Overview
HostedScan supports SAML 2.0 Single Sign-On (SSO) integration, allowing organizations to authenticate users through their existing Identity Provider (IdP). This guide covers how to configure HostedScan as a Service Provider (SP) with your SAML IdP.
SAML SSO enables your organization to:
- Centralize user authentication through your existing IdP
- Enforce security policies defined in your IdP
- Simplify user management by leveraging existing user directories
- Maintain consistent access controls across all applications
SAML Authentication Flow
1. User Access
User → HostedScan
2. SAML Redirect
HostedScan → IdP (with SAML AuthnRequest)
3. IdP Authentication
User → IdP (login with credentials)
4. SAML Response
IdP → HostedScan (signed SAML assertion)
5. User Session
HostedScan → User (authenticated session)
Key Points:
- All SAML assertions and requests must be digitally signed
- User email address is used as the unique identifier
- HostedScan automatically creates/updates user accounts
Prerequisites
- Premium Plan: SAML SSO is available on the Premium plan
- SAML 2.0 IdP: Your organization must have a SAML 2.0 compatible Identity Provider
- Administrative Access: You need admin access to both HostedScan and your IdP
Security Requirements
Your IdP MUST be configured with the following security settings:
-
Sign Assertions: ✅ Required
- All SAML assertions must be digitally signed
- Ensures assertion integrity and authenticity
-
Sign Responses: ✅ Required
- All SAML responses must be digitally signed
- Prevents response tampering and replay attacks
Troubleshooting
Common Issues
Authentication Fails
Symptoms: Users cannot log in via SAML Solutions:
- Verify IdP metadata is correctly configured
- Check that both assertions and requests are being signed
- Ensure X.509 certificate is valid and properly configured
- Verify attribute mapping is correct
Certificate Errors
Symptoms: SAML authentication fails with certificate errors Solutions:
- Verify IdP certificate is not expired
- Check certificate format (should be X.509)
- Ensure certificate is properly imported in both systems
- Validate certificate chain if using intermediate certificates
Debug Tips
To troubleshoot SAML issues:
- Enable Debug Logging: Check your IdP logs for detailed SAML transaction information
- Browser Developer Tools: Use network tab to inspect SAML requests/responses
- HostedScan Logs: Contact support for server-side SAML transaction logs
Technical Specifications
Supported SAML Features
- SAML Version: 2.0
- Bindings: HTTP-POST, HTTP-Redirect
- Name ID Formats:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
(Primary)urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Signature Algorithms: SHA-1
Endpoints
- ACS URL:
https://app.hostedscan.com/auth/saml/{organization_id}/callback
- SP Entity ID:
https://app.hostedscan.com
- Metadata URL:
https://app.hostedscan.com/auth/saml/{organization_id}/metadata