SAML SSO Configuration Guide

This guide walks you through setting up a SAML Single Sign-On (SSO) identity provider (IdP) in Directo.

• You have permissions to change Directo system settings
• Administrator access to your Identity Provider (e.g., Microsoft Entra ID, Okta, Google Workspace)
• Your IdP's SAML configuration details (Login URL, Metadata URL)

Navigate to the SAML SSO configuration page in Directo. You will see a list of existing IdP configurations, or an empty list if none have been configured yet.

From the main menu: Settings → Common Settings → SSO Saml Login settings. Or use the search feature.

1. Click the Add new button.
2. You will be taken to the IdP configuration form.

Enter a descriptive name in the Button title field. This is the label that will appear on the SSO login button on the Directo login page (e.g., “Login with Azure AD” or “Company SSO”).

Enter the Login URL (also known as SSO URL or SAML Endpoint) from your Identity Provider. This is the endpoint where Directo sends SAML authentication requests.

Where to find it:

• Microsoft Entra ID: Azure Portal → Enterprise Applications → Your App → Single sign-on → Login URL
• Okta: Applications → Your App → Sign On tab → Identity Provider Single Sign-On URL
• Google Workspace: Admin Console → Apps → Web and mobile apps → Your App → SSO URL

Enter the Logout URL (also known as SLO URL or Single Logout Endpoint). This enables single logout — when a user logs out of Directo, they are also logged out of the IdP session.

Where to find it: Look for “SLO URL”, “Logout URL”, or “Single Logout Endpoint” in the same section as the Login URL in your IdP.

Enter the Metadata URL that points to your IdP's SAML metadata XML document. This URL contains the IdP's signing certificates, endpoints, and other configuration details.

Where to find it:

• Microsoft Entra ID: Azure Portal → Enterprise Applications → Your App → Single sign-on → App Federation Metadata Url
• Okta: Applications → Your App → Sign On tab → Metadata URL
• Google Workspace: Admin Console → Apps → Web and mobile apps → Your App → Download metadata (use the URL, not the file)

(Azure SSO pictured above)

Under SAML Name ID Mapping, select how the IdP identifies users:

• Email — The IdP sends the user's email address as the Name ID. Directo matches this to the user's email in the system.
• Username — The IdP sends the username as the Name ID. Directo matches this to the user's username in the system.

Choose the option that matches how your IdP is configured to send the Name ID claim.

Click Save. If you provided a Metadata URL, Directo will automatically import the IdP's signing certificates during the first save.

After saving, the Trusted Certificates section appears below the form. This section shows the signing certificates imported from your IdP's metadata.

• Certificates are automatically imported from the Metadata URL on first save.
• To manually import or re-import certificates, click Import from Metadata URL.

When your IdP rotates its signing certificate:

1. Add the new certificate in your IdP configuration.
2. Open the corresponding IdP configuration in Directo.
3. Click Import from Metadata URL to import the new certificate.
4. Both the old and new certificates will be trusted during the transition period.

The certificate table shows:

1. Open the Directo login page in a new browser window or incognito/private window.
2. You should see a new SSO button with the title you configured.
3. Click the button and verify that you are redirected to your IdP's login page.

1. After authenticating with the IdP, you should be redirected back to Directo and logged in.

1. Click on the configuration row in the list.
2. Update the fields as needed.
3. Click Save.

1. Click on the configuration row in the list.
2. Click the Delete button.
3. Confirm the deletion in the dialog.

Warning: Deleting an IdP configuration will immediately prevent users from logging in via that SSO method.

Warning: If you have enabled “Only configured SSO SAML methods can be used for authentication” and you delete all login methods you can lock yourself out of your application.