Configuring a SAML2 Authentication Provider

Simplelists supports SAML2 as an Authentication Provider. There are two parts to the configuration:

  1. Creating a Simplelists Authentication Provider
  2. Configuring your Identity Provider (IdP)

The following describes the creation and configuration of the Simplelists’ Authentication Provider

Create an Authentication Provider

  1. Log into your Simplelists instance as the administrator Simplelists Administrator Dashboard
  2. From the left menu click general settings Simplelists Acccount Settings
  3. Under the Account Settings click the Authentication tab Simplelists Authentication
  4. Click Add Authentication... button Simplelists Add Authentication Provider
  5. Enter a unique Name
  6. Ensure that the Type is set to SAML2
  7. Click Add

Configure the Authentication Provider

  1. Under the Account Settings click the Authentication tab Simplelists Authentication
  2. Click the Name of the Authentication provider you created Simplelists Edit Authentication Provider

Select Unique or Default URLs

This option selects whether your IdP points to a unique URL versus a default URL for the Entity ID or Reply URL.

Strictly speaking, there is no difference between the default versus unique URLs. However, unique URLs allows more flexibility should you need to have multiple Simplelist instances served by your IdP.

The unique URL should probably be chosen.

Set the Attributes


The user attribute values entered for the following must match the values provided in the SAML2 assertion (and the attribute names you configure in the Identity Provider’s (IdP’s) configuration). These values are used to automatically update the user’s name.

Click the Use default button to enter a default value that is often provided by IdPs.

Enter Attribute names for

  1. User attribute for first name (optional)
  2. User attribute for surname (optional)


For your initial configuration do not configure a group

The group attribute is used to find the groups that may be passed from the Identity Provider via the SAML2 assertion.

Click the Use default button to enter a default value that is often provided by IdPs.

Enter the Attribute for groupname (optional)

Domain suffix for usernames (optional)

The user’s email domain can be used to find the proper authentication provider to be used for IdP initiated login. This is optional and the unique URL is recommended instead.

Values required for the IdP configuration

The following items will be required to configure the IdP

  1. RelayState for IdP Initiated login
  2. Simplelists XML File
  3. Simplelists Certificates


The RelayState value can be used in the IdP configuration as the default value sent to Simplelists during an IdP initiated login.

If the IdP sends a RelayState value during the IdP initiated login this value is verified to determine that it matches the value configured in Simplelists.

Download Simplelists XML File

Many IdPs allow uploading a metadata xml from the application to provide the proper configuration settings.

Note: some IdPs may have problems uploading signed metadata files. De-select Sign Metadata? if you have issues uploading Simplelists’ metadata to your IdP.

  1. Click the Download XML file button
  2. Save the saml.xml file so it can be uploaded to the IdP.

Simplelists Certificates

Simplelists signs the SAML2 AuthnRequest. The IdP can verify that the received AuthnRequest was signed by Simplelists.

  1. Click the Download Signing Certificate button
  2. Save the simplelists.cer file so it can be uploaded to the IdP.

Upload IdP values

Simplelists requires two Identity Provider files to be uploaded to the Authentication provider. These need to be downloaded from your IdP.

  1. SAML Metadata XML file
  2. CA certificate (optional)

Example values

Field Name Value
User attribute for first name (optional)
User attribute for surname (optional)
Attribute for groupname (optional)
Domain suffix for usernames (optional)

Simplelists Optional Configuration

Simplelists - Create Automatic user creation

Get everything else working first then decide if you want to implement this.

For IdP initiated login you can choose to have users automatically created. Simplelists uses "Automatic user creation groups" to assign user permissions. If no groups are provided you can create the user in Simplelists first and assign security there.

  1. Open the Authentication Settings that you created above Simplelists Account Settinigs
  2. Set the Attribute for groupname (optional)
  3. Click the Add Group Button

Create the Automatic user creation group

    Simplelists Add Groups
  1. Enter a free form description (It will appear on the Authentication Provider Page)
    • Billing Manager
  2. Enter the SSO Group Name (that will be sent by Azure)
    • SimpleLists-Billing Manager
  3. Select the Account Permissions
  4. Click Create

Note: that the created groups are listed under the Existing groups and show the description not the SSO group name. The SSO group name (required to match Azure’s groups) can be viewed by clicking on the group name.

Warning: Any user logging in will be deleted if you have a value in the Attribute for groupname (optional) field but the SAML assertion does not include a list of groups, defined by the attribute, that match a group defined in the groups list.

Note: SimpleLists group permissions are additive. That is, if a user is a member of multiple groups that assign different permissions, the user is assigned ALL the permissions assigned by the individual groups.

Set simplelists user to use the SAML Provider

The authentication method is by user.  You will need to set the authentication method for each user that thou want to use SAML

    Shows Simplelists Dashboard
  1. Click manage users from the left had menu
  2. Select the User(s) that you want to modify Shows Simplelists Modify User Authentication Type
  3. From the Authentication type menu select your ADFS SAML Provider that you set up earlier
  4. Click Update to save the user