Not logged in - Login


Many clients want to connect to SAFE via a preferred SAML 2.0 IDP provider. SAFE does fully support any SAML 2.0 provider.

Local SAFE accounts are required for all users. You will still create users in Settings > User Admin and apply all necessary permissions to those uers. SAML connectivity simply removes the login process and passes that off to your SAML system.

Before applying the SAML settings on this page make sure your email address is the SAML as is registered in your SAML system. If the email address does not line up you will NOT be able to log in after applying the SAML settings.

Identity Provider configuration

There are many IDP SAML providers, in this example, we are going to show setup for Okta. This example should be pretty similar for most providers.

  1. Go to OKTA (or your chosen provider) admin portal of your organization and Sign In
  2. Click on “Admin” at the right top corner
  3. Go to Applications -> Applications -> Add Application -> Create New App
  4. Configure SAML settings:

    Single sign on URL =
    Audience URI (SP Entity ID) =
  5. Go to the next step
  6. On the “Sign On” tab, download “Identity Provider metadata” (it will be required for Service Provider configuration)

SAFE Configuration

  1. Go to and login with your Org Admin login
  2. Open Settings -> Organization -> Org Settings
  3. Scroll down to SAML Settings
  4. Click Edit and then set Enabled to “On”
  5. Open SAML metadata file (downloaded in previous step) in any text editor
  6. Find entityID attribute and copy-paste it’s value into IdP Name
  7. Copy-paste full content of the metadata file into IdP Metadata
  8. Enter an Org Alias. This value will be used by all users in the organization to login to the SAFE Mobile App via SAML
  9. Save changes

Now try and connect to our site via your SAML provider site.

Common Questions

  1. Q. SP Initiated / IDP initiated? A. We support both workflows
  2. Q. Is there any relay state value that will be passed along with AuthnRequest? A. No
  3. Q. What is the base URL/entityID/issuer? A.
  4. Q. What URL on the SP side will consume the SAML Assertion sent by IDP? A.
  5. Q. What value is required in the NameId for the SAML assertion? A. User email
  6. Q. What is the required format for NameID? A. Standard email format
  7. Q. Other user attributes required? If so, please forward those attribute names. A. No
  8. Q. SP-initiated flow start page? A:{organization_guid}
  9. Q. How to fix "The requested resource does not support http method 'GET'" error when attempting to sign in with Azure Active Directory? A. You should use the following SP-initiated url:{organization_guid}. Please contact Tracker support if you need your organization guid.