FOIAXpress SAML SSO Login

Updated
  • Updated on Feb 18, 2026
  • Published on Jan 29, 2026
  • 4 minute(s) read
Prev Next

1 About SAML Login and Proof of Identity Configuration

The FOIAXpress SAML Login Configuration manual was created to assist administrators when configuring the SAML SSO Login. It covers the following information:

  1. Updating the Assertion URL (new for v11.7.0 and up)

  2. FOIAXpress Configuration for SAML SSO.

  3. Retrieving the Service Provider Metadata File

2 Update Assertion URL

Follow the steps in this section to update Assertion URL in FX. This is required when upgrading to from any version below 11.7.2.

NOTE: If the application is already on 11.7.2 or up, an assertion URL update is not required

  1. The customer must first obtain and provide their Identity Provider Metadata from their identity provider. This just be provided as either an XML file or URL.

  2. Next, weā€™ll confirm or update the Identity Provider Certificate in SAML Configuration. This must be confirmed otherwise SAML authentication will fail. Open the provided metadata file and locate for the signing cert in x.509 format, as highlighted below:

XML document displaying SAML metadata with highlighted certificate information and signature details.

  1. Youā€™ll use this value to create a certificate. Follow these steps:

  1. Copy the full text following <X509Certificate> (highlighted in yellow below):

Highlighted X.509 certificate data in XML format for digital security purposes.

  1. Open Notepad, then paste the copied Certificate text into a new Notepad document.

  2. Paste the following at the beginning then hit Enter to add a line break:

-----BEGIN CERTIFICATE-----

  1. Add another line break at the end, then paste the following on the new line:

-----END CERTIFICATE-----

  1. It should look like the example below. Save the file with a .cer file extension

A close-up of a text Description automatically generated

  1. Save the .cer file in a location that is accessible by the FX application.

  2. Open the FOIAXpress Database Configuration tool, select the Sign-On Mode tab, then paste the file name (if placed within the application folder) or full path in the Partner Certificate File field:

Configuration screen for SAML SSO with highlighted Partner Certificate File field.

  1. Update the Assertion Service URL. If you are upgrading from version 11.5.4 or under, you need to update the assertion URL after upgrade. See Section 1.2.1 in the v11.7.0 Release Notes for details.

  2. You must request that the customerā€™s SAML ID provider update the assertion URL on their end. The ID provider team can update the assertion URL on their end during or after an upgrade.

Note: If you see the following error message, it is likely due to an incorrect identity providerā€™s certificate.

3 FOIAXpress Configuration for SAML SSO

To complete the FOIAXpress Configuration for SAML SSO:

  1. Login to the FOIAXpress application server.

  2. Run the Database Configuration tool as an Administrator.

  3. Configure the database connection. If you have already configured the database connection, then save the existing database setting.

  4. Click the Sign-On Mode tab at the top menu bar and select SAML SSO.

  5. Enter the Service Provider details for the relying party identifier. These are shown below and described in the following table:

Form fields for Service Provider details including Entity ID and Certificate information.

Field

Description

Entity ID

Enter the Service Provider Entity ID. This can be defined by an FOIAXpress team lead using one of two approaches:

  • We recommend using FX application domain name or domain name. Make sure to avoid certain characters in the entity ID. The URL should not include a port number, query string, fragment identifier, ampersand (&), or URN. The host part of the URL should not contain the substring "www".

  • Use a unique name. The entity ID should be a globally unique name that identifies the service provider in the SSO process. You can use OrganizationApplicationNameEnvironmentType format. i.e., casepointFOIAXpressProd, casepointFOIAXpressTest, casepointFOIAXpressProd, casepointFOIAXpressTest

Assertion Service URL

Enter the URL below, replacing <<DNS>> with your

organizationā€™s FOIAXpress URL: https://<<DNS>>/FOIAXpress/AssertionConsumerService.aspx For example, if your FOIAXpress application URL is: https://myDns/FOIAXpress

Then the assertion URL value for this field would be: https://myDns/FOIAXpress/AssertionConsumerService.aspx

Note: The Assertion Service URL was updated for v11.7.0. If you are upgrading from a version below v11.7.0, you must update the value for Service Provider Assertion URL in SAML Configuration through a database configuration tool. You must also inform your Identity Provider about this change so they can record the updated assertion URL. See Section 2 for steps to update the URL

Certificate File

Full file path for Service provider certificate (pfx) file

Field

Description

Certificate Password

Password of the Service provider certificate (if you enter path in the Certificate File field)

Certificate Serial Number

Serial Number of the service provider

NOTE: You need to provide either certificate file or certificateā€™s serial number. Make sure the application has permission to read private key from the certificate file.

  1. Enter the Identity Provider values (SAML SSO Identity Provider) in the corresponding fields. These are shown below and described in the following table:

Form fields for configuring an Identity Provider with service URLs and certificate file.

Field

Description

Partner Identity Provider

Partner Identity Providerā€™s name/entityId (Required)

Single Sign On Service URL

Single Sign On Service URL (Required)

Single Logout Service URL

This is an optional field. If you configure the URL, the application will redirect to this configured URL once user signs out or userā€™s session times out.

Partner Certificate File

Full path for Identity Provider provided certificate (Required)

  1. Select the remaining checkboxes as needed depending on your configuration requirements.

A screenshot of a computer Description automatically generated

  1. Click Save.

  2. Copy and paste the .CER file into the configured location Follow steps 3-5 in the Update Assertion URL section to configure the a partner certificate file.

4 Service Provider Metadata File

4.1 Generate Service Provider Metadata File

Follow the steps below to generate the FX Service Provider Metadata file:

  1. First, have the pfx file ready (as used in the previous section).

  2. Get the public key (.cer file) from pfx in base64 format (you can use OpenSSL, or do it from Certificate Management Console using the steps in the next section)

  3. If you are preparing metadata for existing configuration then you will need to collect the following details from your current configuration:

    1. Assertion URL (if you upgrading from v11.5.4 or earlier, then the assertion URL has changed)

    2. Service Provider Name (first text field)

    3. Want Authentication Request Signed (checkbox)

    4. Want Assertion Signed (checkbox)

  4. Go to the SAML Service Provider (SP) Metadata XML Builder and provide your information to generate an XML file.

  5. Provide the generated XML file to your Identity Provider.

4.2 Retrieve .cer via Certificate Management Console

Follow these steps to retrieve a .cer file from pfx through the Certificate Management Console:

NOTE: This requires that the pfx is installed in the system.

  1. Go to Certificate Management Console

  2. Select the cert (pfx) then right click and select All Tasks > Export.

  3. Select Public key only (no private key).

  4. Select Base 64 format.

Related articles