SAML SSO

Enterprise SSO with any SAML 2.0 identity provider.

Setup

1. In your IdP (Okta, Azure AD, etc.), create a new SAML application.
2. In NOBA Settings → SAML SSO:
   • Paste the IdP SSO URL and IdP Certificate (PEM) from your IdP's metadata.
   • Copy the SP Metadata URL (<noba-origin>/api/saml/metadata) into your IdP's configuration.
   • Set SP Entity ID and ACS URL (auto-filled; must match your IdP application settings).
   • Set Default role for newly provisioned SAML users (viewer recommended).
   • Optionally set Role mapping JSON to map IdP groups to NOBA roles.
3. Click Test Connection to verify IdP reachability.
4. Enable Enable SAML SSO and click Save.

Security Features

• SP-initiated flow with signed AuthnRequests (RSA-SHA256)
• Encrypted assertions supported
• C14N canonicalization prevents XML injection
• defusedxml enforced — no fallback to stdlib XML parser
• Popup-based SSO exchange pattern prevents session hijacking
• Tested with Keycloak, Okta, and Azure AD