About SAML Login and Proof of Identity Configuration
The FOIAXpress PAL SAML Login and Proof of Identity Configuration manual was created to assist administrators when configuring the SAML Login and Proof of Identity Verification features. This document explains how to complete the PAL SAML Configuration and the Proof of Identity Configuration, and how to create the PFX certificate that the PAL SAML Configuration requires.
The Public Access Link (PAL) uses forms authentication by default. If an agency needs to enable Security Assertion Markup Language (SAML) authentication for requester login, the system can be configured with your identity provider (IDP) details by following the directions in this section. PAL can also be configured to provide Proof of Identity verification with identity providers such as Login.gov.
NOTE: The Assertion Consumer URLs for PAL Requester Login and for Proof of Identity are different. Consult the Assertion Consumer URL row of the Service Provider table in the PAL SAML Configuration Tool section of this document for additional information.
Ensure you have the Personal Information Exchange (PFX) file and its public certificate ready as well. The PFX file contains the private key and is provided only to PAL SAML Configuration; the corresponding public certificate (public key) is what you upload to the IDP app/account. Consult the Create PFX Certificate section for information on how to create the PFX file and extract its public certificate.
Enable PAL Requester Login Using SAML SSO
Follow the steps below to enable PAL requester login using SAML authentication:
NOTE: To configure SAML SSO from PAL Configuration, the PAL Configuration application must have Full Control permission on the PAL application folder. If this is not possible, use the PAL SAML Configuration Tool instead.
Log in to PAL Configuration, and access Authentication in the left-hand menu
Select the SAML SSO radio button

First select the Purpose of SAML Configuration (Sign In or Proof of Identity)
Enter the Service Provider details as outlined below

Field | Description |
Issuer | Enter the Service Provider Entity ID. This is the unique ID/name that identifies PAL (the service provider) to your identity provider, and it must match the entity ID registered in the IDP app/account. (!!) Note: This is case-sensitive. |
Assertion Consumer URL | Replace "mypal" in the URLs below with your PAL hostname. For PAL Login, enter https://mypal/App/AssertionConsumerService.aspx For Proof of Identity, enter |
Signature Certificate/Encryption Certificate | Use the PFX file that you have ready for SAML use, as mentioned at the beginning of this document. (!!) Note: This PFX file must correspond to the public certificate you uploaded in your Identity Provider account. If you are using a different public certificate in your Identity Provider account, extract the public certificate from this PFX file and replace the certificate in the Identity Provider account with it. Enter the password for the PFX file in the Signature Certificate Password/Encryption Certificate Password fields. Also provide the IDP Entity ID/Issuer URL. |
Next, enter the Identity Provider details

Field | Description |
IDP Entity ID/Issuer URL, SAML SSO URL, SAML SLO URL | To be provided by IDP. (!!) Notes: |
SAML SSO URL Binding Type | To be provided by IDP if required. |
Name ID Format | To be provided by IDP if required. |
Authentication Context | To be provided by IDP if required. |
Authentication Context Comparison | To be provided by IDP if required. |
4. Once that is complete, fill in the Certificates fields, as shown below and detailed in the following table:
Field | Description |
Signature Certificate Text | To be provided by IDP. |
Encryption Certificate Text | To be provided by IDP (same as Signature Certificate Text). (!!) Note: For some IDPs the X.509 certificate text has to be updated each year, and the sandbox and production certificates may not be the same. |
Certificate Path | We recommend using Signature Certificate Text and Encryption Certificate Text and skipping this field. For Login.gov, the IDP X.509 certificate can be found at the following URL: https://developers.login.gov/saml/ |
The five checkboxes (Sign Authentication Request, Want SAML Response Signed, Want Assertion Signed, Want Assertion Encrypted, Encrypt Logout Name ID) should remain unchecked, which is the default setting. If the identity provider offers a single logout service, the Single Logout Request and Single Logout Response checkboxes must be checked.

When all fields are complete, move on to the SAML Field Mapping section. Here, you can add or delete fields based on the attributes/return values you selected in your IDP entity app settings. The First Name, Last Name, Email, and Login fields are mandatory and cannot be removed. All three columns (Provider Field, PAL Field, and Description) are required when adding a new SAML field in Mappings.
NOTE: The Provider Field for the "Email" and "Login" PAL Fields is the same.

Column | Description |
PAL Field (Proof of Identity) | The PAL Field column contains labels for the corresponding Provider Fields that display in the Proof of Identity attachment. For Proof of Identity, the selected fields are displayed in the verification document provided with the request submission to FOIAXpress/ATIPXpress. The attachment is automatically added to the Proof of Identity attachment area and is available in the Correspondence Log of the request. |
PAL Field (Login) | PAL Fields are the labels for the corresponding Provider Fields that are displayed on the SAML Requester Registration page for a new requester (a requester whose email doesn't exist in PAL). |
Provider Field | Provider Fields are the corresponding IDP attribute names for the requester's details, such as first name, last name, address 1, and country. |
Description | Description of the mapped field. |
NOTE: For Social Security number, the field will be masked only if the PAL Field is named "SSN", "Social Security", or "Social Security Number".
Once all the required fields are complete, click Save to save the settings.
Enable Proof of Identity Verification in PAL
Review the following identity provider prerequisites if you are enabling PAL to support proof of identity verification.
Configure your IDP entity account(s). You cannot use the same account for PAL login and for Proof of Identity Configuration.
Set up your sandbox environment (see your provider's instructions; some providers allow you to set up the environment yourself, while other providers perform the setup on your behalf).
When enabling Proof of Identity Verification in PAL, you can use either level 1 or level 2 assurance for login; however, level 2 is required for Proof of Identity Verification. Ensure that the assertion URL in your Identity Provider entity settings matches the Proof of Identity Assertion Consumer URL given in the Service Provider table of the PAL SAML Configuration Tool section.
Follow the steps below to enable proof of identity verification in PAL:
1. Log in to PAL Configuration and select Request Fields in the left-hand menu
Locate the Proof of Identity Mode request field and select Digital Authentication or Upload Attachment/Digital Authentication from the drop-down list within the Default column

Scroll down and click Save
PAL SAML Configuration Tool
Follow the steps below to use the PAL SAML Configuration Tool:
Navigate to the PAL Application Server
Search for SAML in the Windows search box, then select the tool once located
a. Alternatively, navigate to the PAL Setup folder, open the PAL.WebApp folder, and in the bin folder locate the application file "FOIAXpress.Utilities.SamlConfig"
Right-click the SAML Configuration Tool and select Run as administrator
The SAML Configuration interface appears as shown below. Select either Login or Proof of Identity from the SAML Using For drop-down list

Next, configure the Service Provider information, as shown below and detailed in the following table

Field | Description |
Issuer | Enter the Service Provider Entity ID. This is the unique ID/name that identifies PAL (the service provider) to your identity provider, and it must match the entity ID registered in the IDP app/account. NOTE: This is case-sensitive. |
Assertion Consumer URL | Replace "mypal" in the URLs below with your PAL hostname. For PAL Login, enter https://mypal/App/AssertionConsumerService.aspx For Proof of Identity, enter |
Signature Certificate/Encryption Certificate | Use the PFX file that you have ready for SAML use, as mentioned at the beginning of this document. NOTE: This PFX file must correspond to the public certificate you uploaded in your Identity Provider account. If you are using a different public certificate in your Identity Provider account, extract the public certificate from this PFX file and replace the certificate in the Identity Provider account with it. Enter the password for the PFX file in the Signature Certificate Password/Encryption Certificate Password fields. Also provide the IDP Entity ID/Issuer URL. |
4. Next, complete the required Identity Provider fields, as shown below and described in the following table:

Field | Description |
IDP Entity ID/Issuer URL, SAML SSO URL, SAML SLO URL | To be provided by IDP. (!!) Notes: |
SAML SSO URL Binding Type | To be provided by IDP if required. |
Name ID Format | To be provided by IDP if required. |
Authentication Context | To be provided by IDP if required. |
Authentication Context Comparison | To be provided by IDP if required. |
5. Once that is complete, fill in the Certificates fields, as shown below and detailed in the following table:

Field | Description |
Signature Certificate Text | To be provided by IDP. |
Encryption Certificate Text | To be provided by IDP (same as Signature Certificate Text). (!!) Note: For some IDPs the X.509 certificate text has to be updated each year, and the sandbox and production certificates may not be the same. |
Certificate Path | We recommend using Signature Certificate Text and Encryption Certificate Text and skipping this field. For Login.gov, the IDP X.509 certificate can be found at the following URL: https://developers.login.gov/saml/ |
The five checkboxes (Sign Authentication Request, Want SAML Response Signed, Want Assertion Signed, Want Assertion Encrypted, Encrypt Logout Name ID) should remain unchecked, which is the default setting. If the identity provider offers a single logout service, the Single Logout Request and Single Logout Response checkboxes must be checked.

When all fields are complete, move on to the SAML Field Mapping section. Here, you can add or delete fields based on the attributes/return values you selected in your IDP entity app settings. The First Name, Last Name, Email, and Login fields are mandatory and cannot be removed. All three columns (Provider Field, PAL Field, and Description) are required when adding a new SAML field in Mappings.
NOTE: The Provider Field for the "Email" and "Login" PAL Fields is the same.
Column | Description |
PAL Field (Proof of Identity) | The PAL Field column contains labels for the corresponding Provider Fields that display in the Proof of Identity attachment. For Proof of Identity, the selected fields are displayed in the verification document provided with the request submission to FOIAXpress/ATIPXpress. The attachment is automatically added to the Proof of Identity attachment area and is available in the Correspondence Log of the request. |
PAL Field (Login) | PAL Fields are the labels for the corresponding Provider Fields that are displayed on the SAML Requester Registration page for a new requester (a requester whose email doesn't exist in PAL). |
Provider Field | Provider Fields are the corresponding IDP attribute names for the requester's details, such as first name, last name, address 1, and country. |
Description | Description of the mapped field. |
NOTE: For Social Security number, the field will be masked only if the PAL Field is named "SSN", "Social Security", or "Social Security Number".
Once all the required fields are complete, click Save to save the settings.
NOTE: If using forms authentication, you'll need to provide dummy data for the Proof of Identity settings options, even if these settings are not being used.
For login.gov, please visit https://developers.login.gov/ for all details about identity provider fields.
Create PFX Certificate
For first-time setup, follow the steps below to create a PFX certificate file and extract a public key from the PFX file using OpenSSL.
Open IIS Manager and click the server node
In the IIS section, double-click Server Certificates

In the top right corner, click Create Self-Signed certificate

A pop-up window appears where you can Specify a friendly name for the certificate in the field provided
Next, select Personal from the Select a certificate store dropdown

Now that the certificate is created, you can export it into the PAL folder. Open Manage Computer Certificates (located in the Control Panel or found by using the Windows search feature)
In the Manage Computer Certificates window, expand Personal and then click Certificates
From the list of certificates, locate your certificate using the friendly name provided
Right click the Certificate, select All Tasks, and then select Export
In the new pop-up window, click Next to continue
Under Export Private Key, select Yes, export the private key and click Next
Under Export File Format:
Select Personal Information Exchange (PFX)
Uncheck "Delete the private key if the export is successful"
Check all other options, then click Next
Under Security, check Password and type the password for your certificate. (!!) Note: You will need this password in order to use the certificate, i.e., in the SAML Configuration Tool and when extracting the public certificate. Treat the PFX file and its password as secrets: together they are the private key PAL signs with
For Encryption, select AES256-SHA256, then click Next
Under File to Export, click Browse and choose your certificate location. We recommend putting the certificate in the PAL folder where your PAL web.config is located
Type in your certificate name and click Next. Once the process is complete, Click Finish
Now you have a PFX certificate ready for use as the SAML Service Provider certificate. Next, we derive the public certificate from this PFX file. Remember that the certificate containing the public key, which we upload to login.gov, must be extracted from the same PFX file that we use in the SAML Configuration Tool; otherwise the IDP cannot validate PAL's signatures
To create the public certificate, install OpenSSL on your computer and then open the command prompt by typing "cmd" in Windows search
Go to your PFX file location (type cd full_path_of_pfx_folder) and type the following command:
openssl pkcs12 -in your_file_name.pfx -clcerts -nokeys -out give_name_for_cert_public_key.crt
Press Enter and, when prompted, enter the PFX password you set during export. The resulting .crt file contains only the certificate with the public key (no private key) and is what you upload to login.gov
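The following script is an added example, not vendor code from FOIAXpress/PAL or from the manual. It reproduces the Create PFX Certificate procedure above with OpenSSL only (self-signed certificate, AES-256 protected PFX, public certificate extracted with the same pkcs12 command the manual uses), and then adds the two checks a practitioner wants before touching the IDP account: that the extracted certificate really belongs to the private key inside the PFX, and that a certificate pasted into the Signature Certificate Text field (the yearly Login.gov rotation noted in the Certificates table) is not about to expire. The hostname, password and file names are placeholders, and the script assumes a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example (not FOIAXpress/PAL code): build the SAML service-provider
# PFX, extract its public certificate, and verify both sides match.
# PAL_HOST and PFX_PASS are assumed placeholder values.
set -eu

PAL_HOST="mypal.example.gov"        # assumed PAL hostname (placeholder)
PFX_PASS="ChangeMe-PFX-Password"    # assumed PFX export password (placeholder)
WORK="${WORK:-$(mktemp -d)}"        # scratch directory for the generated files

# Self-signed certificate + private key, packaged as a PFX protected with
# AES-256 and a SHA-256 MAC (the OpenSSL equivalent of the IIS export steps).
make_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=$PAL_HOST" \
    -keyout "$WORK/sp.key" -out "$WORK/sp.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/sp.key" -in "$WORK/sp.crt" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout "pass:$PFX_PASS" -out "$WORK/sp.pfx"
  rm -f "$WORK/sp.key"              # only the PFX is kept; it holds the key
  printf '%s\n' "$WORK/sp.pfx"
}

# Public certificate only (no private key), the file uploaded to the IDP.
# Same command as the manual, with the password passed non-interactively.
extract_public_cert() {
  openssl pkcs12 -in "$1" -clcerts -nokeys \
    -passin "pass:$PFX_PASS" -out "$WORK/sp_public.crt"
  printf '%s\n' "$WORK/sp_public.crt"
}

# SHA-256 of the SubjectPublicKeyInfo PEM, taken from a certificate...
pubkey_fingerprint_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}
# ...and derived from the private key inside the PFX.
pubkey_fingerprint_of_pfx() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PFX_PASS" 2>/dev/null \
    | openssl pkey -pubout | openssl sha256 | awk '{print $NF}'
}
# Returns 0 only if the certificate to upload matches the PFX PAL signs with.
pfx_matches_cert() {
  [ "$(pubkey_fingerprint_of_pfx "$1")" = "$(pubkey_fingerprint_of_cert "$2")" ]
}

# Returns 0 if the certificate (e.g. the IDP certificate pasted into
# Signature Certificate Text) stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

if [ "${1:-}" = "run" ]; then
  pfx=$(make_pfx)
  crt=$(extract_public_cert "$pfx")
  pfx_matches_cert "$pfx" "$crt" && echo "public certificate matches the PFX key"
  cert_valid_for_days "$crt" 30 && echo "certificate valid for at least 30 more days"
  openssl x509 -in "$crt" -noout -subject -enddate -fingerprint -sha256
fi
```

Run it as `sh make_sp_cert.sh run`. The fingerprint comparison is the check to repeat whenever either side is changed: if the PFX in the SAML Configuration Tool and the certificate in the IDP account diverge, the IDP will reject PAL's signed messages. The expiry check is worth running against the IDP certificate text you paste into PAL as well, since that certificate is rotated by the provider and the sandbox and production copies differ.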
