Endpoints
All public endpoint URLs use https://<domain> where <domain> is the configured PassBeyond domain.
Public SAML endpoints
| Path | Typical method | Purpose |
|---|---|---|
/saml/metadata | GET | Service Provider metadata with SAML metadata content type |
/saml/metadata.xml | GET | Equivalent SP metadata variant with XML content type |
/saml/acs | POST | Assertion Consumer Service receiving the IdP's SAML response |
/saml/slo | GET or POST | Local and SAML Single Logout handling |
/saml/certificate.crt | GET | Public PEM certificate for SAML signing and optional assertion encryption |
The Entity ID is always:
text
https://<domain>/saml/metadataInternal reserved paths
| Path | Purpose |
|---|---|
/__passbeyond-redirect | Starts or resumes the authentication flow and returns to a validated source URL |
/__passbeyond/ | Friendly error pages, styles, fonts, and other embedded static resources |
Do not create backend routes under /saml/ or /__passbeyond/; PassBeyond handles these before its catch-all backend proxy.
No health endpoint
PassBeyond currently has no dedicated health or readiness route. /saml/metadata.xml can verify basic HTTP availability, but an end-to-end login and backend request are needed to verify the complete system.