must request that the customer’s SAML identity provider update the assertion URL on their end. The identity provider team can update the assertion URL on their end during or after an upgrade.

NOTE: If you see the following error message, it is likely due to an incorrect identity provider certificate.

Error message indicating SAML assertion verification failure and unsigned response.
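The copy-from-metadata-and-wrap-in-Notepad procedure above can be automated. The script below is an added example, not FOIAXpress code: it reads the IdP metadata, picks the KeyDescriptor with use="signing" (skipping encryption keys), and emits the BEGIN/END CERTIFICATE armour the .cer file needs. The metadata is constructed and the certificate body is a tiny DER placeholder, not a real X.509 certificate.

```python
"""Build the IdP .cer file from SAML metadata (added example, not FOIAXpress code).
The metadata is constructed; the certificate body is a placeholder DER SEQUENCE."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata: the encryption key is listed before the signing key,
# so grabbing the first <X509Certificate> would pick the wrong certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAMCAQI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MAMCAQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_signing_cert(metadata_xml: str) -> str:
    """Return the Base64 body of the IdP signing certificate, whitespace removed.
    A KeyDescriptor with no 'use' attribute serves both purposes, so it is accepted."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return "".join(cert.text.split())
    raise ValueError("no signing X509Certificate found in metadata")


def to_pem(b64_body: str) -> str:
    """Wrap the body in BEGIN/END CERTIFICATE armour, folded at 64 columns."""
    der = base64.b64decode(b64_body, validate=True)   # rejects a corrupted copy/paste
    if not der or der[0] != 0x30:                     # an X.509 cert is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64_body, 64))
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(to_pem(extract_signing_cert(SAMPLE_METADATA)), end="")
```

Write the printed text to a file with a .cer extension and point the Partner Certificate File field at it, as in steps 4 and 5.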

Collaboration SAML SSO Configuration

To complete the FOIAXpress Collaboration configuration for SAML SSO:

  1. Login to the Collaboration application server

  2. Run the Collaboration Database Configuration tool as an Administrator

  3. Configure the database connection. If you have already configured the database connection, then save the existing database setting

  4. Click the Sign-On Mode tab at the top menu bar and select SAML SSO

Dropdown menu displaying the sign-on mode option for SAML SSO authentication.

  5. Enter the Service Provider details for the relying party identifier. These are shown below and described in the following table:

Form fields for Service Provider details including Entity ID and Certificate information.

Entity ID

  Enter the Service Provider Entity ID. A FOIAXpress team lead can define this using one of two approaches:

  • Use the Collaboration application URL or domain name (recommended). Avoid certain characters in the entity ID: the URL should not include a port number, query string, fragment identifier, ampersand (&), or URN, and the host part of the URL should not contain the substring "www".

  • Use a unique name. The entity ID should be a globally unique name that identifies the service provider in the SSO process. You can use the OrganizationApplicationNameEnvironmentType format, for example casepointCollaborationProd or casepointCollaborationTest.

Assertion Service URL

  Enter the URL below, replacing <<DNS>> with your organization’s Collaboration URL:

  https://<<DNS>>/FOIAXpressCollab/AssertionConsumerService.aspx

  For example, if your Collaboration application URL is https://myDns/FOIAXpressCollab, then the assertion URL value for this field would be https://myDns/FOIAXpressCollab/AssertionConsumerService.aspx

  Note: The Assertion Service URL was updated for v11.7.0. If you are upgrading from a version below v11.7.0, you must update the value for Service Provider Assertion URL in SAML Configuration through the Database Configuration tool. You must also inform your Identity Provider about this change so they can record the updated assertion URL. See Section 2 for steps to update the URL.

Certificate File

  Full file path of the Service Provider certificate (.pfx) file.

Certificate Password

  Password of the Service Provider certificate (if you entered a path in the Certificate File field).

Certificate Serial Number

  Serial number of the Service Provider certificate.

NOTE: You need to provide either the certificate file or the certificate’s serial number. Make sure the application has permission to read the private key from the certificate file.

  6. Enter the Identity Provider values (SAML SSO Identity Provider) in the corresponding fields. These are shown below and described in the following table:

Form fields for configuring an Identity Provider with various service URLs and options.

Partner Identity Provider

  Partner Identity Provider’s name/entityId (Required)

Single Sign On Service URL

  Single Sign On Service URL (Required)

Single Logout Service URL

  This is an optional field. If you configure the URL, the application will redirect to it once the user signs out or the user’s session times out.

Partner Certificate File

  Full path of the certificate provided by the Identity Provider (Required)

  7. Select the remaining checkboxes as needed depending on your configuration requirements.

Configuration options for SAML SSO sign-on mode with various checkbox selections.

  8. Click Save.

  9. Copy the .CER file into the configured location. Follow steps 3-5 in the Update Assertion URL section to configure the partner certificate file.

Service Provider Metadata File

Generate Service Provider Metadata File

Follow the steps below to generate the Service Provider Metadata file:

  1. First, have the pfx file ready (as used in the previous section)

  2. Export the public certificate (.cer file) from the pfx in Base64 format (you can use OpenSSL, or do it from the Certificate Management Console using the steps in the next section)

  3. If you are preparing metadata for existing configuration then you will need to collect the following details from your current configuration:

    1. Assertion URL (if you are upgrading from v11.5.4 or earlier, the assertion URL has changed)

    2. Service Provider Name (first text field)

    3. Want Authentication Request Signed (checkbox)

    4. Want Assertion Signed (checkbox)

  4. Go to the SAML Service Provider (SP) Metadata XML Builder and provide your information to generate an XML file

  5. Provide the generated XML file to your Identity Provider
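Steps 1-4 collect exactly the inputs an SP metadata document needs, and the Entity ID table earlier on this page lists the constraints the value has to satisfy. The script below is an added example, not FOIAXpress code and not the "SP Metadata XML Builder" the page refers to: it validates the Entity ID against those rules, derives the assertion URL from the Collaboration URL, and emits the SPSSODescriptor with the two signing flags. SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
"""Generate SP metadata for FOIAXpress Collaboration after checking the Entity ID rules.
Added example, not the page's 'SP Metadata XML Builder'; SAMPLE_PEM is a placeholder."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"  # constructed


def validate_entity_id(entity_id: str) -> None:
    """Apply the page's rules: no port, query, fragment, '&', URN, or 'www' in the host."""
    if not entity_id or "&" in entity_id or entity_id.lower().startswith("urn:"):
        raise ValueError("entity ID must not be a URN or contain '&'")
    if "://" not in entity_id:
        return                        # unique-name form, e.g. casepointCollaborationProd
    u = urlsplit(entity_id)
    if u.port is not None or u.query or u.fragment:
        raise ValueError("URL entity ID must have no port, query string or fragment")
    if "www" in (u.hostname or ""):
        raise ValueError("URL entity ID host must not contain 'www'")


def pem_body(pem: str) -> str:
    """Metadata carries only the Base64 body; strip the BEGIN/END armour."""
    return "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))


def build_sp_metadata(entity_id: str, collab_url: str, cert_pem: str,
                      sign_requests: bool, want_assertions_signed: bool) -> str:
    """Return SP metadata XML; the ACS URL is derived from the Collaboration URL."""
    validate_entity_id(entity_id)
    acs_url = collab_url.rstrip("/") + "/AssertionConsumerService.aspx"
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       AuthnRequestsSigned=str(sign_requests).lower(),
                       WantAssertionsSigned=str(want_assertions_signed).lower(),
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_body(cert_pem)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", index="0",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", Location=acs_url)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_sp_metadata("casepointCollaborationProd", "https://myDns/FOIAXpressCollab",
                            SAMPLE_PEM, True, True))
```

The Base64 body passed in must be the .cer exported from the SP pfx (step 2), never the private key.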

Retrieve .cer via Certificate Management Console

Follow these steps to retrieve a .cer file from pfx through the Certificate Management Console:

Note: This requires that the pfx is installed in the system.  

  1. Go to Certificate Management Console  

  2. Select the cert (pfx), then right-click and select All Tasks > Export

  3. Select Public key only (no private key)

  4. Select Base 64 format