SAML 2.0 SSO

Enterprise

Federate RedFox Bastion with any SAML 2.0 identity provider for enterprise-grade Single Sign-On.

Supported identity providers

Microsoft Entra ID

Enterprise Application with SAML SSO. Automatic metadata import via URL.

Okta

SAML 2.0 application integration. Group push and attribute statements.

Google Workspace

Custom SAML app in Google Admin. Attribute mapping for groups and roles.

Any SAML 2.0 IdP

ADFS, PingIdentity, OneLogin, Keycloak, Shibboleth — any SP-initiated SAML 2.0 flow.

Configuration steps

  1. Enable SAML — Navigate to Settings → Authentication → SAML 2.0 and toggle the feature on.
  2. Import IdP metadata — Paste the IdP metadata URL or upload the XML file. RedFox extracts the SSO URL, SLO URL, and signing certificate automatically.
  3. Configure SP metadata — Download the RedFox SP metadata XML and import it into your IdP. Set the ACS URL to https://your-host/auth/saml/acs.
  4. Map attributes — Map IdP attributes to RedFox fields: email, displayName, groups. Custom attribute mappings supported.
  5. Group sync — Map IdP groups to RedFox RBAC roles. Users inherit target permissions from their group membership.
  6. Test — Use the "Test SSO" button to validate the flow before enforcing SAML for all users.

Multi-IdP support

RedFox supports multiple SAML identity providers simultaneously. Users see an IdP selector on the login page. Useful for organizations with separate IdPs per business unit or for MSPs managing multiple client tenants.

Security

  • SAML assertions are validated against the IdP signing certificate (SHA-256)
  • Assertion consumer service enforces InResponseTo and NotOnOrAfter checks
  • Replay protection via one-time assertion IDs
  • Encrypted assertions supported (AES-256-CBC + RSA-OAEP)
  • Single Logout (SLO) supported for clean session termination
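The following is an added example written for this page, not RedFox Bastion code, showing the service-provider side of the checks listed above (InResponseTo, NotOnOrAfter, one-time assertion IDs) together with the attribute and group-to-role mapping from configuration steps 4 and 5. It assumes the XML signature has already been verified by an xmlsec-capable library, and it goes slightly beyond the bullet list by also checking Destination, Recipient and Audience, which the SAML 2.0 Web Browser SSO profile requires of any bearer-assertion consumer. The Response document, hostnames, entity IDs, claim URIs and the attribute and role maps are all constructed for illustration.

```python
# Added example (not RedFox Bastion code): SP-side validation of a SAML 2.0
# Response after its XML signature has already been verified elsewhere, followed
# by attribute extraction and group-to-role mapping. Every URL, ID, claim name
# and mapping below is constructed for this example.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ENTITY_ID = "https://bastion.example.test/auth/saml/metadata"  # constructed
ACS_URL = "https://bastion.example.test/auth/saml/acs"            # constructed
CLOCK_SKEW = timedelta(minutes=2)  # tolerance for IdP/SP clock drift

# Constructed sample Response as the ACS would see it after signature verification.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1"
  InResponseTo="_req-42" Destination="https://bastion.example.test/auth/saml/acs">
  <saml:Assertion ID="_a1" IssueInstant="2030-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-42" NotOnOrAfter="2030-01-01T12:05:00Z"
          Recipient="https://bastion.example.test/auth/saml/acs"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2030-01-01T11:58:00Z" NotOnOrAfter="2030-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://bastion.example.test/auth/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>bastion-admins</saml:AttributeValue><saml:AttributeValue>linux-ops</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed mapping of Entra-style claim URIs to the RedFox fields from step 4,
# and of IdP groups to RBAC roles as in step 5.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.microsoft.com/identity/claims/displayname": "displayName",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups",
}
GROUP_ROLE_MAP = {"bastion-admins": "admin", "linux-ops": "operator"}


def parse_ts(s):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """One-time assertion IDs: remember each accepted ID until it can no longer be valid."""
    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it may be forgotten

    def accept(self, assertion_id, forget_after, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # drop stale entries
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = forget_after
        return True


def validate_response(xml_text, expected_request_id, now, replay_cache):
    """Return (ok, reason). The caller must already have verified the XML signature."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if root.get("Destination") != ACS_URL:
        return False, "wrong Destination"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData"
    # InResponseTo on the Response and on the bearer confirmation must both name the
    # AuthnRequest this SP issued; unsolicited or cross-request responses are rejected.
    if root.get("InResponseTo") != expected_request_id or scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch"
    if scd.get("Recipient") != ACS_URL:
        return False, "wrong Recipient"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    not_before, not_on_or_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before:
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= not_on_or_after:  # NotOnOrAfter is exclusive
        return False, "assertion expired"
    scd_expiry = parse_ts(scd.get("NotOnOrAfter"))
    if now - CLOCK_SKEW >= scd_expiry:
        return False, "bearer confirmation expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    # Replay protection: the assertion ID is accepted once, and kept until both
    # NotOnOrAfter values (plus skew) have passed, after which a replay fails anyway.
    if not replay_cache.accept(assertion.get("ID"), max(not_on_or_after, scd_expiry) + CLOCK_SKEW, now):
        return False, "replayed assertion"
    return True, "ok"


def map_attributes(xml_text):
    """Apply ATTRIBUTE_MAP to the AttributeStatement and derive RBAC roles from groups."""
    root = ET.fromstring(xml_text)
    fields = {"email": None, "displayName": None, "groups": []}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue  # unmapped attributes are ignored, not stored
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if field == "groups":
            fields["groups"].extend(values)
        else:
            fields[field] = values[0] if values else None
    fields["roles"] = sorted({GROUP_ROLE_MAP[g] for g in fields["groups"] if g in GROUP_ROLE_MAP})
    return fields


if __name__ == "__main__":
    cache = ReplayCache()
    now = parse_ts("2030-01-01T12:01:00Z")
    print(validate_response(SAMPLE_RESPONSE, "_req-42", now, cache))  # first use: accepted
    print(validate_response(SAMPLE_RESPONSE, "_req-42", now, cache))  # same assertion again: rejected
    print(map_attributes(SAMPLE_RESPONSE))
```

The order of checks matters: the request correlation and recipient checks run before the replay cache is consulted, so a response that fails for another reason never consumes an assertion ID. Clock skew is applied in the direction that favours acceptance on each boundary, which is why the replay cache holds an ID for the skew window past its NotOnOrAfter.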

Need help with SAML configuration? Contact [email protected]. For Enterprise licensing, reach out to [email protected].