Skip to content

Endpoints

All public endpoint URLs use https://<domain> where <domain> is the configured PassBeyond domain.

Public SAML endpoints

PathTypical methodPurpose
/saml/metadataGETService Provider metadata with SAML metadata content type
/saml/metadata.xmlGETEquivalent SP metadata variant with XML content type
/saml/acsPOSTAssertion Consumer Service receiving the IdP's SAML response
/saml/sloGET or POSTLocal and SAML Single Logout handling
/saml/certificate.crtGETPublic PEM certificate for SAML signing and optional assertion encryption

The Entity ID is always:

text
https://<domain>/saml/metadata

Internal reserved paths

PathPurpose
/__passbeyond-redirectStarts or resumes the authentication flow and returns to a validated source URL
/__passbeyond/Friendly error pages, styles, fonts, and other embedded static resources

Do not create backend routes under /saml/ or /__passbeyond/; PassBeyond handles these before its catch-all backend proxy.

No health endpoint

PassBeyond currently has no dedicated health or readiness route. /saml/metadata.xml can verify basic HTTP availability, but an end-to-end login and backend request are needed to verify the complete system.

Released under the MIT License.