Setting up SAML SSO with any Identity Provider
21RISK supports SAML 2.0 as a federation protocol with any standard-compliant Identity Provider — including Okta, OneLogin, PingFederate, JumpCloud, ADFS, and others.
If you are using Microsoft Entra ID, we recommend following our dedicated Entra guide instead, which includes automatic certificate management.
Prerequisites: You need Group Owner access in 21RISK and administrator access to your Identity Provider to complete this setup.
Step 1: Create a SAML connection in 21RISK
Log in to 21RISK.com and navigate to Settings → Advanced. Click "Create new SSO connection" and select SAML 2.0.
This takes you to the SAML connection detail page. In the Service Provider Configuration section, you will find two values your Identity Provider needs:
| Value | Description |
|---|---|
| ACS URL | The URL where your IdP will POST the SAML response |
| Entity ID | The identifier 21RISK uses for the SAML trust |
Copy both of these values — you will need them when configuring your Identity Provider.
Step 2: Configure your Identity Provider
In your Identity Provider's admin console, create a new SAML application (sometimes called an "SSO integration" or "SAML app"). The exact steps vary by provider, but you will need to enter:
| Field in your IdP | Value from 21RISK |
|---|---|
| ACS URL / Reply URL / Single Sign-On URL | The ACS URL |
| Entity ID / Audience / Audience URI | The Entity ID |
Name ID format: Make sure your IdP is configured to send the user's email address as the Name ID (the NameID element in the assertion's Subject; in most consoles this is the emailAddress format, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). This is how 21RISK matches SAML assertions to user accounts.
Once saved, your Identity Provider will show you the values you need to bring back to 21RISK. The names vary by provider, but you are looking for:
| What you need | Common names in IdP consoles |
|---|---|
| Entity ID / Issuer | IdP Entity ID, Issuer URL, Issuer |
| Login URL | SSO URL, Single Sign-On URL, SAML Endpoint |
| X.509 Certificate | Signing Certificate, Certificate (Base64) |
| Logout URL (optional) | SLO URL, Single Logout URL |
Step 3: Configure the Identity Provider in 21RISK
Go back to the 21RISK SAML connection page. In the SAML Identity Provider Configuration section, select Other SAML Provider as the provider type and fill in:
| Field in 21RISK | Value |
|---|---|
| Entity ID / Issuer | The Entity ID from your Identity Provider |
| Login URL | The SSO URL from your Identity Provider |
| IdP Certificate (X.509) | The signing certificate — base64 content only, without BEGIN CERTIFICATE / END CERTIFICATE |
| Logout URL (optional) | The SLO URL if your IdP supports Single Logout |
Click Save.
Certificate format: Paste only the base64-encoded certificate body. Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and any line breaks.
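As an added example (not 21RISK's code or any IdP's), the following Python script does the certificate preparation above with the checks a practitioner wants before pasting: it strips the BEGIN/END lines and all whitespace, refuses a chain (only the IdP signing certificate belongs in the field), confirms the result decodes to DER, prints the SHA-256 fingerprint so you can compare it with the one shown in the IdP console, and reads the notAfter date so you know when the manual rotation described later on this page is due. The sample input is a constructed, unsigned certificate skeleton built inside the script, not a real certificate; replace it with your IdP's export.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone


def pem_to_saml_body(pem_text: str) -> str:
    """Turn a PEM certificate as exported by an IdP into what 21RISK asks for:
    the base64 body on one line, no BEGIN/END lines, no whitespace.
    Accepts input that is already headerless or line-wrapped."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if sum(1 for ln in lines if ln.startswith("-----BEGIN")) > 1:
        raise ValueError("more than one certificate in the input; paste only the IdP signing certificate, not a chain")
    body = re.sub(r"\s+", "", "".join(ln for ln in lines if not ln.startswith("-----")))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE; this is not an X.509 certificate")
    return body


def fingerprint_sha256(body: str) -> str:
    """SHA-256 fingerprint of the DER certificate, colon-separated like IdP consoles show it."""
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length (real certificates use this at the top level)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag: int, value: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def not_after(body: str) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC).
    A minimal DER walk that follows the RFC 5280 field order; no signature verification."""
    _, cert, _ = _tlv(base64.b64decode(body), 0)   # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                      # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                  # serialNumber
    _, _, pos = _tlv(tbs, pos)                      # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                      # issuer Name
    _, validity, _ = _tlv(tbs, pos)                 # validity SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)                   # notBefore
    tag, value, _ = _tlv(validity, pos)             # notAfter
    return _asn1_time(tag, value)


def _der(tag: int, body: bytes) -> bytes:
    """Encode one short-form DER element (sample construction only)."""
    return bytes([tag, len(body)]) + body


def constructed_sample_pem() -> str:
    """A constructed, unsigned certificate skeleton (NOT a real certificate) with the
    field layout the parser above expects and a notAfter of 2034-01-01."""
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    body = pem_to_saml_body(constructed_sample_pem())   # swap in open("idp.crt").read()
    expires = not_after(body)
    print("Paste into 21RISK:", body)
    print("SHA-256 fingerprint:", fingerprint_sha256(body))
    print("notAfter:", expires.isoformat(), "(EXPIRED)" if expires < datetime.now(timezone.utc) else "")
```

Compare the printed fingerprint with the signing certificate shown in the IdP console before saving; a mismatch usually means an export of the wrong certificate (a TLS certificate, an encryption certificate, or a chain). Put the notAfter date in your calendar with a margin, since the page's rotation section notes that login stops working once it expires.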
Step 4: Mark the connection as primary
Before users can log in via SAML, the connection must be set as primary .
On the same page, toggle Primary to on and click Save.
You can only have one primary SSO connection per organization. Enabling a new primary connection will replace the existing one.
Before users can use the connection, all relevant email domains must be registered with 21RISK. Contact support@21risk.com if your domain(s) are not listed.
Step 5: Test the connection
Log out of 21RISK and try logging in again. If your email domain is registered and the connection is primary, you should be redirected to your Identity Provider's login page. After authenticating, you should be logged in to 21RISK automatically.
If you encounter issues, verify the following:
- The ACS URL and Entity ID in your IdP match exactly what 21RISK shows
- The Name ID in the SAML assertion contains the user's email address
- The email address matches an existing user in 21RISK
- The certificate is pasted correctly — base64 only, no headers, no extra whitespace
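When the login loop fails silently, the fastest way through this checklist is to look at the actual SAMLResponse your IdP posted to the ACS URL (copy the form field from the browser's developer tools). The script below is an added example, not 21RISK's or any IdP's code: it decodes the response (HTTP-POST binding, so plain base64 with no deflate), pulls out the Issuer, Destination, Recipient, Audience and NameID, and compares them with the values you entered on the 21RISK connection page. The expected URLs and the embedded response are constructed placeholders under example.com; your real ACS URL, Entity ID and IdP Issuer are the ones shown in Steps 1 to 3.

```python
import base64
import re
import xml.etree.ElementTree as ET  # fine for your own IdP's test responses; use defusedxml for untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Placeholder values (assumptions): take the real ones from the 21RISK connection page and your IdP.
ACS_URL = "https://app.example.com/saml/acs"
ENTITY_ID = "https://app.example.com/saml/metadata"
IDP_ISSUER = "https://idp.example.com/metadata"


def inspect_saml_response(saml_response_b64: str, expected_acs: str,
                          expected_entity_id: str, expected_issuer: str) -> dict:
    """Decode a SAMLResponse form field and report the fields that must match the
    21RISK connection page. Does not verify the signature; this is for configuration triage."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value") if status is not None else None
    if status_value != SUCCESS:
        problems.append(f"IdP status is {status_value!r}, not Success")
    if root.get("Destination") != expected_acs:
        problems.append(f"Response Destination {root.get('Destination')!r} != ACS URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            problems.append("Assertion is encrypted; turn off assertion encryption in the IdP to inspect it")
        else:
            problems.append("Response carries no Assertion")
        return {"status": status_value, "problems": problems}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    report = {
        "status": status_value,
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination"),
        "recipient": confirmation.get("Recipient") if confirmation is not None else None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }
    if report["issuer"] != expected_issuer:
        problems.append(f"Assertion Issuer {report['issuer']!r} != IdP Entity ID/Issuer {expected_issuer!r}")
    if report["recipient"] and report["recipient"] != expected_acs:
        problems.append(f"SubjectConfirmationData Recipient {report['recipient']!r} != ACS URL {expected_acs!r}")
    if report["audience"] != expected_entity_id:
        problems.append(f"Audience {report['audience']!r} != 21RISK Entity ID {expected_entity_id!r}")
    if not report["name_id"]:
        problems.append("Assertion has no NameID")
    elif not EMAIL_RE.match(report["name_id"]):
        problems.append(f"NameID {report['name_id']!r} is not an email address")
    if report["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {report['name_id_format']!r}, expected {EMAIL_FORMAT}")
    report["problems"] = problems
    return report


def encode_response(xml_text: str) -> str:
    """Encode an XML response the way the HTTP-POST binding carries it (plain base64)."""
    return base64.b64encode(xml_text.encode()).decode()


# Constructed sample response (no signature, shortened); a real one also carries ds:Signature.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = encode_response(SAMPLE_XML)

if __name__ == "__main__":
    for key, value in inspect_saml_response(SAMPLE_RESPONSE_B64, ACS_URL, ENTITY_ID, IDP_ISSUER).items():
        print(f"{key}: {value}")
```

The report maps directly onto the checklist: Destination and Recipient must equal the ACS URL from Step 1, Audience must equal the 21RISK Entity ID, the assertion Issuer must equal what you typed into the Entity ID / Issuer field in Step 3, and NameID must be the user's email address. Whether that address exists as a 21RISK user is the one item the script cannot check; confirm it in the user list.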
Certificate rotation
With a manual SAML configuration, you are responsible for updating the certificate when your Identity Provider rotates it. If the certificate expires or is replaced, SAML login will stop working until you paste the new one in 21RISK. Note the certificate's expiry date when you set up the connection and plan the update before that date; many IdPs let you stage the new signing certificate before activating it, so paste it into 21RISK at the moment you switch.
Tip: If you are using Microsoft Entra ID, consider switching to the Microsoft Entra ID provider type in 21RISK — it supports automatic certificate management via the Federation Metadata URL.
If you need help setting up SAML, contact support@21risk.com.