Generic SAML
This document covers step two of the Single sign-on (SSO) setup process, and shouldn't be completed independently.
- Log in to your identity provider.
- Create a new application.
- Set the following on the appropriate configuration page:
  - Identifier or Audience: urn:auth0:matillion:[domain]-saml, replacing [domain] with your primary email domain, and converting any special characters to dashes. For instance, example.com would become urn:auth0:matillion:example-com-saml.
  - Reply URL or Assertion Consumer Service URL or Single sign-on URL: https://id.matillion.com/login/callback.
Note
The Relay State will be provided by Matillion later, and will be added here before testing. No other configuration should be changed at that stage.
- Ensure the attribute passed as the sub, such as the Unique User Identifier or Username, is unique and immutable for each user (for example, an employee ID), then click Save.
Note
The default value is often an email address and shouldn't be used. The value chosen here is used internally by the identity provider (as the NameID) to uniquely identify users. It's never visible in either system, and regardless of this setting, users will always sign in using their email address.
Leaving the default value in place can cause issues if it changes in the future. In that case, Matillion would treat the user as a new account, resulting in the loss of the original user profile.
Any value that is both unique to each user and guaranteed not to change can be used. Because each setup is different, Matillion cannot provide guidance on creating a unique attribute in your identity provider. However, the exact value being sent can be verified during the testing phase, before the configuration is activated and affects user logins.
- Ensure that the following attributes or claims have been mapped as follows, and add any that are missing:
  - name: User's full display name.
  - email: User's email address.
  - given_name: User's first name.
  - family_name: User's last name.
- Create a new attribute or claim named email_verified and set it to return a static value of true. This ensures that users aren't prompted to verify their email address with Matillion.
- Find and make a note of the following information from the application's settings:
  - Login URL or Sign-in URL.
  - The value set as the Identifier in step 3.
- Download the certificate in Base64 format.
- Continue the steps in Single sign-on (SSO) setup.
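The values configured above can be checked against a test login before the configuration is activated. The following Python sketch is an added example, not Matillion's code: it inspects a decoded SAML assertion that you captured from your own test sign-in and reports settings that differ from this page. It assumes the attributes are sent under the exact names listed above and that "special characters" means any character other than letters and digits; it does not verify the signature, and the sample assertion is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://id.matillion.com/login/callback"
REQUIRED = ("name", "email", "given_name", "family_name", "email_verified")

def expected_audience(domain):
    # Assumption: "special characters" = anything other than letters and digits.
    return "urn:auth0:matillion:%s-saml" % re.sub(r"[^A-Za-z0-9]", "-", domain.lower())

def check_assertion(xml_text, domain):
    """List problems in a decoded assertion. Does NOT verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:Audience", "", NS).strip()
    if audience != expected_audience(domain):
        problems.append("audience mismatch: %r" % audience)
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the Matillion callback URL")
    name_id = root.findtext(".//saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("NameID missing")
    elif "@" in name_id:
        problems.append("NameID looks like an email address")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append("attribute missing or empty: " + name)
    if attrs.get("email_verified", "true").lower() != "true":
        problems.append("email_verified must be the static value true")
    return problems

def sample(name_id, audience):  # constructed assertion, not a captured one
    values = {"name": "Ada Example", "email": "ada@example.com", "given_name": "Ada",
              "family_name": "Example", "email_verified": "true"}
    attrs = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>%s'
                    '</saml:AttributeValue></saml:Attribute>' % kv for kv in values.items())
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>%s</saml:NameID>'
            '<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="%s"/>'
            '</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
            '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion>'
            % (NS["saml"], name_id, ACS_URL, audience, attrs))

if __name__ == "__main__":
    print(check_assertion(sample("E12345", expected_audience("example.com")), "example.com"))
    print(check_assertion(sample("ada@example.com", "urn:wrong"), "example.com"))
```

An empty list means the assertion matches the settings on this page; an email-shaped NameID is reported because it is the default value the note above says not to use.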