You are currently viewing the new Anvil Editor Docs.
Switch to the Classic Editor Docs
You are currently viewing the Classic Editor Docs.
Switch to the new Anvil Editor Docs

Configuring your SAML Authentication

Configuring your Anvil app with your identity provider’s details

Under Step 1 in the SAML Authentication service, you’ll be able to configure your app with your identity provider’s details.

Location of the Identity Provider configuration in the SAML Authentication service

These details will be available from your chosen identity provider. A common way for these to be provided is as an XML metadata file, but many identity providers will also supply them individually.

Entity ID

If your identity provider doesn’t supply this explicitly, it can be found within the XML metadata file as the entityID. It may begin with urn:, or simply be a URL.


This can be found within the identity provider’s XML metadata as Location within the SingleSignOnService tag. If your identity provider gives you the option to choose between a Single-Sign-On URL with an HTTP-POST binding and one with an HTTP-Redirect binding, choose the one with the HTTP-Redirect binding.

Signing Certificate

The X509 signing Certificate supplied by your identity provider. It will be available within the metadata as X509Certificate.

Email Attribute

Anvil expects your Identity Provider to supply an email address in the returned XML during authentication. The email address will then will automatically be extracted it if it’s shared as one of the standard attributes, but otherwise you can enter the name of the XML attribute containing the email address in this field to ensure that it will be extracted. This field is optional.

Configuring your SAML Authentication within Anvil

Under Step 2, you’ll be able to set some options for how your SAML authentication will function in your Anvil app.

Location of the internal SAML settings in the SAML Authentication service

Share SAML Configuration with your other apps

If this is ticked, you will be able to use the SAML configuration of your current Anvil app in your other apps, to allow users to authenticate with those apps using the same SAML identity provider. Crucially, it means that the entityID of your app is shared among all your apps, and is therefore different than when this box is unticked. See Sharing SAML Credentials across Anvil apps for more detail.

Force authentication

If this is ticked, it will ensure that whenever a user is asked to authenticate, they must log in manually every time, even if (for example) they are already logged in with the identity provider in another tab.

Signature algorithm

This defaults to RSA-SHA256. It specifies which encryption algorithm will be used to encrypt the signature of the traffic between your Anvil app and your identity provider, as long as the identity provider also supports the specified algorithm.

Configuring your identity provider with your Anvil app’s details

Under Step 3, you’ll be able to access the details you need in order to configure your identity provider to accept authentication requests from your Anvil app.

The metadata can be downloaded with the Download Service Provider Metadata button, found within the SAML Authentication service section. Some identity providers will allow you to upload this metadata file directly in order to configure them. If not, your EntityID and signing certificate are also displayed explicitly immediately below the download button.

Location of the Service Provider Metadata in the SAML Authentication service

You will also need the Assertion Consumer Service URL for your app. If your app is running on Anvil’s hosted service, this URL is

If you are using Anvil Enterprise and hosting apps within your own infrastructure, please contact for help with your Assertion Consumer Service URL and general SAML configuration.

Do you still have questions?

Our Community Forum is full of helpful information and Anvil experts.