To configure SAML 2.0 SSO in OutSystems 11, install the IdP Forge component, download SP metadata, register OutSystems as an enterprise app in Azure AD or Okta, and configure the IdP Connector with attribute mappings. This tutorial covers the end-to-end setup including JIT user provisioning, group-to-role mapping, and troubleshooting common SAML errors with SAML-tracer.
SAML 2.0 SSO Architecture in OutSystems
OutSystems O11 does not natively support SAML 2.0 out of the box — you configure it through the **IdP (Identity Provider) Forge component**, which acts as a SAML Service Provider (SP) and bridges assertions from Azure AD, Okta, ADFS, or any SAML 2.0-compliant IdP into OutSystems user sessions. In ODC, SAML and OIDC are built-in features configured entirely in ODC Portal without any Forge components. This tutorial focuses on the O11 path first, with ODC differences noted at each relevant step. Once SSO is configured, OutSystems uses Just-In-Time (JIT) provisioning to create or update user records automatically on first login, and you can map IdP group attributes to OutSystems Roles for automatic authorization.
Prerequisites
- OutSystems 11 environment with IT Manager or Administrator access to Service Center
- Azure AD Global Administrator access OR Okta Administrator access (to register the app)
- Forge account to install the IdP component (forge.outsystems.com)
- SAML-tracer browser extension installed (Firefox/Chrome) for debugging
- Your OutSystems environment base URL (e.g., https://myenv.outsystems.net)
Step-by-step guide
Install the OutSystems IdP Forge Component (O11)
Install the OutSystems IdP Forge Component (O11)
Open your browser and go to **forge.outsystems.com**. Search for **IdP** (by OutSystems). Click **Install** → select your environment → confirm installation. Once installed, open **Service Studio** → click **Open Application** → open **IdP** application. Publish the IdP module if prompted (1-Click Publish button, top center). After publishing, go to your environment URL and navigate to `/IdP/IdPPortal` to confirm the IdP portal loads without errors.
Expected result: The IdP Portal is accessible at `/IdP/IdPPortal`. You see a dashboard with tabs: SP Metadata, IdP Connectors, and Users.
Download the OutSystems SP Metadata
Download the OutSystems SP Metadata
In the IdP Portal (`/IdP/IdPPortal`), click the **SP Metadata** tab. Click **Download SP Metadata XML**. This XML file contains: - **Entity ID** (your OutSystems SP identifier, e.g., `https://myenv.outsystems.net/IdP`) - **ACS URL** (Assertion Consumer Service URL — where the IdP posts the SAML response) - **Signing certificate** (public key OutSystems uses to verify signed assertions) Save this file — you will upload it to Azure AD or Okta in the next step.
Expected result: A valid XML file is downloaded containing the EntityDescriptor, SPSSODescriptor, and X509Certificate elements.
Register OutSystems as an Enterprise App in Azure AD (or Okta)
Register OutSystems as an Enterprise App in Azure AD (or Okta)
**For Azure AD:** 1. Go to **Azure Portal** → Azure Active Directory → Enterprise applications → New application → **Create your own application** → name it (e.g., `OutSystems SAML SSO`) → select 'Integrate any other application you don't find in the gallery' → Create. 2. Go to **Single sign-on** → select **SAML**. 3. Click **Upload metadata file** → upload the SP Metadata XML from step 2. 4. Azure auto-populates Entity ID and Reply URL (ACS). Verify they match your SP Metadata. 5. Under **Attributes & Claims**: map `user.mail` → `Email`, `user.displayname` → `Name`, `user.userprincipalname` → `Username` (or match your OutSystems user attribute configuration). 6. Download the **Federation Metadata XML** — you will import this into the IdP component. **For Okta:** 1. Go to Okta Admin → Applications → Create App Integration → SAML 2.0. 2. Set Single sign-on URL = your ACS URL from SP Metadata. 3. Set Audience URI = your Entity ID. 4. Add attribute statements: email → user.email, name → user.displayName. 5. On the Sign On tab, click **View SAML setup instructions** and copy the IdP metadata URL.
Expected result: Azure AD or Okta shows the enterprise app as configured with SAML. You have the IdP's federation metadata XML or URL ready for import into OutSystems.
Configure the IdP Connector in the IdP Portal
Configure the IdP Connector in the IdP Portal
Return to the OutSystems IdP Portal (`/IdP/IdPPortal`). Click **IdP Connectors** → **Add IdP Connector**. Fill in: - **Name**: Azure AD (or Okta) - **Type**: SAML 2.0 - **Metadata**: paste the IdP Metadata URL (Azure: federation metadata URL) OR upload the downloaded XML - **Username Attribute**: the SAML attribute name that maps to OutSystems username (e.g., `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` for Azure AD) - **Email Attribute**: same value for Azure AD default config - **Auto-provision Users**: Yes (creates OutSystems user on first login) Save. The portal shows a summary with the IdP Entity ID, Single Sign-On URL, and certificate fingerprint.
