Custom SAML 2.0 Integration
Connect any SAML 2.0 compatible identity provider to SecurePie. This guide covers the technical requirements for custom integrations.
SecurePie Service Provider Details
Configure your Identity Provider with the following SecurePie (Service Provider) details:
Entity ID (Audience)
https://securepie.com/saml/YOUR_ORG_ID
ACS URL (Reply URL)
https://securepie.com/saml/acs/YOUR_ORG_ID
Single Logout URL
https://securepie.com/saml/slo/YOUR_ORG_ID
Name ID Format
emailAddress
SP Metadata XML
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://securepie.com/saml/YOUR_ORG_ID">
  <SPSSODescriptor AuthnRequestsSigned="true"
                   WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://securepie.com/saml/acs/YOUR_ORG_ID"
        index="0"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://securepie.com/saml/slo/YOUR_ORG_ID"/>
  </SPSSODescriptor>
</EntityDescriptor>
Replace YOUR_ORG_ID with your actual SecurePie organization ID from the dashboard.
Required Attribute Mapping
Your Identity Provider must include these attributes in the SAML assertion:
// Required SAML Attributes
Attribute Name   Description                 Example Value
─────────────────────────────────────────────────────────────────────────
email            User's email address        user@example.com
firstName        User's first/given name     John
lastName         User's last/family name     Doe

// Optional Attributes
department       User's department           Sales
groups           Group memberships (array)   ["admin", "wholesale"]
phone            Phone number                +1-555-123-4567
customerTags     Shopify customer tags       ["vip", "b2b"]
Important Note
Attribute names are case-sensitive. Use lowercase names exactly as shown: email, firstName, lastName
Identity Provider Requirements
Supported Bindings
- HTTP-POST (required for ACS)
- HTTP-Redirect (supported for AuthnRequest)
- HTTP-POST for SLO (optional)
Signature Requirements
- RSA-SHA256 (recommended)
- RSA-SHA1 (supported, not recommended)
- Signed assertions required
Certificate Requirements
- X.509 certificate in PEM format
- RSA 2048-bit or higher
- Valid (not expired) certificate
Assertion Requirements
- Signed assertion
- Valid time conditions (NotBefore, NotOnOrAfter)
- Audience restriction matching Entity ID
Troubleshooting Common Issues
Invalid Signature
Possible causes:
- Certificate mismatch between IdP and SecurePie
- Certificate has expired
- Signature algorithm mismatch (SHA-1 vs SHA-256)
Solution: Re-download the IdP certificate and re-upload to SecurePie. Ensure both sides use SHA-256.
Invalid Audience
Possible causes:
- Entity ID in assertion doesn't match SecurePie configuration
- Trailing slash mismatch
Solution: Verify the Entity ID exactly matches: https://securepie.com/saml/YOUR_ORG_ID
Invalid Destination
Possible causes:
- ACS URL mismatch
- HTTP vs HTTPS mismatch
Solution: Ensure ACS URL is exactly: https://securepie.com/saml/acs/YOUR_ORG_ID
Missing Required Attribute
Possible causes:
- IdP not sending required attributes
- Attribute name mismatch (case sensitivity)
Solution: Verify your IdP sends email, firstName, and lastName attributes with exact naming.
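The checks behind the troubleshooting entries above can be run locally against a decoded SAML response before contacting support. The script below is an added example, not SecurePie code: the function name preflight, the sample response and the organization ID ORG123 are constructed for illustration, and it inspects the response without verifying its signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BASE = "https://securepie.com/saml"
# Constructed sample (placeholder org "ORG123"): trailing slash on the
# audience, SHA-1 signature method, and "FirstName" in the wrong case.
SAMPLE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://securepie.com/saml/acs/ORG123"><a:Assertion>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod
 Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
<a:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<a:AudienceRestriction><a:Audience>https://securepie.com/saml/ORG123/</a:Audience></a:AudienceRestriction>
</a:Conditions><a:AttributeStatement><a:Attribute Name="email"/>
<a:Attribute Name="FirstName"/><a:Attribute Name="lastName"/>
</a:AttributeStatement></a:Assertion></Response>"""

def _ts(value):  # SAML instants are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def preflight(xml_text, org_id, now):
    """List problems by troubleshooting heading. Diagnostic only: the
    signature itself is NOT verified, so never use this to accept a login."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != f"{BASE}/acs/{org_id}":
        problems.append("Invalid Destination")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["No Assertion element"]
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Assertion is not signed")
    elif method.get("Algorithm", "").endswith("#rsa-sha1"):
        problems.append("RSA-SHA1 signature (not recommended)")
    audiences = [(e.text or "").strip() for e in assertion.iterfind(".//a:Audience", NS)]
    if f"{BASE}/{org_id}" not in audiences:  # exact match: no trailing slash
        problems.append("Invalid Audience")
    cond = assertion.find("a:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        problems.append("Invalid time conditions")
    names = {a.get("Name") for a in assertion.iterfind(".//a:Attribute", NS)}
    for need in ("email", "firstName", "lastName"):
        if need not in names:  # case-sensitive; report a near miss if one was sent
            sent = [n for n in names if n and n.lower() == need.lower()]
            problems.append(f"Missing Required Attribute: {need}" + (f" (sent as {sent[0]})" if sent else ""))
    return problems
```

Calling preflight(SAMPLE, "ORG123", now) with a time inside the sample's validity window reports the SHA-1 signature method, the trailing-slash audience and the miscased firstName attribute.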
SAML Debugging Tools
Use these tools to debug SAML responses during integration:
SecurePie Debug Mode
Enable debug mode in Settings → Security to see detailed SAML logs.
Browser SAML Tracer
Use the SAML-tracer browser extension to capture and decode SAML messages.
Online SAML Decoder
Decode base64 SAML responses at samltool.com to inspect assertion content.
Need Help?
Custom SAML integrations can be complex. Our team can help you configure any SAML 2.0 compatible identity provider.