About SAML Login and Proof of Identity Configuration
The ATIPXpress SAML Login Configuration manual was created to assist administrators when configuring the SAML SSO Login. It covers the following information:
Sign On Mode Overview
Updating the Assertion URL (new for v11.7.0 and up)
ATIPXpress Configuration for SAML SSO
Retrieving the Service Provider Metadata File
Sign On Mode Overview

You can now configure sign on modes for ATIPXpress directly from the Administration folder. Navigate to ATIPXpress Administration, then Security > Sign On Mode.
The Sign On Mode page allows you to configure how you authenticate into ATIPXpress. When enabled, SAML-based Single Sign-On (SSO) lets you sign in using your organization’s identity provider instead of a separate ATIPXpress account. This configuration typically requires coordination with your IT or identity management team.
Select SAML from the Sign On Mode drop-down menu.
When you choose SAML SSO, you must enter details for both the Service Provider (ATIPXpress) and the Identity Provider (your organization’s authentication system).
NOTE: Double-check all details to avoid being locked out of the system. If you encounter issues, please contact Casepoint Support.
Before proceeding, let’s go through the steps to update the Assertion URL.
Update Assertion URL
Follow the steps in this section to update the Assertion URL in ATIPXpress. This is required when upgrading from any version below 11.7.2.
NOTE: If the application is already on 11.7.2 or up, an assertion URL update is not required.
The customer must first obtain and provide their Identity Provider Metadata from their identity provider. This will be provided as either an XML file or URL.
Next, confirm or update the Identity Provider Certificate in SAML Configuration. This must be confirmed; otherwise, SAML authentication will fail. Open the provided metadata file and locate the signing certificate in X.509 format, as highlighted below:

You’ll use this value to create a certificate. Follow these steps:
Copy the full text following <X509Certificate> (highlighted in yellow below):

Open Notepad, then paste the copied Certificate text into a new Notepad document.
Paste the following at the beginning then hit Enter to add a line break:
-----BEGIN CERTIFICATE-----
Add another line break at the end, then paste the following on the new line:
-----END CERTIFICATE-----
It should look like the example below. Save the file with a .cer file extension.

Save the .cer file in a location that is accessible by the ATIPXpress application.
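The Notepad steps above can also be scripted. This added example (not part of the vendor manual or of ATIPXpress) reads the Identity Provider metadata, selects the signing certificate, writes it with the BEGIN/END lines, and prints a SHA-256 fingerprint to compare with the value your identity provider team reports. The metadata, the placeholder certificate bytes and the output file name are constructed for illustration.

```python
import base64
import binascii
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_signing_certs(metadata_xml):
    """Return [(pem_text, sha256_hex)] for every IdP signing certificate."""
    found = []
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # No "use" attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop wrapping/indentation
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError("X509Certificate text is not complete base64") from exc
            if not der.startswith(b"\x30"):  # every certificate is a DER SEQUENCE
                raise ValueError("decoded value does not look like a certificate")
            # Same BEGIN/END armor as the Notepad steps, body wrapped at 64 chars.
            found.append((ssl.DER_cert_to_PEM_cert(der),
                          hashlib.sha256(der).hexdigest().upper()))
    if not found:
        raise ValueError("metadata has no IdP signing certificate")
    return found

# Constructed sample: placeholder bytes shaped like DER, wrapped as metadata usually is.
SAMPLE_DER = b"\x30\x82\x00\x60" + bytes(range(96))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
{base64.encodebytes(SAMPLE_DER).decode()}   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for n, (pem, fingerprint) in enumerate(idp_signing_certs(SAMPLE_METADATA)):
        with open(f"idp-signing-{n}.cer", "w", newline="\n") as fh:  # hypothetical name
            fh.write(pem)
        print(f"idp-signing-{n}.cer SHA-256 {fingerprint}")
```

If the metadata lists more than one signing certificate (for example during a key rollover), the function returns all of them so you can confirm with the identity provider team which one is current.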
Open the ATIPXpress Database Configuration tool, select the Sign-On Mode tab, then paste the file name (if placed within the application folder) or full path in the Partner Certificate File field:

Update the Assertion Service URL. If you are upgrading from version 11.5.4 or under, you need to update the assertion URL after upgrade. See Section 1.2.1 in the v11.7.1 Release Notes for details.
You must request that the customer’s SAML ID provider update the assertion URL on their end. The ID provider team can update the assertion URL on their end during or after an upgrade.
Note: If you see the following error message, it is likely due to an incorrect identity provider’s certificate.
ATIPXpress Configuration for SAML SSO
To complete the ATIPXpress Configuration for SAML SSO:
Log in to the ATIPXpress application server.
Run the Database Configuration tool as an Administrator.
Configure the database connection. If you have already configured the database connection, then save the existing database setting.
Navigate to Sign On Mode and select SAML as described in Sign On Mode Overview.
Service Provider Details
Enter the Service Provider details for the relying party identifier. These are shown below and described in the following table:
Field | Description |
|---|---|
Issuer | Enter the ATIPXpress login URL that your identity provider uses to identify the application. This can be defined by an ATIPXpress team lead using one of two approaches:
|
Assertion Service URL | Enter the URL below, replacing <<DNS>> with your organization’s ATIPXpress URL: https://<<DNS>>/ATIPXpress/AssertionConsumerService.aspx For example, if your ATIPXpress application URL is https://myDns/ATIPXpress, then the assertion URL value for this field is https://myDns/ATIPXpress/AssertionConsumerService.aspx. The Assertion Service URL was updated for v11.7.0. If you are upgrading from a version below v11.7.0, you must update the value for Service Provider Assertion URL in SAML Configuration through the Database Configuration tool. You must also inform your Identity Provider about this change so they can record the updated assertion URL. See the Update Assertion URL section for the steps. |
Signature Certificate | Provide the full file path for the Service Provider certificate (pfx) file. ATIPXpress uses it to sign outgoing SAML requests to your identity provider. You can upload a certificate and optionally enter a certificate password. |
Encryption Certificate | If your identity provider requires encrypted assertions, upload an encryption certificate and password. |
Certificate Password | Password of the Service Provider certificate (if you enter a path in the Signature Certificate field). It is used to validate the certificates exchanged between systems. |
Certificate Serial Number | Serial Number of the service provider. It is used to validate the certificates exchanged between systems. |
NOTE: You need to provide either the Signature Certificate or the Certificate Serial Number. Make sure the application has permission to read the private key from the certificate file.
Identity Provider Settings
Enter the Identity Provider values (SAML SSO Identity Provider) in the corresponding fields. These are shown below and described in the following table:
Field | Description |
|---|---|
IDP Entity ID / Issuer URL | The unique identifier for your identity provider. |
SAML SSO URL | The endpoint ATIPXpress redirects you to for signing in. |
SAML SSO URL Binding Type | Determines how messages are transmitted (for example, HTTP POST). |
SAML SLO URL / SAML SLO URL Binding Type | Used if single logout is configured by your organization. |
Name ID Format | Specifies the identifier format sent by your identity provider. |
Authentication Context / Authentication Context Comparison | Allows you to specify required authentication strength if your organization requires it. |
Certificates and Signing Options
If signing or encryption is required by your organization, you must enter the Signature Certificate Text and Encryption Certificate Text, respectively. ATIPXpress does not enforce which signing or encryption requirements you must choose. These depend entirely on your identity provider’s policies.
You may upload an and specify whether authentication requests, responses, and assertions must be signed or encrypted.
NOTE: Expiration dates display after you save changes. If a certificate cannot be read or has expired, you must upload a valid one before SSO can function. Admin users receive an automated email notification 30 days before certificate expiration.
Select the remaining checkboxes as needed depending on your configuration requirements.
Sign Authentication Request
Want SAML Response Signed
Want Assertion Signed
Want Assertion Encrypted
Force Authentication (prompts your identity provider to re-challenge at every login)
Sign Logout Request
Sign Logout Response
NOTE: Force authentication may increase login time because your identity provider will not reuse an existing session.
Click Save.
Copy and paste the .CER file into the configured location.
NOTE: If you cannot log in after saving SAML settings, immediately contact your ATIPXpress support representative or your organization’s administrator. You may need to revert to a safe configuration.
Service Provider Metadata File
Generate Service Provider Metadata File
Follow the steps below to generate the ATIPXpress Service Provider Metadata file:
First, have the pfx file ready (as used in the previous section).
Get the public key (.cer file) from the pfx in Base64 format (you can use OpenSSL, or do it from the Certificate Management Console using the steps in the next section).
If you are preparing metadata for an existing configuration, you will need to collect the following details from your current configuration:
Assertion URL (if you are upgrading from v11.5.4 or earlier, the assertion URL has changed)
Service Provider Name (first text field)
Want Authentication Request Signed (checkbox)
Want Assertion Signed (checkbox)
Go to the SAML Service Provider (SP) Metadata XML Builder and provide your information to generate an XML file.
Provide the generated XML file to your Identity Provider.
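For reference, this is what the generated Service Provider metadata contains. The added example below (not ATIPXpress or metadata-builder code) builds the XML offline from the values collected in the steps above and rejects an assertion URL that does not end with the AssertionConsumerService.aspx path given earlier. Using the Service Provider Name as the entityID and the HTTP-POST binding are assumptions, and the sample URL and certificate bytes are constructed.

```python
import base64
import ssl
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ACS_SUFFIX = "/AssertionConsumerService.aspx"  # path given in the Service Provider table

def build_sp_metadata(entity_id, assertion_url, cer_pem, sign_requests, want_assertions_signed):
    """Build SP metadata XML from the values collected in the steps above."""
    if not (assertion_url.startswith("https://") and assertion_url.endswith(ACS_SUFFIX)):
        raise ValueError(f"assertion URL must be https and end with {ACS_SUFFIX}")
    # Only the public certificate belongs in metadata, never the .pfx or its password.
    der = ssl.PEM_cert_to_DER_cert(cer_pem.strip())  # ValueError without BEGIN/END lines
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    # Assumption: the Service Provider Name is used as the entityID.
    entity = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": str(bool(sign_requests)).lower(),
        "WantAssertionsSigned": str(bool(want_assertions_signed)).lower(),
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    data = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(data, f"{{{DS}}}X509Certificate").text = base64.b64encode(der).decode()
    # Assumption: assertions are delivered with the HTTP-POST binding.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": assertion_url, "index": "0", "isDefault": "true"})
    return ET.tostring(entity, encoding="unicode")

# Constructed sample values: placeholder bytes stand in for the exported .cer.
SAMPLE_DER = b"\x30\x82\x00\x60" + bytes(range(96))
SAMPLE_CER = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_URL = "https://myDns/ATIPXpress" + ACS_SUFFIX

if __name__ == "__main__":
    print(build_sp_metadata("https://myDns/ATIPXpress", SAMPLE_URL, SAMPLE_CER, True, True))
```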
Retrieve .cer via Certificate Management Console
Follow these steps to retrieve a .cer file from pfx through the Certificate Management Console:
NOTE: This requires that the pfx is installed in the system.
Go to the Certificate Management Console.
Select the cert (pfx), then right-click and select All Tasks > Export.
Select Public key only (no private key).
Select Base 64 format.