Sign On Mode

You can now configure sign on modes for FOIAXpress directly from the Administration folder. Navigate to FOIAXpress Administration, then Security > Sign On Mode.

The Sign On Mode page allows you to configure how you authenticate into FOIAXpress. When enabled, SAML-based Single Sign-On (SSO) lets you sign in using your organization’s identity provider instead of a separate FOIAXpress account. This configuration typically requires coordination with your IT or identity management team.

Select SAML from the Sign On Mode drop-down menu.

When you choose SAML SSO, a guided step-by-step wizard opens beneath the drop-down. The wizard walks you through configuring the Service Provider (ATIPXpress) and the Identity Provider (your organization's authentication system), then lets you review your entries before you save.

SAML SSO Configuration

The SAML SSO configuration is split into the following steps. A step indicator at the top of the page shows your current position and the upcoming steps.

  • Step 1 — Service Provider

  • Step 2 — Identity Provider

  • Step 3 — Review & Save

Use the Next button to advance to the next step and the Previous button to return to a prior step. All field-level validation rules from the previous design still apply on each step.

NOTE: Existing field validation, required field rules, and field dependencies are unchanged. If a required field is empty when you click “Next” or “Save”, the wizard prevents you from continuing and highlights the field that needs your attention.

Service Provider Settings

These settings define how FOIAXpress presents itself to your identity provider. Fill in these fields with the help of your IT administrator.

| Field | Description |
| --- | --- |
| Issuer | The FOIAXpress login URL that your identity provider uses to identify the application. |
| Assertion Service URL | The location where your identity provider sends SAML responses after authentication. |
| Signature Certificate | The certificate FOIAXpress uses to sign outgoing SAML requests to your identity provider. You can upload a certificate and optionally enter a certificate password. |
| Encryption Certificate | If your identity provider requires encrypted assertions, upload an encryption certificate and password. |
| Encryption Certificate Password | Password for the uploaded encryption certificate. Required only if your certificate is password-protected. |
| Encryption Certificate Expiration Date | Read-only. Displays after you save the configuration. |
| Certificate Serial Number | Used to validate the certificates exchanged between systems. |
| Certificate Serial Number and Certificate Thumbprint | These values are used to validate the certificates exchanged between systems. |

When a Signature Certificate is on file, the wizard displays a Click here to download the certificate button at the bottom of the Service Provider step. Use this to download the current Service Provider certificate for your records or to share with your identity provider team.

NOTE: Expiration dates display after you save changes. If a certificate cannot be read or has expired, you must upload a valid one before SSO can function. Admin users receive an automated email notification 30 days before certificate expiration.

When you finish the Service Provider step, click Next to continue.

Identity Provider Settings

These settings allow FOIAXpress to trust and interpret authentication responses from your identity provider. Fill in these fields with the help of your IT administrator.

| Field | Description |
| --- | --- |
| IDP Entity ID / Issuer URL | The unique identifier for your identity provider. |
| SAML SSO URL | The endpoint FOIAXpress redirects you to for signing in. |
| SAML SSO URL Binding Type | Determines how messages are transmitted (for example, HTTP POST). |
| SAML SLO URL and SAML SLO URL Binding Type | Used if single logout is configured by your organization. |
| Name ID Format | Specifies the identifier format sent by your identity provider. |
| Authentication Context and Authentication Context Comparison | Allows you to specify required authentication strength if your organization requires it. |

Certificates and Signing Options

If signing or encryption is required by your organization, you must enter the Signature Certificate Text and Encryption Certificate Text, respectively. FOIAXpress does not enforce which signing or encryption requirements you must choose. These depend entirely on your identity provider’s policies.

You may upload an Identity Provider Certificate and specify whether authentication requests, responses, and assertions must be signed or encrypted.

| Field | Description |
| --- | --- |
| Signature Certificate Text | The signature certificate text provided by your identity provider. |
| Signature Certificate Text Expiration Date | Read-only. Displays after you save the configuration. |
| Encryption Certificate Text | The encryption certificate text provided by your identity provider. |
| Encryption Certificate Text Expiration Date | Read-only. Displays after you save the configuration. |
| Identity Provider Certificate | Upload the certificate file (.cer) used by your identity provider. |
| IDP Certificate Expiration Date | Read-only. Displays after you save the configuration. |

NOTE: Expiration dates display after you save changes. If a certificate cannot be read or has expired, you must upload a valid one before SSO can function. Admin users receive an automated email notification 30 days before certificate expiration.

Additionally, you can control the following behaviors:

  • Sign Authentication Request

  • Want SAML Response Signed

  • Want Assertion Signed

  • Want Assertion Encrypted

  • Force Authentication (prompts your identity provider to re-challenge at every login)

  • Sign Logout Request

  • Sign Logout Response

NOTE: Force authentication may increase login time because your identity provider will not reuse an existing session.

If you cannot log in after saving SAML settings, immediately contact your FOIAXpress support representative or your organization’s administrator. You may need to revert to a safe configuration.

When you finish the Identity Provider step, click Next to continue. To go back and edit Service Provider details, click Previous.

Review & Save

The Review & Save step displays a read-only summary of every value you entered in the wizard, grouped under Service Provider and Identity Provider headings. Use this step to verify each entry before you save.

  • If a value is too long to display in full, the wizard shows the value truncated with a Show More link. Click Show More to display the complete value in a pop-up.

  • If you find an entry that needs to be corrected, click Previous to return to the appropriate step and update the value.

  • When all entries are correct, click Save to apply the SAML SSO configuration.

NOTE: Double-check all details to avoid being locked out of the system. An incorrect Identity Provider URL, missing certificate, or incompatible binding type can prevent users from signing in.
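A pre-flight check for the lockout causes named in the note above, as an added example that is not FOIAXpress code: it reads your identity provider's SAML 2.0 metadata and compares it with the values you plan to enter in the wizard. The `planned` keys, the sample metadata and its placeholder certificate bytes are constructed for illustration, and the thumbprint is assumed to be the SHA-1 of the DER certificate, which this page does not specify.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample; the certificate body is placeholder bytes, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="https://idp.example.org/slo"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:SingleSignOnService Location="https://idp.example.org/sso"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_fields(metadata_xml):
    """Extract the values the Identity Provider step asks for from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    def endpoints(tag):  # (binding short name, URL) pairs, e.g. ("HTTP-POST", url)
        return [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location"))
                for e in idp.findall(MD + tag)]
    thumbprints = {}
    for kd in idp.findall(MD + "KeyDescriptor"):
        der = base64.b64decode("".join(kd.findtext(".//" + DS + "X509Certificate", "").split()))
        if not der:
            continue  # KeyDescriptor without an embedded certificate
        # No "use" attribute means the key serves both signing and encryption.
        for use in [kd.get("use")] if kd.get("use") else ["signing", "encryption"]:
            thumbprints.setdefault(use, []).append(hashlib.sha1(der).hexdigest().upper())
    return {"entity_id": root.get("entityID"), "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"), "thumbprints": thumbprints}

def preflight(planned, metadata_xml):
    """Return mismatches between planned wizard entries and the IdP metadata."""
    pub, problems = idp_fields(metadata_xml), []
    if planned["entity_id"] != pub["entity_id"]:
        problems.append("IDP Entity ID differs from metadata entityID")
    if (planned["sso_binding"], planned["sso_url"]) not in pub["sso"]:
        problems.append("SAML SSO URL or binding type not offered by the IdP")
    if planned.get("slo_url") and (planned.get("slo_binding"), planned["slo_url"]) not in pub["slo"]:
        problems.append("SAML SLO URL or binding type not offered by the IdP")
    if planned.get("want_signed") and not pub["thumbprints"].get("signing"):
        problems.append("signed messages wanted but metadata has no signing certificate")
    return problems
```

An empty list from `preflight` means the planned entries agree with what the identity provider publishes; compare the returned thumbprints with the certificate your identity provider team sent before you click Save.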

After You Save

When you click Save, the wizard validates each step and applies your configuration. After saving:

  • The wizard remains in edit mode so that you can immediately make additional changes if needed.

  • Certificate expiration dates are calculated and displayed for the Signature, Encryption, and Identity Provider certificates.

  • If you refresh the page, the wizard reopens with your saved values pre-filled in edit mode.

Download SAML Certificate

For SaaS deployments, you can download the SAML certificate directly from the Sign On Mode page when a certificate is available. The downloaded certificate is saved in .cer format, which you can then share with your identity provider for integration and configuration.

NOTE: The certificate download option is available only for SaaS clients. If your organization uses an on-premises deployment, contact your system administrator for certificate management.

A Click here to download certificate link appears in the Service Provider Settings section when a SAML certificate is configured. If no certificate is available, this link is not displayed.