What are my Entity ID and Reply/ACS URL?

Every Atticus environment has a unique Entity ID and Reply/ACS URL that you'll enter into your identity provider when configuring SAML SSO. These values link your identity provider to your specific Atticus tenant.

The values for your environment are:

Entity ID

Reply/ACS URL

Values not provided. Your Entity ID and Reply/ACS URL haven't been supplied for this page. Please ask your Atticus account manager for the specific values for your environment before completing your SAML configuration.

For reference, the values follow this format:

  • Entity ID: https://ENVIRONMENT.atticus.tech
  • Reply/ACS URL: https://ENVIRONMENT.atticus.tech/api/v1/auth/sso/saml/callback/ORGANISATION_ID

Where ENVIRONMENT is your Atticus environment (e.g. app) and ORGANISATION_ID is a unique identifier issued to your organisation.

What should we use as the Name ID?

The Name ID (sometimes called the Unique User Identifier) is the value your identity provider sends to identify each user. Atticus stores this value to recognise the user on every subsequent sign-in, so it must be persistent — it should never change for a given user, even if their email, name, or username is updated.

We recommend setting the Name ID to a system-generated, internal identifier from your identity provider. The provider-specific guides use the following:

  • Okta: user.getInternalProperty("id") — Okta's internal user ID, configured via the Application username field with type Custom.
  • Microsoft Entra: user.objectid — the Entra Object ID.
  • Other providers: use the equivalent persistent, system-generated user ID (often labelled Object ID, UID, or Subject). Set the Name ID format to Persistent.

Why not email? Email addresses can change (name changes, domain migrations, mailbox rewrites). If the Name ID is the user's email and that email later changes, Atticus will treat the user as a new account and lose the link to their existing workspaces and history. A system-generated ID avoids this entirely.

Atticus uses the email attribute (sent separately, see below) as the human-readable identifier shown in the product. The Name ID is only used internally to link sign-ins to user records.

What is the external ID / employeeId claim?

In addition to the required claims, you may optionally send an external identifier — typically an Employee ID, Salary ID, or other organisational identifier from your HR or directory system. This is sent via an additional SAML claim named employeeId.

This is separate from the Name ID. Where the Name ID is a stable identifier private to the identity provider, the external ID is a value your organisation owns and uses elsewhere — useful for reconciling Atticus users against your HRIS or other internal systems.

The provider-specific guides include example mappings:

  • Okta: claim name employeeId, value user.employeeNumber
  • Microsoft Entra: claim name employeeid, value user.employeeid

If you would like to send an external identifier or have additional identifiers you'd like Atticus to capture, please discuss the use case with your Atticus account manager.

What attribute claims are required?

Your identity provider must send the following user attributes in every SAML assertion. These are required even if the value duplicates information already in the Name ID:

  • first: the user's given name.
  • last: the user's surname.
  • email: the user's primary email address. Required even if the Name ID is the same value.

The exact field name and source attribute will depend on your identity provider. Common mappings used in the provider-specific guides are:

  • Okta: user.firstName, user.lastName, user.email.
  • Microsoft Entra: user.givenname, user.surname, user.mail. Entra also requires the claim namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Check that your metadata includes the claims. A common issue is that identity providers export a generic federation metadata XML that does not include any of the claims you configured. When sharing your metadata with Atticus, please confirm the file or URL reflects the claims you've configured.
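The Name ID and attribute rules above can be checked against a SAML assertion from a test sign-in before the metadata is shared. The script below is an added example, not Atticus code or an Atticus tool: it parses an assertion, confirms the Name ID uses the persistent format and is not an email address, confirms first, last and email are present and non-empty, and reports any optional employeeId claim. The sample assertions and identifiers in it are constructed, and the Entra-style claim names of the form namespace/claim (for example .../identity/claims/email) are an assumption about how the namespace and claim name are joined.

```python
# Added example: check a SAML assertion against the Name ID and attribute rules on this page.
# Not Atticus code. Sample assertions and IDs below are constructed for illustration.
# The stdlib parser is used because the input here is embedded; for assertions obtained
# from any other source, parse with defusedxml instead.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRIBUTES = ("first", "last", "email")
OPTIONAL_ATTRIBUTES = ("employeeid",)  # compared case-insensitively (Entra uses "employeeid")


def _short_name(attribute_name):
    """Reduce a claim name to its last path segment so that an Entra-style name such as
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email (assumed form) and a
    plain Okta-style name 'email' compare equal."""
    return attribute_name.rstrip("/").rsplit("/", 1)[-1]


def extract_claims(assertion_xml):
    """Return the NameID, its Format and a dict of attribute name -> list of values."""
    root = ET.fromstring(assertion_xml)
    assertion_tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[_short_name(attr.get("Name", ""))] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def check_assertion(assertion_xml):
    """Return a list of problems; an empty list means the assertion meets the rules above."""
    info = extract_claims(assertion_xml)
    problems = []
    if not info["name_id"]:
        problems.append("NameID is missing or empty")
    else:
        if info["name_id_format"] != PERSISTENT_FORMAT:
            problems.append("NameID Format is %r, expected persistent" % info["name_id_format"])
        if "@" in info["name_id"]:
            problems.append("NameID looks like an email address; send a system-generated ID instead")
    for name in REQUIRED_ATTRIBUTES:
        if not any(info["attributes"].get(name, [])):
            problems.append("required attribute %r is missing or empty" % name)
    return problems


def optional_identifiers(assertion_xml):
    """Return the optional external identifiers (e.g. employeeId) present in the assertion."""
    attributes = extract_claims(assertion_xml)["attributes"]
    return {name: values for name, values in attributes.items()
            if name.lower() in OPTIONAL_ATTRIBUTES and any(values)}


# Constructed sample: Okta-style claim names with a system-generated, persistent NameID.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00uEXAMPLEID123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeId"><saml:AttributeValue>E-10042</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of a misconfiguration: email used as the NameID and the surname claim not mapped.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example2">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"><saml:AttributeValue>jane.doe@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(xml) or "OK", optional_identifiers(xml))
```

Run it as-is to see the constructed good assertion pass and the misconfigured one fail with three findings (non-persistent Name ID format, email-shaped Name ID, missing last). To check a real test sign-in, replace the sample string with the decoded assertion from your identity provider; the checker only inspects claims and does nothing with the signature, so it complements, rather than replaces, the validation Atticus performs.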