- Home
- Identity Platform
- Documentation
- Guides
This document shows you how to use Identity Platform to sign in users with aSecurity Assertion Markup Language (SAML) 2.0 provider.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Go to project selector
-
Make sure that billing is enabled for your Google Cloud project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Go to project selector
-
Make sure that billing is enabled for your Google Cloud project.
- Enable Identity Platform, and add the Client SDK to your app. See theQuickstart tolearn how.
Configuring the provider
Go to the Identity Providers page in the Google Cloud console.
Go to the Identity Providers pageClick Add a Provider, and select SAML from the list.
Enter the following details:
The Name of the provider. This can be the same as the provider ID,or a custom name. If you enter a custom name, click Edit next toProvider ID to specify the ID (which must begin with
saml.
).The provider's Entity ID.
The provider's SAML SSO URL.
The certificate used for token-signing on the provider. Make sure toinclude the start and end strings. For example:
-----BEGIN CERTIFICATE-----MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czEL...LEzc1JwEGQQVDYQCwsQMSBDAF0QAB0w9GikhqkgBNADABIgABIwAgOdACCjaCIIM-----END CERTIFICATE-----
Under Service provider, enter the Entity ID of your app. This istypically your app's URL. On your SAML identity provider, this isreferred to as the audience.
Add your app to the list of Authorized Domains. For example, if yourapp's sign-in URL is
https://example.com/login
, addexample.com
.If necessary, customize the callback URL for your app. This iscommonly called the Assertion Consumer Service (ACS) URL by SAMLidentity providers.
Using the default callback URL reduces the complexity of validating the SAMLresponse. If you customize this flow, make sure the Identity Platformcallback URL for your project is configured on your SAML identity provider.This usually looks something like
https://[PROJECT-ID].firebaseapp.com/__/auth/handler
.See Customizing an authentication handlerto learn more.Click Save.
Provider required elements
Identity Platform expects the <saml:Subject>
and <saml:NameID>
elements in responses from the provider.If you don't define values for these elements when configuring your provider, the SAML assertion fails.
Signing requests
You can increase the security of your authentication requests by signing them.
To sign requests, first enable signed requests for your identity provider bycalling inboundSamlConfigs.patch(),and setting idp_config.sign_request
to true
:
REST
Before using any of the request data, make the following replacements:
project-id
: the ID for the Google Cloud projectprovider-id
: the SAML provider ID
HTTP method and URL:
PATCH https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/inboundSamlConfigs/provider-id?updateMask=idpConfig.signRequest
Request JSON body:
{ "idp_config": { "sign_request": true }}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json
, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "x-goog-user-project: project-id" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/inboundSamlConfigs/provider-id?updateMask=idpConfig.signRequest"
PowerShell (Windows)
Save the request body in a file named request.json
, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "project-id" }Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/inboundSamlConfigs/provider-id?updateMask=idpConfig.signRequest" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You must use the REST API to enable signed requests; using theGoogle Cloud console or Google Cloud CLI is not supported.
The response is anInboundSamlConfigobject, which includes an array of SpCertificate.Configure the value of the X509 certificate with your SAML identity provider soit can validate the signature of your requests.
Signing in users
When you sign a user in, the Client SDK handles the authenticationhandshake, then returns ID tokens containing the SAML attributes in theirpayloads. To sign a user in and get attributes from the SAML provider:
Create a SAMLAuthProviderinstance with the provider ID you configured inthe previous section. The provider ID must start with
saml.
.See AlsoSet up your own custom SAML appWeb version 9
import { SAMLAuthProvider } from "firebase/auth";const provider = new SAMLAuthProvider("saml.myProvider");
Web version 8
const provider = new firebase.auth.SAMLAuthProvider('saml.myProvider');
Start the sign in flow. You can choose to either use a popup or a redirect.
Popup
Web version 9
import { SAMLAuthProvider } from "firebase/auth";const provider = new SAMLAuthProvider("saml.myProvider");
Web version 8
const provider = new firebase.auth.SAMLAuthProvider('saml.myProvider');
Redirect
To redirect to a sign-in page, call
signInWithRedirect()
:Web version 9
import { getAuth, signInWithRedirect } from "firebase/auth";const auth = getAuth();signInWithRedirect(auth, provider);
Web version 8
firebase.auth().signInWithRedirect(provider);
Then, call
getRedirectResult()
to get the results when the user returns to your app:Web version 9
import { getAuth, getRedirectResult, SAMLAuthProvider } from "firebase/auth";const auth = getAuth();getRedirectResult(auth) .then((result) => { // User is signed in. // Provider data available from the result.user.getIdToken() // or from result.user.providerData }) .catch((error) => { // Handle Errors here. const errorCode = error.code; const errorMessage = error.message; // The email of the user's account used. const email = error.customData.email; // The AuthCredential type that was used. const credential = SAMLAuthProvider.credentialFromError(error); // Handle / display error. // ... });
Web version 8
firebase.auth().getRedirectResult() .then((result) => { // User is signed in. // Provider data available in result.additionalUserInfo.profile, // or from the user's ID token obtained from result.user.getIdToken() // as an object in the firebase.sign_in_attributes custom claim // This is also available from result.user.getIdTokenResult() // idTokenResult.claims.firebase.sign_in_attributes. }).catch((error) => { // Handle / display error. // ... });
Retrieve the user attributes associated with the SAML provider from the IDtoken using the
firebase.sign_in_attributes
claim. Make sure to verify theID token using the Admin SDK when you send it to your server.The ID token includes the user's email address only if it is provided in the
NameID
attribute of the SAML assertion from the identity provider:<Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@email.com</NameID></Subject>
This is populated in the Firebase-issued ID token and in the UserInfo object.
Currently, only service-provider initiated SAML flows from the Client SDKare supported.
Linking user accounts
If a user has already signed in to your app using a different method (such as email/password), you can link their existing account to the SAML provider using linkWithPopup()
or linkWithRedirect()
:For example we can link with a Google account:
Web version 9
import { getAuth, linkWithPopup, GoogleAuthProvider } from "firebase/auth";const provider = new GoogleAuthProvider();const auth = getAuth();linkWithPopup(auth.currentUser, provider).then((result) => { // Accounts successfully linked. const credential = GoogleAuthProvider.credentialFromResult(result); const user = result.user; // ...}).catch((error) => { // Handle Errors here. // ...});
Web version 8
auth.currentUser.linkWithPopup(provider).then((result) => { // Accounts successfully linked. var credential = result.credential; var user = result.user; // ...}).catch((error) => { // Handle Errors here. // ...});
What's next
- Signing in users with OIDC
- Showing a custom domain during sign in
- Managing OIDC and SAML providers programmatically
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-06-20 UTC.
[{ "type": "thumb-down", "id": "hardToUnderstand", "label":"Hard to understand" },{ "type": "thumb-down", "id": "incorrectInformationOrSampleCode", "label":"Incorrect information or sample code" },{ "type": "thumb-down", "id": "missingTheInformationSamplesINeed", "label":"Missing the information/samples I need" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]