SAML 2.0 Identity Provider

SAML Integration Guide

Use 3PM Auth as a SAML 2.0 Identity Provider to enable Single Sign-On for enterprise applications like Zoho Creator, Salesforce, and other SAML-compliant Service Providers.

Overview

3PM Auth functions as a SAML 2.0 Identity Provider (IdP), allowing users to authenticate using existing methods (Email OTP, Mobile OTP, Google, Apple) and then access SAML-enabled Service Providers with a signed assertion.

Identity Provider

3PM Auth authenticates users and generates signed SAML assertions.

Service Providers

Zoho, Salesforce, and other SAML apps trust 3PM Auth assertions.

Existing Auth Methods

Users log in with Email OTP, Mobile OTP, Google, or Apple.

Secure Assertions

RSA-SHA256 signed assertions with replay protection.

How It Works

1. User clicks "Login with SSO" in the Service Provider (e.g., Zoho)
2. SP sends SAML AuthnRequest to 3PM Auth
3. User authenticates via OTP, Google, or Apple
4. 3PM Auth generates signed SAML Response with user attributes
5. User is redirected to SP with the assertion, now logged in

Configuration

SAML IdP requires X.509 certificates for signing assertions and environment variables for configuration.

1. Generate Certificates

Generate a self-signed certificate for signing SAML assertions:

# Create certs directory
mkdir -p certs

# Generate private key and certificate (valid for 3 years)
openssl req -x509 -newkey rsa:4096 \
  -keyout certs/saml-idp.key \
  -out certs/saml-idp.crt \
  -days 1095 -nodes \
  -subj "/CN=3PM Auth SAML IdP"

2. Environment Variables

.env.local:
# SAML IdP Configuration
SAML_IDP_ENTITY_ID=https://idp.3pm.app/saml
SAML_IDP_PRIVATE_KEY_PATH=./certs/saml-idp.key
SAML_IDP_CERTIFICATE_PATH=./certs/saml-idp.crt
# Optional: Key passphrase (if encrypted)
# SAML_IDP_KEY_PASSPHRASE=your-passphrase
# Assertion lifetime (default: 300 seconds / 5 minutes)
SAML_ASSERTION_LIFETIME_SECONDS=300
# Auth request TTL (default: 600 seconds / 10 minutes)
SAML_AUTH_REQUEST_TTL_SECONDS=600

Important: Keep your private key secure. Never commit it to version control.

Configuration Reference

Variable | Description | Required
SAML_IDP_ENTITY_ID | Unique identifier for your IdP | Yes
SAML_IDP_PRIVATE_KEY_PATH | Path to private key file | Yes
SAML_IDP_CERTIFICATE_PATH | Path to certificate file | Yes
SAML_IDP_KEY_PASSPHRASE | Passphrase for the private key, if it is encrypted | No
SAML_ASSERTION_LIFETIME_SECONDS | Assertion validity duration | No (default: 300)
SAML_AUTH_REQUEST_TTL_SECONDS | How long a pending AuthnRequest stays valid | No (default: 600)

Service Providers

Register Service Providers in the admin dashboard to allow them to authenticate users via SAML SSO.

Required Information

When registering a Service Provider, you'll need the following information from them:

Field | Description | Example
Entity ID | SP's unique identifier | zoho.com
ACS URL | Assertion Consumer Service URL | https://accounts.zoho.com/samlresponse/...
Name | Display name for the SP | Zoho Creator
NameID Format | Format for user identifier | emailAddress

Optional Settings

SLO URL | Single Logout URL for federated logout
Certificate | SP's certificate for signed request validation
Attribute Mappings | Custom attribute names expected by the SP

Admin Dashboard: Go to Dashboard → SAML Service Providers to register and manage SPs.

Authentication Flow

3PM Auth supports SP-initiated SSO, where the Service Provider starts the authentication flow.

SP-Initiated SSO Flow

1. User → Service Provider (clicks "Login with SSO")
2. Service Provider → 3PM Auth (SAMLRequest via redirect/POST)
3. 3PM Auth → User (authenticates via OTP/OAuth)
4. 3PM Auth → Service Provider (SAMLResponse via POST to ACS URL)
5. Service Provider → User (logged in, session created)

Supported Bindings

HTTP-Redirect (GET)

SAMLRequest is deflated, base64-encoded, and passed as a query parameter.

HTTP-POST

SAMLRequest is base64-encoded and submitted as a form field.

Already logged in? If the user has an active 3PM Auth session, they'll be redirected back to the SP immediately without re-authenticating.
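The two bindings described above, as an added example written for this guide and not taken from 3PM Auth's code base: it encodes and decodes a SAMLRequest for HTTP-Redirect (raw DEFLATE, base64, query string) and HTTP-POST (base64 form field), caps how far a request may inflate, and then binds the parsed AuthnRequest to a registered Service Provider, refusing an AssertionConsumerServiceURL that differs from the registered ACS URL. The sample AuthnRequest, the MAX_REQUEST_BYTES limit, the in-memory REGISTERED_SPS registry (shaped like the dashboard JSON later on this page) and the function names are all this example's own assumptions.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_REQUEST_BYTES = 64 * 1024  # assumed cap on an inflated AuthnRequest

# Constructed sample AuthnRequest; not captured from a real Service Provider.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-0001" Version="2.0" IssueInstant="2026-02-01T10:00:00Z" '
    'AssertionConsumerServiceURL="https://accounts.zoho.com/samlresponse/your-org">'
    "<saml:Issuer>zoho.com</saml:Issuer></samlp:AuthnRequest>"
)

# Registered SPs keyed by entityId; assumed in-memory form of the dashboard registration.
REGISTERED_SPS = {
    "zoho.com": {"name": "Zoho Creator",
                 "acsUrl": "https://accounts.zoho.com/samlresponse/your-org",
                 "enabled": True},
}


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "/api/saml/sso?" + urlencode(params)


def decode_redirect(url):
    """Inverse of encode_redirect with a bound on the inflated size (decompression-bomb guard)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_REQUEST_BYTES)
    # Leftover input, or no end-of-stream, means the request would inflate past the cap.
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAMLRequest inflates past MAX_REQUEST_BYTES")
    return xml.decode("utf-8"), qs.get("RelayState", [None])[0]


def encode_post(xml, relay_state=None):
    """HTTP-POST binding: plain base64 in a form field, no deflate step."""
    form = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_post(form):
    if len(form["SAMLRequest"]) > MAX_REQUEST_BYTES * 2:  # base64 grows input by 4/3
        raise ValueError("SAMLRequest too large")
    xml = base64.b64decode(form["SAMLRequest"], validate=True).decode("utf-8")
    return xml, form.get("RelayState")


def parse_authn_request(xml):
    """Pull the fields the IdP needs. The stdlib parser keeps this self-contained;
    for untrusted XML in production the defusedxml package is the usual hardening."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {"id": root.get("ID"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "acs_url": root.get("AssertionConsumerServiceURL")}


def resolve_sp(request, registry=REGISTERED_SPS):
    """Bind the request to a registered SP. The SAMLResponse is only ever POSTed to the
    registered acsUrl, so a request naming a different ACS URL is rejected outright."""
    sp = registry.get(request["issuer"])
    if sp is None or not sp["enabled"]:
        raise ValueError("unknown or disabled Service Provider")
    if request["acs_url"] is not None and request["acs_url"] != sp["acsUrl"]:
        raise ValueError("AssertionConsumerServiceURL does not match registered ACS URL")
    return sp


if __name__ == "__main__":
    url = encode_redirect(SAMPLE_AUTHN_REQUEST, relay_state="state-1")
    xml, relay = decode_redirect(url)
    print(resolve_sp(parse_authn_request(xml))["name"], relay)
```

The RelayState is passed through untouched in both directions; it is opaque to the IdP and is returned to the SP with the response. Keeping the ACS URL check in `resolve_sp` rather than trusting the request is what stops a crafted AuthnRequest from steering a signed assertion to an endpoint the SP never registered.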

Endpoints

GET /api/saml/metadata

Returns the IdP metadata XML. Service Providers use this to configure SAML SSO.

curl https://idp.3pm.app/api/saml/metadata

Response: XML document containing Entity ID, SSO endpoints, and X.509 certificate.

GET/POST /api/saml/sso

Single Sign-On endpoint. Receives SAML AuthnRequest from Service Providers.

GET (HTTP-Redirect Binding):

GET /api/saml/sso?SAMLRequest={deflated-base64}&RelayState={optional-state}

POST (HTTP-POST Binding):

POST /api/saml/sso
Content-Type: application/x-www-form-urlencoded

SAMLRequest={base64-encoded}&RelayState={optional-state}

GET/POST /api/saml/slo

Single Logout endpoint (optional). Handles logout requests from Service Providers.

Attribute Mapping

SAML assertions include user attributes that Service Providers use to identify and provision users.

Default Attributes

Attribute | Value | Description
NameID | user.email | Primary identifier (usually email)
email | user.email | User's email address
firstName | user.firstName | User's first name
lastName | user.lastName | User's last name

NameID Formats

Supported NameID formats for identifying users:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
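The attribute mapping and NameID formats above, together with the assertion lifetime (SAML_ASSERTION_LIFETIME_SECONDS) and the replay protection mentioned under Secure Assertions, as an added example written for this guide and not 3PM Auth's own code: it builds an unsigned assertion from a user record and an SP registration, then validates it the way a Service Provider should, checking issuer, validity window, audience, InResponseTo, recipient and a replay cache keyed on the assertion ID. SAMPLE_USER, SAMPLE_SP, the `attributeMappings` key shape, FIXED_NOW and the helper names are constructed for this example; RSA-SHA256 signing and signature verification happen around these steps and are not shown.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("saml", SAML)

# Default mapping from this page: user field -> SAML attribute name. An SP's
# "attributeMappings" (assumed key) overrides the attribute name for a field.
DEFAULT_MAPPING = {"email": "email", "firstName": "firstName", "lastName": "lastName"}

# Constructed sample data; not a real user or a real registration.
IDP_ENTITY_ID = "https://idp.3pm.app/saml"
SAMPLE_USER = {"id": "usr_01HZ", "email": "alice@example.com",
               "firstName": "Alice", "lastName": "Ng"}
SAMPLE_SP = {"entityId": "zoho.com",
             "acsUrl": "https://accounts.zoho.com/samlresponse/your-org",
             "nameIdFormat": NAMEID_EMAIL,
             "attributeMappings": {"firstName": "givenName"}}
FIXED_NOW = datetime(2026, 2, 1, 10, 0, 0, tzinfo=timezone.utc)


def q(tag):
    """Clark-notation tag in the SAML assertion namespace."""
    return f"{{{SAML}}}{tag}"


def iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def shift(ts, seconds):
    return ts + timedelta(seconds=seconds)


def build_assertion(user, sp, in_response_to, now, lifetime=300):
    """Unsigned <saml:Assertion> with Subject, Conditions and AttributeStatement.
    `lifetime` plays the role of SAML_ASSERTION_LIFETIME_SECONDS; signing comes after."""
    expiry = iso(shift(now, lifetime))
    a = ET.Element(q("Assertion"), {"ID": "_" + secrets.token_hex(16),
                                    "Version": "2.0", "IssueInstant": iso(now)})
    ET.SubElement(a, q("Issuer")).text = IDP_ENTITY_ID
    subject = ET.SubElement(a, q("Subject"))
    fmt = sp.get("nameIdFormat", NAMEID_EMAIL)
    # The persistent format carries an opaque stable id rather than the email address.
    value = user["id"] if fmt == NAMEID_PERSISTENT else user["email"]
    ET.SubElement(subject, q("NameID"), {"Format": fmt}).text = value
    sc = ET.SubElement(subject, q("SubjectConfirmation"), {"Method": BEARER})
    ET.SubElement(sc, q("SubjectConfirmationData"),
                  {"InResponseTo": in_response_to, "Recipient": sp["acsUrl"],
                   "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": iso(now), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(aud, q("Audience")).text = sp["entityId"]
    attrs = ET.SubElement(a, q("AttributeStatement"))
    for field, attr_name in {**DEFAULT_MAPPING, **sp.get("attributeMappings", {})}.items():
        if user.get(field) is not None:
            attr = ET.SubElement(attrs, q("Attribute"), {"Name": attr_name})
            ET.SubElement(attr, q("AttributeValue")).text = str(user[field])
    return ET.tostring(a, encoding="unicode")


class AssertionValidator:
    """Checks an SP applies after it has verified the XML signature (not shown here)."""

    def __init__(self, expected_issuer, expected_audience, expected_recipient):
        self.issuer, self.audience, self.recipient = expected_issuer, expected_audience, expected_recipient
        self.seen = {}  # assertion ID -> NotOnOrAfter; the replay cache

    def validate(self, xml, now, in_response_to):
        a = ET.fromstring(xml)
        if a.tag != q("Assertion") or a.findtext(q("Issuer")) != self.issuer:
            raise ValueError("unexpected element or issuer")
        cond = a.find(q("Conditions"))
        not_before, not_on_or_after = parse_iso(cond.get("NotBefore")), parse_iso(cond.get("NotOnOrAfter"))
        if now < not_before or now >= not_on_or_after:
            raise ValueError("assertion outside its validity window")
        if cond.findtext(f"{q('AudienceRestriction')}/{q('Audience')}") != self.audience:
            raise ValueError("audience mismatch")
        scd = a.find(f"{q('Subject')}/{q('SubjectConfirmation')}/{q('SubjectConfirmationData')}")
        if scd is None or scd.get("InResponseTo") != in_response_to or scd.get("Recipient") != self.recipient:
            raise ValueError("subject confirmation does not match this request")
        # Replay protection: each assertion ID may be consumed once within its window.
        self.seen = {i: exp for i, exp in self.seen.items() if exp > now}
        if a.get("ID") in self.seen:
            raise ValueError("replayed assertion")
        self.seen[a.get("ID")] = not_on_or_after
        name_id = a.find(f"{q('Subject')}/{q('NameID')}")
        attributes = {x.get("Name"): x.findtext(q("AttributeValue")) for x in a.iter(q("Attribute"))}
        return {"name_id": name_id.text, "name_id_format": name_id.get("Format"), "attributes": attributes}
```

The cache only needs to remember an ID until its NotOnOrAfter passes, which is why a short SAML_ASSERTION_LIFETIME_SECONDS keeps replay state small; the window check already rejects anything older. Note that `attributeMappings` renames the emitted attribute (here `firstName` becomes `givenName`), while the NameID value is chosen by the registered format rather than by a mapping.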

Zoho Creator Example

Step-by-step guide for integrating Zoho Creator with 3PM Auth SAML SSO.

1. Get IdP Information

Download the IdP metadata or note these values:

Entity ID | {YOUR_DOMAIN}/saml
SSO URL | {YOUR_DOMAIN}/api/saml/sso
Certificate | Download from /api/saml/metadata

2. Configure Zoho

In Zoho Admin Console → Security → SAML Authentication:

  • Enter the Entity ID from 3PM Auth
  • Enter the SSO URL (Login URL)
  • Upload the 3PM Auth certificate
  • Set NameID format to emailAddress
  • Enable SAML authentication

3. Register Zoho in 3PM Auth

In 3PM Auth Dashboard → SAML Service Providers → Add:

{
  "name": "Zoho Creator",
  "entityId": "zoho.com",
  "acsUrl": "https://accounts.zoho.com/samlresponse/your-org",
  "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "enabled": true
}

4. Test the Integration

Verify SSO is working:

  • Go to your Zoho Creator app login page
  • Click "Sign in with SSO" or your custom domain login
  • You should be redirected to 3PM Auth
  • Authenticate using your preferred method
  • After authentication, you'll be redirected back to Zoho, logged in

Success! Users can now log into Zoho Creator using their 3PM Auth credentials.

SAML 2.0 IdP Documentation - February 2026