1/* Azure AD — common attribute claim URIs */2Username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress3Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress4Name: http://schemas.microsoft.com/identity/claims/displayname56/* Okta — attribute names are shorter and configurable */7Username: email8Email: email9Name: nameExpected result: The IdP Connector shows Status: Active and the IdP metadata is successfully parsed showing the IdP Entity ID and SSO URL.
Configure Your OutSystems App to Use SSO
Configure Your OutSystems App to Use SSO
In **Service Studio**, open your application module. Navigate to **Data tab → Site Properties**. Look for a Site Property named `IdP.Connector` (created by the IdP component dependency). Set its **Default Value** to the name of your IdP Connector created in step 4. Alternatively, go to **Service Center** → Factory → Modules → your module → Site Properties → set `IdP.Connector` to your connector name per environment (Dev, QA, Production can have different IdPs). In your login screen Client Action (or in the Users module configuration), replace the standard login logic with a redirect to the IdP SSO URL: Action flow: Start → Navigate to GetLoginUrl() result → End The IdP Forge component exposes a `GetLoginUrl` Server Action — call this and redirect the user to its output URL to initiate the SAML flow.
1/* Server Action flow to initiate SSO */2/* Logic tab → Server Actions → YourLoginAction */34Start5→ GetLoginUrl (IdP component action)6 Input: RelayState = EncodeUrl(ReturnURL)7→ Assign SSOUrl = GetLoginUrl.LoginUrl8→ Navigate External: SSOUrl9→ EndExpected result: Clicking Login on your OutSystems app redirects to the Azure AD or Okta login page. After authenticating with corporate credentials, the user is redirected back to OutSystems and logged in automatically.
Map IdP Groups to OutSystems Roles (Optional but Recommended)
Map IdP Groups to OutSystems Roles (Optional but Recommended)
To automatically grant OutSystems Roles based on IdP group membership, configure group-to-role mapping in the IdP Portal. 1. In Azure AD, add a Group Claims attribute to your SAML app: Attributes & Claims → Add a group claim → select Security groups → set Source attribute to `sAMAccountName` or `Group ID`. 2. In the OutSystems IdP Portal → IdP Connectors → your connector → **Role Mapping** tab → Add mapping: - Attribute Name: `groups` (or the claim name Azure AD sends) - Attribute Value: the group GUID or sAMAccountName - OutSystems Role: `Manager` (select from dropdown) 3. Repeat for each group-role mapping. Now users in the Azure AD `Managers` group automatically receive the `Manager` OutSystems Role on login.
Expected result: After a test login by a user in the mapped Azure AD group, their OutSystems account shows the corresponding Role assigned in Service Center → Users.
Troubleshoot Common SAML Errors
Troubleshoot Common SAML Errors
**Common errors and fixes:** **'Invalid SAML Response' or blank page after IdP redirect:** Use SAML-tracer to capture the response. Decode the SAMLResponse base64 field. Check that the Recipient URL in the response matches your ACS URL exactly (including trailing slash). **'User not found' after SAML authentication:** The username attribute in the assertion doesn't match any OutSystems user and auto-provisioning is disabled. Enable Auto-provision in the IdP Connector or create the user manually first. **'Signature validation failed':** The IdP's signing certificate has changed (common after certificate rotation). Re-download the IdP metadata and re-import it into the IdP Connector. **Clock skew errors:** SAML assertions include NotBefore/NotOnOrAfter timestamps. If the OutSystems server clock is more than 5 minutes out of sync with the IdP clock, assertions are rejected. Sync NTP on the OutSystems server.
Expected result: After resolving the identified error, end-to-end SSO flow completes: user clicks Login → redirected to IdP → authenticates → redirected back to OutSystems → session created → user lands on the destination screen.
Complete working example
1/* ============================================================2 OutSystems O11 SSO Login — Server Action Pattern3 Using IdP Forge Component4 ============================================================ */56/* Server Action: InitiateSSOLogin7 Input Parameters:8 - ReturnURL (Text) — screen to return to after login910 Output Parameters:11 - RedirectURL (Text) — SSO login URL to navigate to12*/1314/* Action Flow */15Start16→ GetLoginUrl17 /* IdP component Server Action */18 RelayState = EncodeUrl(ReturnURL)19→ Assign20 RedirectURL = GetLoginUrl.LoginUrl21→ End222324/* Client Action: OnLoginButtonClick25 Calls the server action above and redirects */2627Start28→ InitiateSSOLogin29 ReturnURL = GetOwnerURLPath()30→ Navigate External31 URL = InitiateSSOLogin.RedirectURL32→ End333435/* ============================================================36 SAML Attribute Claim URIs — Azure AD Reference37 ============================================================ */3839/*40 Email / Username:41 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress4243 Display Name:44 http://schemas.microsoft.com/identity/claims/displayname4546 Given Name:47 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname4849 Surname:50 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname5152 Groups (when group claims enabled):53 http://schemas.microsoft.com/ws/2008/06/identity/claims/groups54*/555657/* ============================================================58 ODC — Native OIDC Configuration (no code required)59 Configured entirely in ODC Portal:60 ODC Portal → Authentication → External Providers → Add Provider61 Provider Type: OpenID Connect or SAML 2.062 Required fields: Issuer URL, Client ID, Client Secret63 ============================================================ */Common mistakes
Why it's a problem: Uploading IdP metadata as a static XML file instead of providing the metadata URL, causing silent failures when the IdP rotates its signing certificate.
