SAML Identity Provider as a Service

Easy. Secured. Trusted. Inexpensive.

Get started for free now


SAML stuff

Supported attributes

The following SAML attributes are supported for all Identity Providers:

  • sn (urn:oid:

    Contains the user's surname.

  • givenName (urn:oid:

    Contains the user's given name.

  • displayName (urn:oid:2.16.840.1.113730.3.1.241)

    Name of the person in a form the user (or his or her organization) probably wants to be shown.

  • mail (urn:oid:0.9.2342.19200300.100.1.3)

    Preferred address for the "to:" field of email to be sent to this person. The address in this attribute cannot be assumed to represent an organizationally-assigned contact address for a user established as part of a strong identity-proofing process.

  • eduPersonPrincipalName (urn:oid:

    A single value of the form user@scope, where scope is a DNS-like subdomain representing the security domain of the user ("" or own domain of the organization added to the Identity Provider on admin page) and user is an arbitrary persistent key which unambiguously maps to a person within an organization.

  • eduPersonTargetedID (urn:oid:

    A single string value of no more than 256 characters that uniquely identifiers a user in an opaque, privacy-preserving fashion. The value will be different for a given user for each service provider to which a value is sent, to prevent correlation of activity between service providers.

  • eduPersonScopedAffiliation (urn:oid:

    Multiple values of the form value@scope, where scope is a DNS-like subdomain representing the organization or sub-organization of the affiliation ("" or own domain of the organization added to the Identity Provider on admin page) and value is one of:

    • member
    • student
    • employee
    • faculty
    • staff
    • alum
    • affiliate
    • library-walk-in

    Affiliation is a high-level expression of the relationship of the user to the university or organization specified in the scope. A user can possess many affiliations, though some values are mutually exclusive. This attribute is often made available to any service provider, and is a good way to filter or block users of a given general type. In particular, "member" is an indication that the user is somebody with relatively official standing with a university at the present time, and does not apply to guests, other temporary accounts, terminated employees, unpaid/unregistered students, and other exceptional cases.

  • schacHomeorganizationType (urn:oid:

    The type of the organization, one of the following values:

    • school
    • university
    • other
    • business

Test attribute release

Use for testing which attributes are released about a user. This is a real Service Provider, it knows all Identity Providers.

Entity Categories

Your Identity Provider supports the Research and Scholarship Entity Category
When your users access a Service Provider which has the Research and Scholarship Entity Category the following attributes are released if consent is also given:

  • eduPersonPrincipalName
  • displayName
  • mail
  • eduPersonScopedAffiliation


Your Identity Provider has a default scope under the domain. It is perfectly fine but for production usage we recommend to use a domain name that belongs to your organization. Before we start using your domain name as a scope, we verify that it exists and it is under your control. Please create a TXT record in your domain name's DNS zone with the content of the hash you can find in the IdP's edit page.

Custom Service Providers

You can add any Service Provider exclusively for your Identity Provider, without participating any federation. It is a good option for testing purposes, or if a Service Provider is not part of the federation as your Identity Provider is.

User management

Registering users

You, as an administrator, can add users one by one, or upload the information about them in a CSV file. All fields are required, and after the user is created, the username cannot be modified.


You cannot set a password for a user. When you register or activate a user, a token will be sent to the user directly by email, using whic he or she can set their password. All passwords are strongly hashed and kept securely.

Setting user status

If a user is enabled, he or she can login via the Identity Provider, if disabled, it is not allowed. A user with disabled status can be enabled again anytime, but after one year, the user is removed from the user list.

Deleting users

If you delete a user, all data except from their username gets deleted immediately and irrevocably. The username is added to an internal list of deleted user identifiers in order to prevent future reassignment.

Identity Federations

We know the following federations (approx. 8500 Service Providers). If you can't find the one you want to collaborate with, please do not hesitate to contact us.

Federation Contact URL Contact email
Algeria - ARNaai
Armenia - AFIRE
Australia - AAF
Austria - ACOnet Identity Federation (
Belgium - Belnet Federation
Brazil - CAFe Federation
Canada - CAF Federation
Chile - COFRe Federation
China - CARSI Federation
Columbia - RENATA Federation
Croatia - AAI@eduHr Federation
Czech Republic -
Denmark - WAYF Federation
Ecuador - MINGA
Estonia - TAAT Federation
Finland - Haka
France - Fédération Éducation-Recherche
Germany - DFN-AAI
Greece - GRNET Federation
Grid IDentity Pool Federation
Hungary - Federation
InCommon Federation
India - INFLIBNET Access Management Federation
Ireland - Edugate Federation
Israel - IUCC Identity Federation
Italy - IDEM federation
Japan - GakuNin Federation
Latvia - LAIFE Federation
Lithuania - LITNET FEDI Federation
Luxembourg - Federation
Macedonia - AAIEduMk
MARWAN Federation
Moldova - LEAF
Netherlands - SURFconext Federation
New Zealand - Tuakiri Federation
Norway - FEIDE Federation
Poland - PIONIER Federation
Portugal - RCTSaai Federation
RENU Identity Federation
Russia - FEDUrus Identity Federation
Singapore Access Federation (SGAF)
Slovakia - safeID
Slovenia - ArnesAAI Federation
Spain - SIR Federation
Sweden - SWAMID Federation
Switzerland - SWITCHaai Federation
UK Access Management Federation
Ukraine - PEANO Federation
Vi-SEEM Community

Contact Us

Open an issue on Github

Or the dinos can write us email as well: info [at] samlidp [dot] io

© 2017, Kitek Média Ltd.
Company Registration Number: 01-09-901519 (est. 2008)
Budapest, Laura u. 4. 1125 Hungary
+36 (20) 351 3040