Skip to content

Authenticate using SAML 2.0

The Security Assertion Markup Language (SAML) configuration is now self-serviceable from the API Cloud Console. If you need access to the Cloud Console, please see Accessing the Trimble Cloud Console for details.

The general flow of a SAML login looks like this:

Self-service configuration

  1. Login to the API Cloud Console
  2. Select Identity Management

3. In the upper right-hand corner, select + Add Application 4. For Application type, select Application 5. Under Application details, fill in the information for your application 6. For Configurations, select Security Assertion Markup Language (SAML) and paste in your Service Provider (SP) Metadata

IDP metadata

  • Staging: https://stage.id.trimblecloud.com/saml/metadata
  • Production: https://id.trimble.com/saml/metadata

To simplify the integration process with the Trimble Identity System, SAML Request signing has been made optional for Service Provider (SP) configurations. This change offers greater flexibility for integrators while maintaining a high level of system security through enhanced validation measures.

Service Provider (SP) Registration Configuration

If you choose to submit unsigned SAML Requests, the following strict security requirements will be enforced to prevent replay attacks and ensure secure communication:

  1. Strict Assertion Consumer Service (ACS) URL Validation

    • For unsigned requests, the ACS URL in the SAML request must exactly match the registered ACS URL configuration in the Trimble Identity System. Any deviation will result in an error and the request will be blocked.
  2. Universal Protocol and Endpoint Restrictions

    • These restrictions apply to all SAML requests, whether signed or unsigned, to enforce the highest security standards:
      • HTTPS is Mandatory: Only HTTPS endpoints are allowed for production use to ensure secure communication.
      • Insecure Endpoints are Blocked: The system will block requests using:
        • HTTP protocol endpoints (e.g., http://app.example.com/saml/acs)
        • Localhost or local IP addresses (e.g., https://localhost:8080/saml/acs or https://127.0.0.1:8080/saml/acs)

Key Security Enhancements

  • Replay Attack Prevention: A time-based tracking mechanism is in place to prevent attackers from reusing the same SAML request (a “replay attack”).
  • IssueInstant Validation: The IssueInstant attribute in the SAML request is validated to ensure the request is not stale (too old) or future-dated, protecting against timing-related attacks.

By adhering to the new, stricter ACS URL validation and universal protocol restrictions, you can confidently integrate using unsigned requests while benefiting from a simpler setup and a security profile that is protected against common SAML vulnerabilities.