Creating SaaS Application (SAML IdP)

The Safous ZTNA service has a unique feature that lets customers create an authentication federation for all IdPs that are integrated with the Safous ZTNA service. This feature is named SaaS App, and it acts as the SAML IdP when conducting SSO with Service Providers. It is also helpful for connecting to SaaS applications, where it allows very easy SaaS SSO operation using the Safous ZTNA IdP as the only IdP for conducting the SSO.

To create a SaaS application, you need an admin user to configure your environment, including adding applications. Please check the KB articles below about Admin access:



  1. login to
  2. Go to the Settings tab > ZTNA
  3. In Application, choose SaaS
  4. Click New SaaS; it will expand multiple fields to be filled in for the new application

    1. Fill in the Name, which is a required field and must be unique among applications
    2. Site is required; by default it uses "all", which you can leave as is, but for a multisite deployment it is recommended to choose the correct site based on the application's location
    3. Domain is required, but it shows the default domain that your tenant is currently registered with
    4. ACS URL is a required value: the URL endpoint on the service provider (SP) to which the identity provider redirects with its authentication response
    5. Entity ID is required; it is the unique identifier of the intended audience of the SAML assertion. This is usually the SP Entity ID of the application as defined in the service provider metadata file under entityID
    6. Relay State is also a required value; with it the SP can send a value to the IdP together with the authentication request and then get the same value back. Relay State is used by the IdP to signal to the SP which URL the SP should redirect to after successful sign-on
    7. Encrypt SAML Assertion is disabled by default. If you enable this option, you also need to input the certificate from the SP, because it is used to encrypt the assertion for a SaaS mapping
    8. Visible toggle, where you can choose whether to make the application visible (green) in the user portal (by default it is disabled)
    9. Icon, where you can upload your preferred custom logo; otherwise a default logo is used
    10. Allow IDP-Initiated Flow is enabled by default; it is used for a SaaS mapping initiated by the IdP. You can leave this as is
    11. Use URI suffix as relay state parameter is disabled by default; it specifies whether the relay state is relative for the SaaS mapping or not
  5. Once every field has been filled in and chosen, click "Save"
  6. A success notification will then appear
  7. Once created, you can open the application settings, where you will find detailed information about the SSO URL, Issuer and Metadata, which are needed for the SAML integration on the SP
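
As an added example (not Safous code and not part of the original KB), the Python script below reads an SP metadata file and extracts the values the form asks for: Entity ID, ACS URL and, for Encrypt SAML Assertion, the SP encryption certificate. The sample metadata, sp.example.com, the function name saas_form_values, the preference for the HTTP-POST binding and the https check on the ACS URL are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: sp.example.com and the certificate text are placeholders.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def saas_form_values(metadata_xml):
    """Return the Entity ID, ACS URL and encryption certificate from SP metadata."""
    # Refuse DTDs so entity declarations in a supplied file are never parsed.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not allowed in SP metadata")
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if not entity_id or sp is None:
        raise ValueError("entityID or SPSSODescriptor missing")
    # Assumption: the SP takes the response over HTTP-POST; prefer isDefault, then lowest index.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    acs_url = acs[0].get("Location", "")
    if urlparse(acs_url).scheme != "https":
        raise ValueError("ACS URL is not https: %r" % acs_url)
    cert = sp.findtext("md:KeyDescriptor[@use='encryption']//ds:X509Certificate",
                       namespaces=NS)
    return {"entity_id": entity_id, "acs_url": acs_url,
            "encryption_cert": cert.strip() if cert else None}
```

The returned entity_id and acs_url go into the Entity ID and ACS URL fields; encryption_cert is only needed when Encrypt SAML Assertion is enabled.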