The SAML 2.0 Integration in Timus Manager allows you to configure secure, standards-based Single Sign-On (SSO) for users authenticating via identity providers such as Okta, JumpCloud, or Microsoft Entra ID. This enables your organization to enforce consistent identity policies while simplifying access to Timus applications.

Timus supports multiple SAML integrations per tenant. The integration card displays the number of active configurations, and each can define its own access scope and remote access permissions.

What This Integration Enables

• Enable SSO via your preferred Identity Provider (IdP)
• Allow users to sign in to Timus applications using their corporate SAML credentials
• Control access to specific sites per integration
• Optionally enforce encrypted SAML assertions
• Provision users automatically on first login through the IdP

How to Set Up a SAML Integration

1. Navigate to Settings → Integrations → SAML 2.0
2. Click Manage to open the integrations list

3. Click Create New to open the configuration form

Configuration Fields

You can define different Allowed Sites and Remote Access settings per SAML integration to support flexible, identity-based access policies.

Provider-Specific Setup Guides

To complete the setup process, refer to the guide matching your Identity Provider:

• SAML Integration for Okta AD
• SAML Integration for JumpCloud
• SAML Integration for Microsoft Entra ID

Each guide includes:

• Application registration steps
• Metadata configuration (Identifier, Service URL, X.509 Certificate)
• Attribute & claim mapping
• Tips for encryption and login verification

Attribute Mapping

Ensure your Identity Provider maps the following attributes to enable accurate user provisioning:

• nameID – Email address (used as the unique user ID in Timus)
• firstname – User’s first name
• lastname – User’s last name

These attributes are required for displaying user identity properly in the Timus Manager and for enforcing user-based access rules.

Assertion Encryption (Optional)

If you enable the Require Encrypted Assertions checkbox:

• Timus will reject unencrypted SAML responses
• Your IdP must encrypt assertions using Timus's public key
• The decryption key is securely managed inside the Timus platform

Only activate this setting if encryption is supported and configured correctly on both sides.

First-Time Sign-in Behavior

• Users must initiate login from your IdP’s SAML app
• This initial login creates the user profile in Timus
• Attempting to sign in directly via Timus without prior SAML login will result in failure

It may take up to 30 minutes for a new integration to fully sync, depending on group complexity and user volume.

Notes

• Identifier and SAML Service URL must be unique per SDN
• Reusing credentials across SDNs will trigger a validation error
• SAML-based user creation does not trigger the Connect Agent download email:
  • Downloads are available under Settings → Downloads or via my.timusnetworks.com
  • You can use RMM tools to silently deploy the Connect agent

Support & Troubleshooting

If users are unable to log in:

• Check the SAML response payload for:
  • Correct Identifier and Audience values
  • Matching Assertion Consumer Service (ACS) URL
  • Valid certificate and active signature
  • Required attributes (nameID, firstname, lastname)
• Use the appropriate Timus ACS URL:
  • Production: https://auth.timuscloud.com/user/external/saml
  • Beta: https://auth-beta-us-01.timuscloud.com/user/external/saml

SAML Integration for Okta AD

SAML Integration for Microsoft Entra ID (Azure AD)

SAML Integration for JumpCloud

Updated July 15, 2025 03:02