NetIQ and SAML 2.0

Setting up Zeplin with NetIQ Access Manager's Single Sign-On

Written by Rian
Updated over a week ago

NetIQ Access Manager is an Identity Management server, usually located on-premise. Zeplin's SAML SSO is confirmed to work with NetIQ.

☝️ This feature is only available to teams on the Enterprise Plan.

Before you begin

NetIQ does not generate application details (needed by Zeplin) until it has Zeplin-generated values (which need NetIQ data to generate). You will need to contact us at to have us manually generate and supply your specific SSO URL and SP EntityID.

Make a note of the EntityID, X509Certificate, and SingleSignonService Location values in your NetIQ IdP metadata file. Your NetIQ IdP Metadata file is installation specific, but it should be of the form


  • Configure NetIQ from the NetIQ Administration Console.

  • Log in to Zeplin ( as an Owner or Admin for your Zeplin Organization

In NetIQ:

  • Click Devices > Identity Servers > Servers > Edit and select the SAML 2.0 tab.

  • Click New, then click Service Provider
    - Provider Type: General
    - Source: Manual Entry
    - Name: according to your company's standards

  • Click Next.

  • Select the Configuration tab, and click Attributes. Select New Attribute Set from the Attribute Set dropdown menu, and add a new Attribute:
    - Name: email
    - Name Format: leave blank / Unspecified
    - Attribute mapping: email (dependent on your backend directory store)
    and click Finish

  • Select the Metadata tab, and click Edit
    - Enter the SP EntityID we gave you into the NetIQ field Provider ID
    - Enter the SSO URL we gave you into the NetIQ field Post consumer URL
    - If you have a copy of Zeplin's Signing Certificate, browse to the file under Signing Certificate > Service Provider; otherwise, this can be obtained by re-importing the Zeplin metadata after configuring Zeplin.

  • Click the “Next” button, then the “Finish” button.

In Zeplin:

  • From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab.

  • In the SAML 2.0 section, click on the “Enable” button

  • In the Zeplin popup:
    - Copy the string from the NetIQ Metadata field SSOService Location into the Zeplin field IdP SAML 2.0 Endpoint
    - Copy the string from the NetIQ Metadata field EntityID into the Zeplin field IdP Issuer.
    - Copy the string from the NetIQ Metadata field X509Certificate into the Zeplin field IdP Public Certificate

  • Click on the “Enable” button

  • Click on the “Download SAML 2.0 metadata” link.
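The three values copied into the Zeplin popup above can be read from the IdP metadata file with a short script rather than by hand. The following is an added example, not code from Zeplin or NetIQ; the sample metadata, host name and certificate bytes are constructed placeholders. Because the page does not say which binding Zeplin expects, every SingleSignOnService location is listed by binding.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: placeholder host and certificate bytes, not a real NetIQ export.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml2/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {SAMPLE_CERT}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect"
      Location="https://idp.example.com/saml2/sso"/>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-POST"
      Location="https://idp.example.com/saml2/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_fields(metadata_xml):
    """Return the EntityID, signing certificate and SSO locations from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    entity = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    # A KeyDescriptor with no "use" attribute applies to signing and encryption.
    signing = [kd.find(".//ds:X509Certificate", NS)
               for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    certs = ["".join(c.text.split()) for c in signing if c is not None and c.text]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(certs[0], validate=True)
    return {
        "entity_id": entity.get("entityID"),
        "certificate": certs[0],  # first signing certificate, whitespace removed
        # Fingerprint of the DER bytes, for checking the certificate out of band.
        "sha256": hashlib.sha256(der).hexdigest(),
        "sso_locations": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
    }
```

Selecting the KeyDescriptor marked for signing matters because metadata can also carry an encryption certificate, and pasting that one as the IdP Public Certificate would make signature validation fail.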

Back in NetIQ:

Import the X.509 certificate. Click Devices > Identity Servers > Edit > SAML 2.0 > app name > Metadata and click Reimport on the View page, and upload the file just downloaded from Zeplin.

Confirm everything works!

Go to the Zeplin login page, and click the link that says Login with SSO (or go directly to Enter the email address of an existing Zeplin user. You should redirect to your NetIQ IdP to authenticate, then back to that user's Project page.

Your company may have policies in place that will require the Zeplin app to first be assigned to users. Usually, this is via an existing NetIQ user group that will need to be assigned to the Application. Select an appropriate group on the Application's Assignments tab, and assign the Zeplin application and specific users if required.

Finishing Up

  • When it is confirmed users can log in with SAML, you can restrict login to be via SAML only for all users in your domain by setting Require SSO on the AUTHENTICATION tab in Zeplin.
    - Don't Require: Users can continue to log in with username/password or SSO
    - Require for All Members: Users in your domain who try to log in with username/password will be redirected to your IdP instead.
    For safety, the Owner will still be able to log in using their username/password even if this option is set to Require.

  • You can specify a Session timeout. To verify the user is still authenticated, Zeplin will check with your IdP at whichever period is shorter: this setting or the Session Duration sent by your IdP (if it sends one).

  • You can choose to Allow inviting users from different domains. If not ticked, only users with an email address in your domain will be permitted to be invited to the Workspace.

Extra information for NetIQ users

  • NetIQ does not send a session duration value in its SAML assertion. Zeplin will expire and attempt re-authentication only at the duration set in the Session Timeout field (see the AUTHENTICATION tab in Zeplin’s Organization settings). The default value is to never log out the user.

  • NetIQ can sign the Assertion. Zeplin will enforce a valid signature against the NetIQ-generated IdP Public Certificate.

  • By default, NetIQ does not encrypt the Assertion. Zeplin will accept unencrypted assertions, and also assertions encrypted with the Zeplin-generated X.509 certificate (available from Zeplin Support). Zeplin can decrypt all of the ciphers that NetIQ supports.
