SAML SSO Login

Updated
  • Updated on Mar 5, 2026
  • Published on Jan 29, 2026
  • 5 minute(s) read
Prev Next

About SAML Login and Proof of Identity Configuration

The ATIPXpress SAML Login Configuration manual was created to assist administrators when configuring the SAML SSO Login. It covers the following information:  

  1. Updating the Assertion URL (new for v11.7.0 and up)

  2. ATIPXpress Configuration for SAML SSO.

  3. Retrieving the Service Provider Metadata File

Update Assertion URL

Follow the steps in this section to update Assertion URL in AX. This is required when upgrading to from any version below 11.7.2.

NOTE: If the application is already on 11.7.2 or up, an assertion URL update is not required

  1. The customer must first obtain and provide their Identity Provider Metadata from their identity provider. This just be provided as either an XML file or URL.

  2. Next, weā€™ll confirm or update the Identity Provider Certificate in SAML Configuration. This must be confirmed otherwise SAML authentication will fail. Open the provided metadata file and locate for the signing cert in x.509 format, as highlighted below:

 

  1. Youā€™ll use this value to create a certificate. Follow these steps:  

System Data Services

  1. Copy the full text following <X509Certificate> (highlighted in yellow below):

 

  1. Open Notepad, then paste the copied Certificate text into a new Notepad document. Paste the following at the beginning then hit Enter to add a line break:  

-----BEGIN CERTIFICATE-----

  1. Add another line break at the end, then paste the following on the new line:

-----END CERTIFICATE-----

  1. It should look like the example below. Save the file with a .cer file extension

 

  1. Save the .cer file in a location that is accessible by the AX application.  

  2. Open the ATIPXpress Database Configuration tool, select the Sign-On Mode tab, then paste the file name (if placed within the application folder) or full path in the Partner Certificate File field:

A screenshot of a computer Description automatically generated  

  1. Update the Assertion Service URL. If you are upgrading from version 11.5.4 or under, you need to update the assertion URL after upgrade. See Section 1.2.1 in the v11.7.0 Release Notes for details.

  2. You must request that the customerā€™s SAML ID provider update the assertion URL on their end. The ID provider team can update the assertion URL on their end during or after an upgrade.

NOTE: If you see the following error message, it is likely due to an incorrect identity providerā€™s certificate.

ATIPXpress Configuration for SAML SSO

To complete the ATIPXpress Configuration for SAML SSO:

  1. Login to the ATIPXpress application server.

  2. Run the Database Configuration tool as an Administrator.

  3. Configure the database connection. If you have already configured the database connection, then save the existing database setting.

  4. Click the Sign-On Mode tab at the top menu bar and select SAML SSO.

 

  1. Enter the Service Provider details for the relying party identifier. These are shown below and described in the following table:

 

Field

Description

Entity ID

Enter the Service Provider Entity ID. This can be defined by an ATIPXpress team lead using one of two approaches:

  • We recommend using AX application domain name or domain name. Make sure to avoid certain characters in the entity ID. The URL should not include a port number, query string, fragment identifier, ampersand (&), or URN. The host part of the URL should not contain the substring "www".  

  • Use a unique name. The entity ID should be a globally unique name that identifies the service provider in the SSO process. You can use OrganizationApplicationNameEnvironmentType

format. i.e., casepointATIPXpressProd,

casepointATIPXpressTest, casepointATIPXpressProd,

casepointATIPXpressTest

Assertion Service URL

Enter the URL below, replacing <<DNS>> with your organizationā€™s ATIPXpress URL:

https://<<DNS>>/ATIPXpress/AssertionConsumerService.aspx For example, if your ATIPXpress application URL is:

https://myDns/ATIPXpress

Then the assertion URL value for this field would be:

https://myDns/ATIPXpress/AssertionConsumerService.aspx

Certificate File

Full file path for Service provider certificate (pfx) file

NOTE: The Assertion Service URL was updated for v11.7.0. If you are upgrading from a version below v11.7.0, you must update the value for Service Provider Assertion URL in SAML Configuration through a database configuration tool. You must also inform your Identity Provider about this change so they can record the updated assertion URL. See Section 2 for steps to update the URL

Field

Description

Certificate Password

Password of the Service provider certificate (if you enter path in the Certificate File field)

Certificate Serial

Number

Serial Number of the service provider

NOTE: You need to provide either certificate file or certificateā€™s serial number. Make sure the application has permission to read private key from the certificate file.

  1. Enter the Identity Provider values (SAML SSO Identity Provider) in the corresponding fields. These are shown below and described in the following table:

 

Field

Description

Partner Identity Provider

Partner Identity Providerā€™s name/entityId (Required)

Single Sign On Service URL

Single Sign On Service URL (Required)

Single Logout Service URL

This is an optional field. If you configure the URL, the application will redirect to this configured URL once user signs out or userā€™s session times out.

Partner Certificate File

Full path for Identity Provider provided certificate (Required)

  1. Select the remaining checkboxes as needed depending on your configuration requirements.

 

  1. Click Save.  

  2. Copy and paste the .CER file into the configured location Follow steps 3-5 in the Update Assertion URL section to configure the a partner certificate file.

Service Provider Metadata File

Generate Service Provider Metadata File

Follow the steps below to generate the AX Service Provider Metadata file:

  1. First, have the pfx file ready (as used in the previous section).

  2. Get the public key (.cer file) from pfx in base64 format (you can use OpenSSL, or do it from Certificate Management Console using the steps in the next section)

  3. If you are preparing metadata for existing configuration then you will need to collect the following details from your current configuration:

    1. Assertion URL (if you upgrading from v11.5.4 or earlier, then the assertion URL has changed)

    2. Service Provider Name (first text field)

    3. Want Authentication Request Signed (checkbox)

    4. Want Assertion Signed (checkbox)

  4. Go to the SAML Service Provider (SP) Metadata XML Builder and provide your information to generate an XML file.

  5. Provide the generated XML file to your Identity Provider.

Retrieve .cer via Certificate Management Console

Follow these steps to retrieve a .cer file from pfx through the Certificate Management Console:

NOTE: This requires that the pfx is installed in the system.  

  1. Go to Certificate Management Console ->  

  2. Select the cert (pfx) then right click and select All Tasks > Export.

  3. Select Public key only (no private key).  

  4. Select Base 64 format.

Related articles