SAML 2.0 Integration Guide for z-PAX

This guide outlines the steps required to integrate your Identity Provider (IdP) with our SAML 2.0–compliant Service Provider (SP). It covers endpoint configuration, binding requirements, and expected SAML assertion content.

As part of the initial setup, the IdP must provide either a SAML metadata URL or individual SSO/SLO endpoints along with associated X.509/PEM signing certificates. After validation, we will issue a unique [idp-provider-name] identifier for your IdP. This identifier will be embedded in the ACS (Assertion Consumer Service) and metadata URLs.

To work against our development environment, simply replace all instances of api.auth.myzpax.com with sapi.auth.myzpax.com.

SP Details

Signature & Certificate Requirements

• SAML Responses must be signed

• Certificates used must:

  • Be valid and trusted (issued by a known CA or shared with our team if self-signed for dev)
  • Use a minimum of SHA-256 for signature hashing

Required Assertion Attributes

Basic User Attributes

ℹ️

The NameID should contain the user's email address with format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

user_inactivity_disable_days Attribute

This is a single-valued attribute named user_inactivity_disable_days , the value of which indicates how many days of user inactivity (i.e., no SAML login events) are allowed before the user's account should be automatically disabled.

Attribute:

Example:

<saml:Attribute Name="user_inactivity_disable_days">
  <saml:AttributeValue>
    30
  </saml:AttributeValue>
</saml:Attribute>