SSO with SAML
This guide walks you through configuring Single Sign-On (SSO) for the API7 Dashboard using the SAML 2.0 protocol. SAML SSO enables users to authenticate through your corporate identity provider (IdP) and access the dashboard without maintaining a separate account.
How It Works
- The user selects the SAML login option on the dashboard login page.
- The dashboard sends a SAML AuthnRequest to the IdP.
- After authentication, the IdP POSTs a SAMLResponse to the dashboard's Assertion Consumer Service (ACS) URL.
- The dashboard validates the SAML assertion, extracts user attributes, and creates or updates the user account.
- If role and permission boundary mappings are configured, they are applied on each login.
Prerequisites
Before you begin, ensure you have:
- A running API7 Gateway deployment with dashboard access.
- A SAML 2.0-compliant identity provider (e.g., Microsoft Entra ID, Okta, Ping Identity).
- The following information from your IdP:
- IdP Metadata URL: The URL that exposes the IdP's SAML metadata XML.
- Attribute names: The claim names for username, email, and any role-related attributes.
Step 1: Create a SAML Login Option
Start by creating the login option in API7 to generate the Service Provider (SP) metadata URLs, which you will need to configure your IdP.
- In the API7 Dashboard, navigate to Organization > Settings.
- Click Add Login Option.
- Fill in the configuration:
| Field | Description | Example |
|---|---|---|
| Name | Display name shown on the login page as "Login with {Name}" | Corporate SAML |
| Provider | Select SAML | — |
| Identity Provider Metadata URL | URL to the IdP's SAML metadata XML | https://login.microsoftonline.com/{tenant}/federationmetadata/... |
| Service Provider Root URL | URL users use to access the dashboard | https://dashboard.example.com |
| Entity ID | Unique identifier for the SP in the SAML federation. Recommended: use the dashboard URL. | https://dashboard.example.com |
| Attributes Mapping | Map SAML assertion attributes to API7 user fields | See provider-specific sections below |
| Terminate IdP Session on Logout | Whether to redirect to the IdP for Single Logout (SLO) | false |
- Click Add.
After creation, the login option displays the following auto-generated URLs:
| URL | Purpose |
|---|---|
| ACS URL | https://<DASHBOARD_URL>/api/saml/<LOGIN_OPTION_ID>/acs — The endpoint where the IdP posts SAML responses |
| SLO URL | https://<DASHBOARD_URL>/api/saml/<LOGIN_OPTION_ID>/slo — The endpoint for Single Logout callbacks |
| SP Metadata URL | https://<DASHBOARD_URL>/api/saml/<LOGIN_OPTION_ID>/metadata — SP metadata XML for import into the IdP |
API7 auto-generates a self-signed certificate and private key for SAML request signing if you do not provide your own. You can optionally supply a custom SP certificate and private key in the login option configuration.
Step 2: Configure Your IdP
Register the API7 Dashboard as a Service Provider in your identity provider using the ACS URL and Entity ID from Step 1.
See the Provider-Specific Configuration section below for detailed instructions.
Step 3: Verify SSO Login
- Sign out of the API7 Dashboard.
- On the login page, you should see a new option: Login with {Name}.
- Click it to authenticate through your IdP.
- After successful authentication, you are redirected back to the dashboard.
The SSO user appears under Organization > Users. By default, the user has no roles assigned.
Deleting a user in the Dashboard removes their roles and permission boundaries, but the user can still log in again as a new user. To fully revoke access, remove the user from the IdP.
Configure Role Mapping
Role mapping automatically assigns API7 roles to SSO users based on SAML assertion attributes. Configure your IdP to include role-related attributes in the SAML response, then set up mapping rules in API7.
Automatic role mappings take precedence over manual role assignments. When mappings are active, any manual changes are overwritten on the user's next login.
Enable Role Mapping
- In the API7 Dashboard, navigate to Organization > Settings.
- Select your SAML login option.
- Enable Role Mapping.
- Configure the mapping rule:
| Field | Description | Example |
|---|---|---|
| Internal Role | The API7 role to assign | Super Admin |
| Role Attribute | JSONPath to the SAML attribute | $.Role |
| Operation | Comparison method: Exact Match, Contains String, Exact Match in Array, or Contains String in Array | Exact Match |
| Role Value | Expected attribute value | admin |
- Click Enable.
Permission Boundary Mapping
Permission boundary mapping works the same way as role mapping but assigns permission policies as boundaries instead of attaching roles. Enable Permission Boundary Mapping in the login option settings and configure the mapping rules with the same attribute-matching approach.
Provider-Specific Configuration
Microsoft Entra ID (Azure AD)
IdP Setup
- In the Azure portal, navigate to Microsoft Entra ID > Enterprise applications.
- Click New application > Create your own application:
- Enter a name (e.g.,
API7 Dashboard). - Select Integrate any other application you don't find in the gallery (Non-gallery).
- Enter a name (e.g.,
- Under Users and groups, add the users and groups that should have SSO access to API7.
- Under Single sign-on, select SAML and configure:
- Identifier (Entity ID): Use the same value as the Entity ID in API7 (e.g.,
https://dashboard.example.com). - Reply URL (ACS URL): Use the ACS URL from API7 (e.g.,
https://dashboard.example.com/api/saml/<LOGIN_OPTION_ID>/acs).
- Identifier (Entity ID): Use the same value as the Entity ID in API7 (e.g.,
- In the SAML Signing Certificate section, find the App Federation Metadata URL and use it as the Identity Provider Metadata URL in API7.
Attribute Mapping Configuration
Azure AD uses full URI-style claim names by default:
| API7 Field | SAML Claim Name |
|---|---|
username | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Role Mapping
- Under App roles, create roles (e.g.,
Admin). - Under Enterprise applications > Users and groups, assign the role to users.
- In Azure, navigate to Single sign-on > Attributes & Claims and add a claim that includes the assigned role (e.g., claim name
Role). - In API7, use the mapping rule: Attribute
$.Role, OperationExact Match, ValueAdmin.
Okta
IdP Setup
- In the Okta Admin Console, navigate to Applications > Applications.
- Click Create App Integration and select SAML 2.0.
- Configure the SAML settings:
- Single sign-on URL: Use the ACS URL from API7 (e.g.,
https://dashboard.example.com/api/saml/<LOGIN_OPTION_ID>/acs). - Audience URI (SP Entity ID): Use the same Entity ID as in API7 (e.g.,
https://dashboard.example.com). - Name ID format:
EmailAddressorUnspecified.
- Single sign-on URL: Use the ACS URL from API7 (e.g.,
- Under Attribute Statements, configure:
username→user.loginemail→user.emailname→user.firstName + " " + user.lastName
- After creating the app, find the Identity Provider metadata URL under the Sign On tab.
- Assign users to the application under the Assignments tab.
Attribute Mapping Configuration��
| API7 Field | SAML Attribute |
|---|---|
username | username |
email | email |
name | name |
Role Mapping
- Under Attribute Statements, add a
roleattribute (e.g., mapped to a user profile attribute or group membership). - In API7, use the mapping rule: Attribute
$.role, OperationExact Match, Valueadmin.
Delete a Login Option
Deleting a login option removes all dashboard users associated with that option.
- Navigate to Organization > Users and verify which users are associated with this login option.
- Navigate to Organization > Settings.
- Click Delete on the login option.
At least one login option must remain enabled at all times. You cannot delete or disable the last remaining enabled login option.