
NinjaOne Identity Access Management (IAM): About IDP-Initiated Security Assertion Markup Language (SAML)

Topic

This article explains how to enable an IDP (identity provider) initiated login with SAML for NinjaOne. 

Environment

NinjaOne Identity Access Management (IAM)

Description

IDP-initiated SAML login is now supported by NinjaOne. There are a few things to consider when enabling this option.

  • IDP-initiated SAML: This is a new option offered by NinjaOne. You start at your IDP (for example, an icon in an Application Catalog or a direct link) and are signed in to NinjaOne from there. Depending on the Bypass MFA configuration, you may or may not be prompted for multi-factor authentication (MFA).
  • SP-initiated SAML: This option was already supported by NinjaOne. You access NinjaOne first, are redirected to your IDP to log in, and are then returned to NinjaOne.

By default, IDP-initiated SAML is disabled for both existing and new NinjaOne IDP configurations. To allow IDP-initiated logins, enable the Enable IdP-initiated login toggle when configuring your IDP. If this option is disabled and a user attempts an IDP-initiated login, the login page shows a generic error. Submit the Incident ID from that error to NinjaOne Support to identify the specific cause.

Figure 1: Enable IdP-initiated login (click to enlarge)


Create a New Unique Identifier for Identity Provider Configurations

When configuring a new IDP in NinjaOne, you will see a new Unique identifier included. Its purpose is to allow separate NinjaOne IDP configurations to be created for different divisions within the same IDP (if you have multiple divisions). The Unique identifier is always the same for a given division, and it is appended to the end of the SP identifier and the Reply URL(s).

IDP configurations created before release version 10.0.0 do not use a Unique identifier, so an existing setup continues to work exactly as it did before release 10.0.0. Only newly created IDP configurations include the Unique identifier. If you need a Unique identifier in an existing IDP configuration, you must remove and recreate that configuration; because the new SP identifier and Reply URL(s) then end in the Unique identifier, update those values in the IDP application as well.
Figure 2: Unique identifier inclusion example

IDP-initiated SAML Configuration for Branded Divisions

If you want IDP-initiated logins to land on a branded URL, configure your IDP application to use the branded Assertion Consumer Service (ACS) URL as its default. The following sections provide guidance:

Configuring a Branded URL for IDP-initiated in Entra

For the Reply URL (Assertion Consumer Service URL) in Entra (Azure), set the URL you want IDP-initiated logins to land on as the default. NinjaOne recommends configuring both the native and branded ACS URLs so that SP-initiated logins work from both starting points.

Figure 3: Basic SAML configuration for Azure example → Reply URL
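The following Python script is an added illustration for this article; it is not NinjaOne or Microsoft code. It shows what an assertion consumer endpoint sees in the two flows described above: an SP-initiated Response echoes the request ID in InResponseTo, while an IdP-initiated Response carries none, which is the property the Enable IdP-initiated login toggle can be enforced on. It also checks Destination and Recipient against the configured native and branded Reply URLs and the Audience against the SP identifier, each ending in the division's Unique identifier. Every hostname, the Unique identifier value and the SAML messages are constructed placeholders; take the real values from your IDP configuration screen. XML signature verification is omitted on purpose and must be done by a real ACS before any of these fields are trusted.

```python
"""Classify an inbound SAML Response as IdP- or SP-initiated and check it against
one division's SP identifier and Reply URLs.

Added example, not NinjaOne code. Hostnames, the Unique identifier and the SAML
messages are constructed. Signature verification is intentionally omitted.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed per-division Unique identifier, appended to the SP identifier and Reply URLs.
UNIQUE_ID = "5f2a9c1e"

# Assumed SP identifier plus native and branded ACS (Reply) URLs for one division.
SP_IDENTIFIER = f"https://app.example-sp.com/saml/metadata/{UNIQUE_ID}"
NATIVE_ACS = f"https://app.example-sp.com/saml/acs/{UNIQUE_ID}"
BRANDED_ACS = f"https://portal.branded-msp.example/saml/acs/{UNIQUE_ID}"
ACS_URLS = {NATIVE_ACS, BRANDED_ACS}


def evaluate_response(xml_text: str, idp_initiated_enabled: bool) -> dict:
    """Return the detected flow and the reasons (if any) the response is refused."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")

    # SP-initiated: the IdP echoes our AuthnRequest ID in InResponseTo.
    # IdP-initiated: we never sent a request, so the attribute is absent.
    flow = "SP-initiated" if root.get("InResponseTo") else "IdP-initiated"
    problems = []
    if flow == "IdP-initiated" and not idp_initiated_enabled:
        problems.append("IdP-initiated login is disabled for this IDP configuration")

    # Destination decides which login page (native or branded) the user lands on.
    destination = root.get("Destination")
    if destination not in ACS_URLS:
        problems.append(f"Destination {destination!r} is not a configured Reply URL")

    # The assertion must name this division's SP identifier (with its Unique identifier).
    audiences = {a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)}
    if SP_IDENTIFIER not in audiences:
        problems.append(f"Audience {sorted(audiences)} does not include the SP identifier")

    # Bearer confirmation Recipient must match the ACS URL the message was sent to.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != destination:
        problems.append(f"Recipient {recipient!r} does not match Destination")

    return {"flow": flow, "destination": destination, "accepted": not problems, "problems": problems}


def _response(destination: str, audience: str, in_response_to: str = "") -> str:
    """Build a constructed, unsigned SAML Response for the demo (not real IdP output)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}"{irt}>
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# Constructed messages: an IdP-initiated login landing on the branded ACS, an
# SP-initiated login to the native ACS, and an audience lacking the Unique identifier
# (what an IDP application still holding pre-recreation values would send).
IDP_INITIATED_TO_BRANDED = _response(BRANDED_ACS, SP_IDENTIFIER)
SP_INITIATED_TO_NATIVE = _response(NATIVE_ACS, SP_IDENTIFIER, in_response_to="_req42")
STALE_AUDIENCE = _response(BRANDED_ACS, "https://app.example-sp.com/saml/metadata")

if __name__ == "__main__":
    print(evaluate_response(IDP_INITIATED_TO_BRANDED, idp_initiated_enabled=False))
    print(evaluate_response(IDP_INITIATED_TO_BRANDED, idp_initiated_enabled=True))
    print(evaluate_response(SP_INITIATED_TO_NATIVE, idp_initiated_enabled=False))
    print(evaluate_response(STALE_AUDIENCE, idp_initiated_enabled=True))
```

With the toggle off, the IdP-initiated message is refused even though every URL matches, which is the generic login-page error described above; with the toggle on it is accepted and lands on the branded ACS because that is the Destination the IDP application was configured to use by default. The SP-initiated message is accepted regardless of the toggle. A real ACS would additionally verify the signature, the NotBefore/NotOnOrAfter window, and that InResponseTo matches a request it actually issued.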

Additional Resources

To learn more about NinjaOne's identity services, refer to Identity Authentication and Management: Resource Catalog.

To learn more about enabling SAML for Okta, refer to Configuring NinjaOne SAML in Okta.
