# SAML (Security Assertion Markup Language)

{% hint style="warning" %}
Setting up a SAML connection is an advanced task and may require assistance from an IT professional.
{% endhint %}

You may manually configure a SAML provider for use with the TIS Platform. We recommend using [**OIDC**](/single-sign-on-sso/connection-types/openid-connect-oidc.md) if your provider supports it.

### Configuration Options

#### Display Name - *Required*

This will be displayed to your users on the TIS Platform login screen as a "**Sign in with \[Display Name]**" option. It will also be shown in the administration panel under your list of configured SSO providers.

#### Metadata XML

If your provider has supplied a metadata XML file, you may upload it here to auto-populate the provider configuration fields.

#### Entity ID or Issuer URL - *Required*

The Entity ID for your SAML provider. This is sometimes referred to as the Issuer URL.

#### Sign-On URL - *Required*

The URL to redirect your users to for login. This can be obtained from your SAML provider.

#### Signing Certificate - *Required*

The signing certificate used to verify the information passed to the TIS Platform by your provider. The certificate should be an X.509 certificate provided as a Base64 string. Do not include the starting or ending header lines (`-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`).
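
If you are entering the fields by hand rather than uploading the metadata XML, the following added example (not TIS Platform code) extracts the Entity ID, sign-on URLs and signing certificate from an IdP metadata document, returning the certificate as header-free, single-line Base64 together with a SHA-256 fingerprint you can compare against the one your provider publishes. The function names, the `idp.example.test` host and the sample metadata are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def normalize_cert(text):
    """Drop PEM header/footer lines and whitespace; return one-line Base64."""
    body = "".join(ln.strip() for ln in text.splitlines() if "-----" not in ln)
    der = base64.b64decode(body, validate=True)  # raises on non-Base64 input
    if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
        raise ValueError("decoded data is not a DER structure")
    return body

def fields_from_metadata(xml_text):
    """Return entity ID, sign-on URLs, signing cert and its SHA-256 fingerprint."""
    root = ET.fromstring(xml_text)  # only feed this metadata from your own provider
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # Keep encryption-only keys out; a KeyDescriptor without "use" also signs.
    certs = [normalize_cert(c.text or "")
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sign_on_urls": {s.get("Binding"): s.get("Location")
                         for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certificate": certs[0],
        "sha256": hashlib.sha256(base64.b64decode(certs[0])).hexdigest(),
    }

# Constructed sample: placeholder host and dummy DER-like bytes, not a real certificate.
DER_SAMPLE = b"\x30\x82\x00\x10" + bytes(range(16))
SIG_B64, ENC_B64 = (base64.b64encode(b).decode() for b in (DER_SAMPLE, b"\x30enc-key"))
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {SIG_B64[:12]}
    {SIG_B64[12:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Metadata files often list both a signing and an encryption key; pasting the encryption certificate into the Signing Certificate field is a common cause of failed signature verification, which is why the example filters on the `use` attribute.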

#### Merge Users Where Email Matches an Existing Account

We recommend **leaving this disabled**. For more details, please see [General Options](/single-sign-on-sso/general-options.md#merge-users-where-email-matches-an-existing-account).

#### First Name Attribute - *Required*

The attribute name in the SAML response that corresponds to the user's first name. A first name must be mapped in order to log in.

#### Last Name Attribute - *Required*

The attribute name in the SAML response that corresponds to the user's last name. A last name must be mapped in order to log in.

#### Employee ID Attribute

The attribute name in the SAML response that you wish to map to the Employee ID field on the TIS Training account. This is not required.

#### Email Attribute - *Optionally Required*

The attribute name in the SAML response that corresponds to the user's email. This is **not required** if your SAML Name ID is an email address. An email must be mapped in order to log in.

### Role and Group Mappings

For more information on how role and group mappings work, please see [Role and Group Mappings](/single-sign-on-sso/role-and-group-mappings.md).

For role and group mappings using SAML, we use the **SAML attributes** passed by your provider. If you are unsure what attributes are being passed, you may complete the setup of the SAML provider, then use the "**Test SSO Login**" button to review the information passed to the TIS Platform by your provider. Mappings can be updated at any time by using the "**Edit Provider**" button.

### TIS Platform Entity ID and ACS URL

Your provider may require an Entity ID and Assertion Consumer Service (ACS) URL when setting up the TIS Platform client. These are displayed after you have saved the SAML provider in the TIS Platform administration panel. If you need to view them again, please click the "**Edit Provider**" button, click "**Next**" and then "**Save**".

