AWS SAML SSO Configuration is available as part of the Beamo Plan(s) Enterprise.
Learn how to get more out of Beamo with Plans and Packs.


This article details the necessary steps for using Beamo's SAML SSO with AWS as the Identity Provider.

Who can use this feature?

  Super Admin Site Manager Team Admin Surveyor Collab-
Setup SAML SSO check_mark_32.png minus_32.png minus_32.png minus_32.png minus_32.png minus_32.png

Setting up SAML SSO

Open SSO in Beamo

The SSO configuration is located in the Settings of Beamo.

  • Beamo → Settings → Security

Click “Enable SAML SSO” to start the process.


Create an AWS SSO Application

Note: Providers’ configuration instructions are outlined here. For more detailed configuration instructions, please contact the respective ID provider.

1. Open the AWS Console and navigate to the AWS SSO.

2. Select Applications and click Add application.

3. Underneath the search bar, select Add a custom SAML 2.0 application.

4. Give the application a Display name, e.g. Beamo.

5. Go to the section IAM Identity Center metadata.
This information is required at a later step. Take note of the:
     a. AWS SSO sign-in URL
     b. AWS SSO issuer URL
     c. AWS SSO certificate

6. Go to the section Application Properties.  Specify the login URL from which users will access Beamo under Application start URL.

7. Go to the section Application metadata.  Manually enter metadata values by clicking the [Edit] button.

Field Description

Application ACS URL

Set this field to the pre-generated Assertion Consumer Service (ACS) URL retrieved from the Beamo SSO configuration screen.

Application SAML audience

Set this field to the pre-generated SP Entity ID retrieved from the Beamo SSO Configuration screen.

 8. Click [Submit] and continue to add the details to your newly created application.

Attribute mapping

Navigate to the Attribute mappings tab and configure the following mappings:

User attribute in the application

Maps to this string value or user attribute in AWS SSO








Assigned users

Navigate to the Assigned users tab and select the [Assign users] button. You can assign users to the application on an individual level or by group.

Continue on to Beamo

The AWS Console-specific configurations are done. Continue on to Beamo to finish the configuration.

  • Service Provider Configuration defines the format of SAML requests.
  • Identity Provider Configuration defines the format to expect for SAML responses.

Service Provider Configuration

Configure the following fields according to the choices selected in the AWS Console during setup:

Field Description
Entity ID


Enter the AWS SSO issuer URL retrieved from the AWS SSO metadata section in the AWS Console.

Single Sign On Service URL

Enter the AWS SSO sign-in URL retrieved from the AWS SSO metadata section in the AWS Console.

Single Log Out URL

Enter the AWS SSO sign-out URL retrieved from the AWS SSO metadata section in the AWS Console.

X509 Public Certificate

Paste the retrieved Certificate, removing -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Extra spaces, carriage returns, and other extraneous characters will cause certification validation to fail.

Allowed domains

Specify the email domains which are allowed to authenticate with SAML SSO. Add one domain per field. If the users log in with, the domain to be entered is


Test & Save

After the tests are successful, [Save] the configuration, and SSO will be enabled.


Was this article helpful?
0 out of 0 found this helpful