Version: 1.0

SAML 2.0 Single Sign-On

SyVault supports SAML 2.0 for enterprise single sign-on, allowing your organization's members to authenticate through your existing identity provider (IdP) instead of entering a separate SyVault password. SSO is available on Business and Enterprise plans.

How SSO Authentication Works

The SyVault SAML flow follows the standard SP-initiated SAML 2.0 Web Browser SSO Profile:

  1. User clicks "Login with SSO" on the SyVault login page and enters their organization slug (e.g., acme-corp).
  2. SyVault generates a SAML AuthnRequest and redirects the user's browser to the IdP's SSO URL via an HTTP-Redirect binding.
  3. The IdP authenticates the user using whatever method is configured (password, MFA, certificate, etc.).
  4. The IdP POSTs a SAML Response to SyVault's Assertion Consumer Service (ACS) URL via an HTTP-POST binding. The response contains a signed XML assertion with the user's identity attributes.
  5. SyVault validates the SAML Response: checks the XML digital signature against the IdP's X.509 certificate, verifies the audience restriction matches the Entity ID, confirms the assertion is not expired, and ensures the InResponseTo attribute matches the original request.
  6. SyVault creates a session and the user proceeds to unlock their vault with their master password.
Note: SSO replaces the authentication step (proving who you are) but does not replace the master password. After SSO authentication, the user must still enter their master password to derive the encryption key and decrypt their vault. This preserves the zero-knowledge guarantee.

Key URLs and Identifiers

  Parameter        Value
  ACS URL          https://api.syvault.com/api/auth/saml/acs
  Entity ID (SP)   syvault:<org-slug> (e.g., syvault:acme-corp)
  Relay State      Automatically set by SyVault to redirect the user after login

The ACS URL is the same for all organizations. The Entity ID is unique per organization, using the format syvault:<org-slug>, which allows a single IdP to serve multiple SyVault organizations if needed.

SAML Response Requirements

SyVault requires the following from the SAML Response:

  • Signed Response or Signed Assertion -- at least one must carry a valid XML signature. SyVault accepts RSA-SHA256 or ECDSA-SHA256 signature algorithms.
  • NameID -- must contain the user's email address (format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
  • Audience Restriction -- must match the Entity ID exactly.
  • NotOnOrAfter / SessionNotOnOrAfter -- assertions must not be expired. SyVault allows a 5-minute clock skew tolerance.
Warning: SyVault enforces HTTPS-only IdP URLs. If your IdP metadata contains HTTP (non-TLS) endpoints, the configuration will be rejected. Ensure your IdP serves all SAML endpoints over HTTPS.

Relay State

SyVault sets the RelayState parameter in the AuthnRequest to track where the user should be redirected after successful authentication (e.g., back to the vault, to a specific shared folder, or to the admin console). The IdP must pass this value through unchanged in the SAML Response.
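Step 2 of the flow and the Relay State section above describe the SP side of the SP-initiated exchange: an AuthnRequest carried to the IdP over the HTTP-Redirect binding together with a RelayState. The following is an added example written for this page, not SyVault's implementation. It builds the AuthnRequest with the documented Issuer syvault:<org-slug> and ACS URL, applies the redirect-binding encoding (raw DEFLATE, base64, URL-encoding), and keeps the return path server-side behind an opaque RelayState token keyed to the request ID, which is what later gets matched against InResponseTo. The IdP SSO URL, return path and in-memory store are assumptions for illustration.

```python
"""Build a SAML 2.0 AuthnRequest and encode it for the HTTP-Redirect binding,
carrying an opaque RelayState. Added example, not SyVault's implementation."""
import base64
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

ACS_URL = "https://api.syvault.com/api/auth/saml/acs"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# request_id -> RelayState token and return path. Stand-in for a server-side
# store with expiry; the key is what the Response's InResponseTo must match.
PENDING_REQUESTS = {}


def new_request_id() -> str:
    # SAML IDs are xs:ID values and must not start with a digit.
    return "_" + secrets.token_hex(16)


def build_authn_request(org_slug: str, idp_sso_url: str, request_id: str,
                        issue_instant: str) -> str:
    """SP-initiated AuthnRequest. Issuer is the SP Entity ID syvault:<org-slug>;
    the IdP SSO URL is assumed to come from the stored IdP metadata."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f'<saml:Issuer>syvault:{org_slug}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{EMAIL_FORMAT}" AllowCreate="false"/>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(idp_sso_url: str, authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    if len(relay_state.encode()) > 80:  # size limit the binding places on RelayState
        raise ValueError("RelayState must not exceed 80 bytes")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits = raw deflate
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def decode_redirect(url: str):
    """Inverse of encode_redirect, i.e. what the IdP does on receipt."""
    params = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode(), params["RelayState"][0]


def start_login(org_slug: str, idp_sso_url: str, return_path: str,
                issue_instant: str):
    """Return (request_id, redirect_url). RelayState is an opaque token bound to
    the pending request; the real return path never leaves the server, so a
    tampered RelayState cannot be used to redirect the user elsewhere after login."""
    request_id = new_request_id()
    relay_state = secrets.token_urlsafe(24)
    PENDING_REQUESTS[request_id] = {"relay_state": relay_state, "return_path": return_path}
    xml = build_authn_request(org_slug, idp_sso_url, request_id, issue_instant)
    return request_id, encode_redirect(idp_sso_url, xml, relay_state)


if __name__ == "__main__":
    rid, url = start_login("acme-corp", "https://idp.example.com/sso",
                           "/vault/shared/finance", "2024-05-01T12:00:00Z")
    print(rid)
    print(url)
```

When the Response arrives at the ACS, the SP looks up the pending entry by the Response's InResponseTo, checks the returned RelayState against the stored token, and only then redirects to the stored return path. In real code issue_instant is the current UTC time formatted as xs:dateTime.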

Configuring SSO

To enable SAML SSO for your organization:

  1. Navigate to Admin Console > SSO & SCIM > SAML SSO.
  2. Enter your IdP Metadata URL or upload the IdP Metadata XML file.
  3. SyVault will auto-populate the IdP SSO URL, IdP Issuer, and X.509 certificate from the metadata.
  4. Click Save Configuration.
  5. Copy the ACS URL and Entity ID into your IdP's SAML application settings.
  6. Click Test Connection to perform a live SAML flow and verify everything works.

For step-by-step guides for specific identity providers, see: