In your identity provider you can configure an external application with our metadata and some additional information. Typically you can find the metadata at the following link: [domain]/saml2/metadata/

When setting up SSO our preference is to user email address as the nameid of the SAML2 connection. If that's not an option use the username or employee number or some other unique identifier.

If the user cannot be found with the given identifier (email or something else) login will fail.

The SAML2 metadata file you provide is used for validating a request. The actual information of a user is packaged in the SAML2 response that we receive once a user tries to login.

When you've completed the setup in your identity provider, you can proceed to add the SSO integration to LXP. In Control go to Audience --> Integrations

To add a SAML2 integration here click the 'ADD SAML' button. You can add your metadata and you are done!
An extra login button will appear on our login screen of your LXP.

Some additional notes:

  • If the user is already logged in into your system, they are also allowed to login at LXP.

  • LXP only checks if the user is logged in correctly the side of the identity provider.

  • Complete self-service for a client if they use the SAML standard.

  • We do not have any passwords stored in LXP.

  • Only name + email address are stored in LXP.

  • It is not possible to derive any kind of group-structure from SSO only.

For Azure AD with SAML2.0

For connecting LXP to your Azure AD over SAML2.0 please follow the steps provided by Microsoft here:

For Active Directory or ADFS connections some additional information might be relevant:

ADFS is a layer on top Active Directory to communicate with the outside world. The protocol we use for that is still SAML2.

  • You receive from us the location with the metadata information: [domain]/saml2/metadata/

  • You provide us with the metadata from their newly created ADFS application. You can add this metadata to the Control > Audience > Integrations > Add SAML provider screen to enable this application from LXP perspective

  • You can test the connection from a incognito window by clicking the SSO button and signing into the ADFS login screen, afterwards we get redirected to LXP with a succesful signin if the connection is setup correctly.

    • In case of a failed login attempt, the TinQwise team needs to know the platform and username of the test user so we can troubleshoot the login information in our backoffice systems.

Did this answer your question?