
SSO/SAML Integration

If you are using Microsoft Entra or Google Workspace as your corporate Identity Provider, no configuration is needed to log in via OAuth2 integration. Users log in with the Continue with Google or Continue with Microsoft links on the login page.

Prevail can also integrate with any Security Assertion Markup Language Identity Provider (SAML IdP), including Microsoft Entra, Google Workspace, and Okta. SAML offers additional security and administration features, such as sharing user groups and group memberships. SAML integration requires a setup process for each enterprise. In the SAML model, Prevail serves as the Service Provider (SP), and the enterprise supplies the IdP, whether that’s internal to the enterprise or a third party such as Entra or Okta.

Obtain Your SAML Configuration File

The first step in setting up SAML integration is to prepare your SAML configuration file. While the exact details may vary slightly between IdPs, this file must contain, at a minimum, the Entity ID, X509 certificate, and endpoint URLs. Below is an example configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://accounts.google.com/o/saml2?idpid=C03m0b1w1"
                     validUntil="2026-04-15T17:13:09.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" 
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>   
          <ds:X509Certificate>
            MIIDdDCCAlygAwIBAgIyaddayaddayaddau3CTSH4YihqnkQkNhD6H9fsInau+ROtC7V
            1J/7F0gwyWJATeHsTx0 … many more lines …     ayaddanRZX92SnZZPnrWSmTF
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1"
    />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1"
    />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

For guidance on creating your SAML file, consult the documentation for your IdP. You can reference the following instructions for a few of the most popular IdPs:

Send Your SAML File to Prevail

After preparing your SAML file, forward it to the Prevail Support team to proceed with the integration setup. This file does not contain PII or private keys (the X509 certificate it carries is the IdP’s public signing certificate), so it does not need to be kept secret.
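Before sending the file, you can check that it carries the minimum contents listed above (Entity ID, X509 certificate, endpoint URLs) and nothing that should stay private. The script below is an added example, not Prevail tooling; it checks the shape of the file only and does not validate the certificate or any signature. The function name, the `idp.example` host and the placeholder certificate bytes are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_idp_metadata(xml_text, now=None):
    """Return a list of problems in an IdP metadata file (empty list = ready to send)."""
    now = now or datetime.now(timezone.utc)
    if "<!DOCTYPE" in xml_text or "PRIVATE KEY" in xml_text:  # neither belongs in metadata
        return ["contains a DTD or private key material"]
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        return ["not an EntityDescriptor with an IDPSSODescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    valid_until = root.get("validUntil")  # SAML timestamps are UTC
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.rstrip("Z")).replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("metadata expired at " + valid_until)
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("missing X509 certificate")
    for cert in certs:
        try:  # shape check only: base64 text whose bytes start with a DER SEQUENCE tag
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der.startswith(b"\x30"):
                raise ValueError("not DER")
        except ValueError:
            problems.append("X509Certificate is not base64-encoded DER (truncated?)")
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        problems.append("missing SingleSignOnService endpoint")
    for ep in endpoints:
        if not ep.get("Binding") or not ep.get("Location", "").startswith("https://"):
            problems.append("endpoint needs a Binding and an https:// Location")
    return problems

# Constructed sample: idp.example and the certificate bytes are placeholders, not real values.
CERT_B64 = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(32)).decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="https://idp.example/saml" validUntil="2026-04-15T17:13:09.000Z"><md:IDPSSODescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run `check_idp_metadata(open(path).read())` on the file exported from your IdP; an empty list means the minimum contents are present and the `validUntil` date has not passed.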

Configure Your Identity Provider

Obtain the Service Provider Metadata from Prevail

Download Prevail’s Service Provider metadata. This file contains essential information such as the ACS (Assertion Consumer Service) URI and Entity ID.

Configure the Service Provider in Your Identity Provider

  1. Create a new SAML integration in your IdP’s admin dashboard using your Entity ID/Connection ID and Assertion Consumer Service (ACS) URL. Contact Customer Success at CustomerSuccess@prevail.ai for assistance if needed.

    • Entity ID/Connection ID: https://prevail.ai/users/saml/metadata
    • Assertion Consumer Service (ACS) URL: https://prevail.ai/users/saml/auth
  2. Verify that the ACS URI and Entity ID entered in your IdP match these values. Some Identity Providers can directly consume the SP metadata file, while others may require you to manually extract information from the file and enter it into the appropriate fields. Refer to your IdP’s documentation on how to create a new SAML integration.

  3. Configure attribute mappings to align user data from your IdP with what Prevail expects. Map at least the following attributes:

    • first_name to first_name
    • last_name to last_name
    • email to email

    Note: The variable names on the left side of the mapping in your IdP dashboard may differ. Adjust the mappings based on the names used in your IdP.

Final Testing and Login

After setting up Prevail as the Service Provider and receiving confirmation from the Prevail Support team that your IdP is configured for your organization, test the integration by logging in through your IdP’s dashboard. If the SSO integration does not function as expected, contact Customer Success at CustomerSuccess@prevail.ai for assistance.

Log in Using SSO

Learn how to log in to Prevail with your organization using your enterprise credentials.