Step by Step – Saba MFA and SSO with PhenixID Authentication Services


This document will guide you through the steps to provide Multi-factor authentication and Single-Sign-On to Saba, a learning management system (LMS), using PhenixID Authentication Services.

System Requirements

  • PhenixID Authentication Services 2.8 or higher
  • Saba administrator account credentials


1. Set up PhenixID Authentication Services as SAML IdP

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
    Make sure the User identifier attribute is set to the attribute where the mail address is stored.
  2. Download the SAML IdP metadata to a file named idp.xml

2. Configure Saba

    1. Login to with your Saba administrator account.
    2. Click Security in the admin console.
    3. Open System->SAML SSO Setup
    4. Click Setup SAML SSO
    5. Select microsite.
    6. Click Add and Configure
    7. Upload the idp.xml metadata file.
    8. Choose Configure SP tab.
    9. Select Basic and enter a entity alias value
    10. Click on Generate.
    11. Click on the Configure Properties tab
    12. Enable SAML SSO to true.
    13. Save
    14. Go to SAML SSO Setup
    15. Select your site
    16. Copy the Saba endpoint url value
    17. Construct the Saba entityID value by replacing subdomain and entity alias:

3. Add Saba SAML SP Metadata to PhenixID Authentication Services

  1. Create Saba SAML SP Metadata XML file. Use the template data below. Replace “ENTITY_ID” with the entityID constructed in previous step.
    Replace “ASSERTION_CONSUMER_LOCATION with the saba endpoint URL fetched in previous step.
    Place the text in a file using a text editor and save it as a xml file.

    <?xml version="1.0" encoding="UTF-8"?>
    <EntityDescriptor entityID="ENTITY_ID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    1. Example metadata:
      <?xml version="1.0" encoding="UTF-8"?>
      <EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  2. Upload the metadata file using this Federation Scenario.


  1. Open a web browser
  2. Browse to your Saba subdomain
  3. You should be redirected to the Idp (PhenixID Authentication Services)
  4. Authenticate
  5. You should be redirected back to G Saba
  6. You are now logged in to G Saba.


Use the SAML Tracer addon for Firefox to debug and trace the SAML messages.

Check PhenixID logs/server.log for errors.

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID -