What it provides and what is required
SAML2 lets users sign in to the Stream site with their organization account (for example Microsoft 365), without a separate system password – according to organizational policy.
- Administrator access to the System settings page (
/admin/settings) is required. - The system uses SimpleSAMLphp as the SAML service provider (SP) named
default-sp. - You must generate an SP certificate, provide SP metadata to the identity provider (or fill fields manually), then upload IdP metadata here (XML file).
Before you start: HTTPS and site URL
In General settings, ensure Stream URL (the public base URL of the site) is set with https:// and without a trailing slash (or according to organizational settings). This URL is also used for internal actions such as downloading metadata from the server.
Settings in the admin interface (Stream)
Go to System Settings (/admin/settings) and follow these steps in order:
1. Enable SSO
In Advanced settings, check Allow SSO authentication (allow_sso_auth) to let users use the single sign-on path (depending on how the sign-in button is shown on the site).
2. SAML2 connection area
- Generate certificate (SP) – creates a private key and certificate (
saml.pem,saml.crt) insaml2/cert/and updatesauthsources.php. Without this step there will be no valid metadata to provide to the IdP. - Download SP metadata – downloads the service provider (SP) XML file to enter in the identity provider (for example upload to an Entra ID app), or extract the Entity ID and ACS URL from it.
- Upload metadata (IdP) – after the identity provider is configured, download its metadata XML file and upload it here. The file is saved and the system updates the remote metadata file (
saml20-idp-remote.php) and the IdP link inauthsources.php.
At the top of the area, status is shown (certificate, configuration, whether the IdP is connected). After uploading IdP metadata, status should indicate a full connection.
Technical URLs (SP) for copy
Replace https://your-domain.example with your production URL (with https).
| Role | Typical path |
|---|---|
| SP metadata (public XML) | …/saml2/public/module.php/saml/sp/metadata.php/default-sp |
| ACS (Reply URL) – receiving SAML response | …/saml2/public/module.php/saml/sp/saml2-acs.php/default-sp |
| Single logout (SLO), if required | …/saml2/public/module.php/saml/sp/saml2-logout.php/default-sp |
| Site sign-in (SP-initiated) | https://your-domain.example/sso.php |
SP entity ID: usually in the form https://your-domain.example/ (with trailing slash), according to the request to the server when metadata is created. Exact values appear in the XML file you downloaded.
Example full metadata URL:
https://your-domain.example/saml2/public/module.php/saml/sp/metadata.php/default-sp
Connection in Microsoft Entra ID (Microsoft 365)
The following steps match the common Entra ID workflow for creating a SAML application and can be combined with your organization's internal Azure guide (including detailed screenshots there).
1. Create an enterprise application
- In the Azure portal: Microsoft Entra ID → Enterprise applications → New application.
- Choose Create your own application, give it a name (for example Stream – SAML), and select a SAML / single sign-on integration – according to portal options.
2. SAML configuration – Entra side (basic)
In the selected application: Single sign-on → SAML.
- Upload SP metadata – if Entra allows file upload, use the XML file downloaded from Stream ("Download SP metadata"). This fills many fields automatically.
- Or manual entry (Basic SAML Configuration):
- Identifier (Entity ID) – as shown in SP metadata (usually
https://your-domain.example/). - Reply URL (Assertion Consumer Service URL) – ACS URL from the table above.
- Sign on URL – sometimes required for SP-initiated sign-in; try
https://your-domain.example/sso.phpif the interface requires a value.
- Identifier (Entity ID) – as shown in SP metadata (usually
- Save the settings.
3. Download IdP metadata for Stream
On the same SAML screen, download Federation Metadata XML (sometimes labeled "Certificate" or "Download Federation Metadata").
Return to Stream → System Settings → SAML2 connection → Upload metadata (IdP) and upload the file.
4. Assign users
In Entra: in the application → Users and groups → add users or groups allowed to sign in through the application.
Identifiers and claims – Microsoft 365
When the identity provider is Microsoft Entra ID, the system can identify the response using typical claims (including tenant ID). To fill the user profile, the system uses among others:
- Email address
- First and last name
- Username / unique identifier
In Entra ID, under User Attributes & Claims, ensure claims sent in the SAML token include at least email and name – according to organizational policy. If a claim is missing, the user may not be identified or a partial account may be created.
An existing Stream user is matched by email address; if no user with the same email exists, the system may create a new user (according to registration and activation settings on the site).
Testing and troubleshooting
- Open a private browsing window and go to
https://your-domain.example/sso.php– you should be redirected to organizational sign-in and then back to the site. - If SP metadata download fails with an error, check that the site base URL is set to HTTPS and that the SimpleSAMLphp public file is accessible from the server.
- If Entra returns a SAML error, verify the Reply URL and Entity ID exactly against the SP XML file.
- Ensure the Entra application is assigned to the test user.
For a quick link to general system settings: System settings guide.