# Wallix Trustelem SSO (SAML)

> Use Wallix Trustelem SAML to secure access to ngrok endpoints with single sign-on.

<Note>
  This guide refers to using SSO to authenticate access to your **endpoints**. You cannot use these instructions to set up SSO for logging into your ngrok account in the dashboard.
</Note>

This guide walks you through configuring Wallix Trustelem as the primary Identity Provider for ngrok tunnels using single sign-on (SSO).
By integrating Wallix Trustelem SSO with ngrok, you can:

* Restrict access to ngrok tunnels only to users authenticated via Wallix Trustelem
* Use Wallix Trustelem security policies and MFA authenticators
* Use Wallix Trustelem's Dashboard to facilitate access to ngrok apps

## What you'll need

* A Wallix Trustelem account with administrative rights to create apps.
* An ngrok Pay-as-you-go account with an authtoken or admin access to configure endpoints with SAML.

## 1. Configure Wallix Trustelem

* Access the WALLIX Trustelem administration console and sign in using your Trustelem account.
* On the **Dashboard** page, click **Apps** on the left menu, click **Add an application** and click the **SAML 2 application** tile in the **Generic models** section.
* On the **Settings** popup, enter `ngrok saml` in the **Name** field, click **Save**, click **Download metadata files**, save the XML file on your desktop, and then click **Close**.

## 2. Configure ngrok

<Warning>
  The SAML Traffic Policy action is currently in [developer preview](/traffic-policy/actions/saml/). [Request access](https://dashboard.ngrok.com/developer-preview) to configure SAML via Traffic Policy.
</Warning>

Once you have developer preview access, create a `policy.yaml` file with the following content, replacing `YOUR_IDP_METADATA_XML` with the IdP metadata XML from Wallix Trustelem:

```yaml
on_http_request:
  - actions:
      - type: saml
        config:
          idp_metadata: 'YOUR_IDP_METADATA_XML'
```

The SAML action generates your ngrok SP Entity ID and ACS URL based on your endpoint URL. Refer to the [SAML action documentation](/traffic-policy/actions/saml/) for how to retrieve these values to complete your IdP configuration.

## 3. Link Wallix Trustelem with ngrok

* On the WALLIX Trustelem administration console, click **Apps** on the left menu, and then click your application.
* On the **Settings** popup, click **Edit**, paste the **SP Entity ID** in the **EntityID** field and the **ACS URL** in the **Assertion Consumer Service** field.
  Retrieve both values from the [SAML action documentation](/traffic-policy/actions/saml/) (see [Configure ngrok](#2-configure-ngrok)).
* Click **Save**.

## 4. Start a tunnel

<Note>
  This step assumes you have an app running locally (for example, on `localhost:3000`) with the ngrok client installed.
</Note>

Run the following command, replacing `3000` with your local web app port and `YOUR_DOMAIN` with your ngrok domain:

```bash
ngrok http 3000 --traffic-policy-file policy.yaml --url YOUR_DOMAIN
```

Copy the URL next to **Forwarding**. You'll use this URL to test the Wallix Trustelem authentication.

## Grant access to Wallix Trustelem users

Wallix Trustelem lets its users access SAML-integrated apps.
To create a user, follow these steps:

* On the left menu of the WALLIX Trustelem administration console, click **Users** and then click **Create User**.
* Enter values for **First Name**, **Last Name**, and **Primary Email** fields, and then click **Save**.

## Test the integration

* In your browser, launch an incognito window.
* Access your ngrok tunnel (for example, `https://trustelem-sso-test.ngrok.app` or using the copied endpoint URL).
* You should be prompted to log in with your Wallix Trustelem credentials.
* After logging in, you should be able to see your web app.