How to avoid: Configure the IdP Connector with the federation metadata URL (e.g., Azure AD's `https://login.microsoftonline.com/{tenantId}/federationmetadata/2007-06/federationmetadata.xml`) so certificate changes are picked up automatically.
Why it's a problem: Mismatched ACS URL between what OutSystems publishes in SP Metadata and what is registered in the IdP, causing 'Recipient URL mismatch' SAML errors.
How to avoid: Copy the ACS URL directly from the IdP Portal's SP Metadata tab and paste it verbatim into the IdP's SAML configuration — do not type it manually.
Why it's a problem: Setting up SSO in the Development environment using a production IdP app, then being surprised when SAML responses fail in QA because the ACS URLs differ.
How to avoid: Create separate enterprise app registrations in Azure AD or Okta for each OutSystems environment (Dev, QA, Prod) with their respective ACS URLs.
Why it's a problem: Forgetting to configure the Single Logout (SLO) URL, leaving users authenticated at the IdP after logging out of OutSystems — a security risk in shared computer environments.
How to avoid: In the IdP Portal, configure the Logout URL and in your OutSystems logout logic call the IdP component's `Logout` Server Action rather than just clearing the OutSystems session.
Best practices
- Always import IdP metadata by URL rather than file upload so certificate rotations are picked up automatically without manual re-configuration.
- Configure per-environment IdP Connectors via Site Properties in Service Center so Dev, QA, and Production can point to different IdP apps (useful for testing without affecting production users).
- Enable auto-provisioning to avoid manual user creation, but set a default role that is safe (e.g., ReadOnly) — never default new SSO users to Admin.
- Test SAML flows with SAML-tracer before going to production; most SSO issues are attribute mapping mismatches visible only in the raw assertion XML.
- Handle the logout flow explicitly: call the IdP component's Logout action which generates a SAML Single Logout (SLO) request — without this, users remain logged in at the IdP even after OutSystems session ends.
- Monitor certificate expiry dates for both the IdP signing certificate and the SP certificate — schedule calendar reminders at 60 and 30 days before expiry.
- In ODC, use OIDC instead of SAML when your IdP supports it — OIDC is simpler to configure and more resilient to clock skew issues.
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm configuring SAML 2.0 SSO for an OutSystems 11 application using the IdP Forge component. My IdP is Azure AD. Walk me through: (1) installing and accessing the IdP Portal, (2) downloading the SP Metadata and registering OutSystems as an Enterprise App in Azure AD, (3) configuring the IdP Connector with the correct Azure AD claim URIs for username and email, (4) initiating the SSO redirect from my OutSystems login screen using GetLoginUrl(), and (5) mapping Azure AD security groups to OutSystems Roles. What are the most common SAML errors and how do I debug them with SAML-tracer?
In my OutSystems 11 application, I need to replace the standard login with Azure AD SSO using SAML 2.0. The IdP Forge component is already installed. Help me: configure the IdP Connector with Azure AD's federation metadata URL, set the correct attribute URIs for email and display name, update my Login Client Action to call GetLoginUrl() and redirect to the SSO URL, and set the ReturnURL so users land on the correct screen after authentication. Also show me how to test this using SAML-tracer.
Frequently asked questions
Does OutSystems support SAML 2.0 without the Forge component?
In OutSystems 11, native SAML 2.0 is not built in — you need the IdP Forge component. In ODC, SAML 2.0 and OIDC are built-in features configured directly in ODC Portal under Authentication → External Providers, with no Forge component required.
Can I use SAML SSO alongside traditional username/password login in the same OutSystems app?
Yes. The IdP component supports mixed authentication. You can present users with a choice: SSO login button (which calls GetLoginUrl()) and a standard credentials form. Both authentication methods can coexist; users provisioned via SSO can also have passwords set for fallback access.
What happens to existing OutSystems users when SAML SSO is enabled?
Existing users continue to work unless you explicitly disable password authentication. When an existing user logs in via SSO for the first time, the IdP component matches their account by the configured username attribute (usually email). If auto-provisioning is enabled and no match is found, a new account is created.
How do I test SAML SSO in the Development environment without affecting production users?
Create a separate Enterprise Application in Azure AD (or a separate Okta app) for your Development environment with its own ACS URL pointing to your dev environment. Configure a separate IdP Connector in the Development IdP Portal pointing to this dev app. Use a test Azure AD tenant or Okta sandbox if available to completely isolate dev SSO testing.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation