SAML is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). Meridian acts as the SP — your customer's Okta, Entra ID, or PingFederate instance is the IdP.
The three roles
- Principal — the user trying to log in.
- Identity provider — authenticates the principal and issues a signed SAML assertion.
- Service provider — Meridian. Consumes the assertion and establishes a session.
SP-initiated flow
- User clicks “Sign in with SSO” in Meridian.
- Meridian generates a SAML AuthnRequest and redirects the browser to the IdP.
- IdP authenticates the user (password, MFA, etc.).
- IdP returns a signed SAML Response to Meridian's ACS URL as an HTTP POST, sent by an auto-submitting form in the user's browser.
- Meridian validates the signature, extracts attributes, and creates a session.
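The SP side of steps 1 and 2, as an added example that is not Meridian's own code: build the AuthnRequest, remember its ID so the ACS can later match InResponseTo, and encode it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode). The IdP SSO URL and the entity ID (assumed to equal the metadata URL) are placeholders for this example.

```python
"""SP-initiated AuthnRequest over the SAML HTTP-Redirect binding (added example)."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SP_ENTITY_ID = "https://api.getnimbus.net/v1/sso/saml/metadata"  # assumed entity ID
ACS_URL = "https://api.getnimbus.net/v1/sso/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"  # assumed IdP single sign-on endpoint

# AuthnRequest IDs we have issued, keyed to their issue time. The ACS later accepts a
# Response only if its InResponseTo is one of these (and removes the entry on use).
outstanding_requests = {}


def build_authn_request(now=None):
    """Return (request_id, xml). The ID must be an xs:ID, so it starts with '_'."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    outstanding_requests[request_id] = now
    return request_id, xml


def redirect_url(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        # Opaque round-trip value; validate it on return, never treat it as a trusted redirect target.
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url):
    """Inverse of redirect_url: what the IdP (or a tester) sees after decoding the query string."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return {"xml": zlib.decompress(raw, -15).decode(),
            "relay_state": qs.get("RelayState", [None])[0]}
```

The request is not signed here; if the IdP is configured to require signed AuthnRequests, a SigAlg and Signature parameter are added to the same query string, which is a separate step from the encoding shown.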
Assertion Consumer Service URL
https://api.getnimbus.net/v1/sso/saml/acs
This is the endpoint the IdP sends the SAML Response to. With the HTTP-POST binding the POST comes from the user's browser, so the ACS must be reachable from wherever your users sign in, not only from the IdP's own network.
What Meridian validates
- XML signature, against the signing certificate published in the IdP's metadata. The remaining checks are applied only to the element that signature covers, never to unsigned XML elsewhere in the document.
- NotBefore / NotOnOrAfter time window.
- AudienceRestriction matches our entity ID.
- Recipient matches the ACS URL.
- InResponseTo matches the original AuthnRequest ID.
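The time-window, audience, recipient and InResponseTo checks applied to a Response, as an added example rather than Meridian's implementation. The XML signature check itself is delegated to a callable that must return the signed element (with the signxml library that would be XMLVerifier().verify(root, x509_cert=idp_cert).signed_xml); the offline stand-in below skips it and is for this example only. The entity ID, the clock-skew tolerance and the sample Response from a fictitious IdP are assumptions.

```python
"""Checks on a SAML Response after its signature has verified (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://api.getnimbus.net/v1/sso/saml/acs"
SP_ENTITY_ID = "https://api.getnimbus.net/v1/sso/saml/metadata"  # assumed entity ID
CLOCK_SKEW = timedelta(minutes=2)  # assumed tolerance for IdP/SP clock drift


class SamlValidationError(Exception):
    pass


def parse_ts(value):
    """xs:dateTime in UTC; some IdPs add fractional seconds (2024-05-01T10:00:00.123Z)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_bytes, verify_signature, outstanding_requests, now):
    """Return NameID and attributes of a valid Response, or raise SamlValidationError.

    verify_signature(root) checks the XML signature against the IdP certificate and
    returns the element it covers; every value below is read from that element only,
    so an unsigned Assertion injected elsewhere in the document is never consulted.
    outstanding_requests maps AuthnRequest IDs we issued to their issue time; the
    matching entry is removed so the same Response cannot be replayed.
    """
    root = ET.fromstring(xml_bytes)
    signed = verify_signature(root)
    assertion = signed if signed.tag.endswith("}Assertion") else signed.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no Assertion inside the signed element")

    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_requests:
        raise SamlValidationError("InResponseTo does not name an outstanding AuthnRequest")
    del outstanding_requests[in_response_to]  # single use

    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise SamlValidationError("Conditions must carry NotBefore and NotOnOrAfter")
    # NotBefore is inclusive, NotOnOrAfter exclusive; allow a little skew either way
    if now + CLOCK_SKEW < parse_ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")

    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("AudienceRestriction does not include our entity ID")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlValidationError("Recipient is not our ACS URL")
    if scd.get("InResponseTo") != in_response_to:
        raise SamlValidationError("SubjectConfirmationData.InResponseTo mismatch")
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")

    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


# Constructed sample Response (no real signature) from a fictitious IdP.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="_req_abc" IssueInstant="2024-05-01T10:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
   <saml:NameID>alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req_abc" NotOnOrAfter="2024-05-01T10:05:00Z"
      Recipient="https://api.getnimbus.net/v1/sso/saml/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://api.getnimbus.net/v1/sso/saml/metadata</saml:Audience>
   </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def demo_verify_signature(root):
    """Stand-in for the XML-DSig check, for this offline example only: hands back the
    Assertion as if its signature had verified. Never skip the real check."""
    return root.find("saml:Assertion", NS)


def run_demo():
    """Exercise the checks: a good login, then a replay, an expired assertion, an unsolicited Response."""
    good_now = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
    reqs = {"_req_abc": good_now - timedelta(seconds=30)}
    out = {"login": validate_response(SAMPLE_RESPONSE, demo_verify_signature, reqs, good_now)}
    for label, now, pending in [("replay", good_now, reqs),  # ID consumed by the login above
                                ("expired", good_now + timedelta(minutes=10), {"_req_abc": good_now}),
                                ("unsolicited", good_now, {})]:
        try:
            validate_response(SAMPLE_RESPONSE, demo_verify_signature, pending, now)
            out[label] = "accepted"
        except SamlValidationError as e:
            out[label] = str(e)
    return out
```

Consuming the request ID on first use is the example's own choice for replay protection; the ordering matters too: the signature is verified before any attribute of the document is trusted, and InResponseTo is checked before the time window so that an unsolicited Response is rejected regardless of its timestamps.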
Metadata exchange
Meridian exposes an XML metadata document at /v1/sso/saml/metadata. Give this URL to your IdP admin. It contains our entity ID, ACS endpoint, and signing certificate requirements.
Next step
Ready to configure? Head to the Entra ID walkthrough or Okta setup guide.