SAML Overview
As an alternative to using MX’s SSO API to generate single-sign-on URLs, partners can use SAML to provide authentication information to MX and load widgets for their users. The partner must have a SAML 2.0-compliant server set up (the identity provider) and must provide MX with:
- The certificate to be used to decrypt the SAMLResponse data
- The certificate fingerprint
- The hashing algorithm used
MX supports the following hashing algorithms:
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
The partner must initiate the login by sending users to their identity provider. The identity provider will then POST a valid SAML assertion to https://int-app.moneydesktop.com/login/{client_id}. The SAML assertion must pass a current user_id as the SAML nameid attribute so that MX can identify which user should be logged in.
The user must be created in advance of initiating a SAML login. The SAML process will not create new users.
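The gate a service provider would run on the POSTed SAMLResponse before the signature itself is verified, as an added Python example that is not MX's code: it rejects any signature algorithm outside the three URIs listed above, pins the certificate embedded in the response to the fingerprint registered with MX, and returns the nameid that MX maps to user_id. The sample response, certificate bytes and user id are constructed for the example, and the XML-DSig signature verification is assumed to follow in a signature library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Signature algorithm URIs MX accepts (the three listed on the page).
ALLOWED_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(saml_response_b64: str, expected_fingerprint: str) -> str:
    """Enforce the algorithm allow-list and the pinned certificate fingerprint
    (SHA-256 of the DER) on a base64 SAMLResponse and return its NameID.
    Raises ValueError on any mismatch; the XML-DSig check runs after this gate."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    if sig is None:
        raise ValueError("missing or unsigned assertion")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm", "") if method is not None else ""
    if alg not in ALLOWED_ALGORITHMS:
        raise ValueError(f"signature algorithm not allowed: {alg!r}")
    cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    fingerprint = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()
    if fingerprint != expected_fingerprint.replace(":", "").lower():
        raise ValueError("embedded certificate does not match the pinned fingerprint")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id

# Constructed stand-ins: a byte string plays the IdP certificate DER, and the
# sample response carries a placeholder SignatureValue (only the gate is tested).
FAKE_CERT_DER = b"constructed stand-in for the IdP certificate DER"
FAKE_FINGERPRINT = hashlib.sha256(FAKE_CERT_DER).hexdigest()

def build_sample_response(algorithm: str, user_id: str = "USR-1001") -> str:
    """Return a base64 SAMLResponse shaped like what the IdP POSTs to /login/{client_id}."""
    cert = base64.b64encode(FAKE_CERT_DER).decode()
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" Version="2.0"><saml:Assertion Version="2.0">'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{algorithm}"/>'
           f'</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
           f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>'
           f'</ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject>'
           f'<saml:NameID>{user_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Running the gate before any cryptographic work means a response that names rsa-sha1 or carries an unexpected certificate is dropped without ever reaching the signature library.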