diff --git a/core/core-frontend/src/assets/svg/icon_file_pem_colorfull.svg b/core/core-frontend/src/assets/svg/icon_file_pem_colorfull.svg
new file mode 100644
index 0000000000..2cdd8f50bb
--- /dev/null
+++ b/core/core-frontend/src/assets/svg/icon_file_pem_colorfull.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/core/core-frontend/src/locales/en.ts b/core/core-frontend/src/locales/en.ts
index dc71cffbba..5bdd7aa906 100644
--- a/core/core-frontend/src/locales/en.ts
+++ b/core/core-frontend/src/locales/en.ts
@@ -620,6 +620,8 @@ export default {
field_mapping: 'Field Mapping',
oauth2name:
'For example: {\'{\'}"account": "oauth2Account", "name": "oauth2Name", "email": "email"{\'}\'}',
+ saml2name:
+ 'For example: {\'{\'}"account": "saml2Account", "name": "saml2Name", "email": "email"{\'}\'}',
oidc_settings: 'OIDC Settings',
test_mail_recipient: 'Only used as a test email recipient',
to_enable_ssl: 'If the SMTP port is 465, you usually need to enable SSL',
diff --git a/core/core-frontend/src/locales/tw.ts b/core/core-frontend/src/locales/tw.ts
index af300906df..47465d8282 100644
--- a/core/core-frontend/src/locales/tw.ts
+++ b/core/core-frontend/src/locales/tw.ts
@@ -600,6 +600,8 @@ export default {
field_mapping: '字段映射',
oauth2name:
'例如:{\'{\'}"account": "oauth2Account", "name": "oauth2Name", "email": "email"{\'}\'}',
+ saml2name:
+ '例如:{\'{\'}"account": "saml2Account", "name": "saml2Name", "email": "email"{\'}\'}',
oidc_settings: 'OIDC設定',
test_mail_recipient: '僅用來作為測試郵件收件者',
to_enable_ssl: '如果SMTP連接埠是465 ,通常需要啟用SSL',
diff --git a/core/core-frontend/src/locales/zh-CN.ts b/core/core-frontend/src/locales/zh-CN.ts
index 46199bc13b..62e3180752 100644
--- a/core/core-frontend/src/locales/zh-CN.ts
+++ b/core/core-frontend/src/locales/zh-CN.ts
@@ -603,6 +603,8 @@ export default {
field_mapping: '字段映射',
oauth2name:
'例如:{\'{\'}"account": "oauth2Account", "name": "oauth2Name", "email": "email"{\'}\'}',
+ saml2name:
+ '例如:{\'{\'}"account": "saml2Account", "name": "saml2Name", "email": "email"{\'}\'}',
oidc_settings: 'OIDC设置',
test_mail_recipient: '仅用来作为测试邮件收件人',
to_enable_ssl: '如果SMTP端口是 465 ,通常需要启用SSL',
diff --git a/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackAuthenticationApi.java b/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackAuthenticationApi.java
index c859a1f684..a92c4d9b19 100644
--- a/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackAuthenticationApi.java
+++ b/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackAuthenticationApi.java
@@ -81,6 +81,10 @@ public interface XpackAuthenticationApi {
@PostMapping("/validate/oauth2")
String validateOauth2(@RequestBody XpackOauth2VO editor);
+ @Operation(summary = "验证SAML2")
+ @PostMapping("/validate/saml2")
+ String validateSaml2(@RequestBody XpackSaml2VO editor);
+
@Operation(summary = "验证")
@PostMapping("/validateId/{id}")
String validate(@PathVariable("id") Long id);
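Review bot: `validateSaml2` takes an `XpackSaml2VO` whose new `privateKey` and `certificate` String fields (added in this diff's XpackSaml2VO hunk) carry PEM key material in the request body, yet the interface says nothing about what the returned `String` contains, so an implementor could reasonably echo the submitted settings back. A Javadoc line such as `/** Validates the submitted SAML2 SP/IdP settings; the result must describe only the validation outcome and never include {@code editor.getPrivateKey()}. */` would pin that contract for the implementation, which lives outside this diff. The `@Operation` summary could likewise state what the result string means, matching `validateOauth2` directly above.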
diff --git a/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackSaml2Api.java b/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackSaml2Api.java
index df422d593d..1ee34a1b16 100644
--- a/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackSaml2Api.java
+++ b/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/XpackSaml2Api.java
@@ -2,6 +2,7 @@ package io.dataease.api.xpack.settings;
import com.github.xiaoymin.knife4j.annotations.ApiSupport;
import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
@@ -9,9 +10,12 @@ import org.springframework.web.bind.annotation.PostMapping;
@ApiSupport(order = 899)
public interface XpackSaml2Api {
- @GetMapping("/login")
- void saml2Login();
-
@PostMapping("/sso")
- void saml2Callback() throws Exception;
+ String sso();
+
+ @GetMapping(value = "/metadata", produces = MediaType.APPLICATION_XML_VALUE)
+ String metadata();
+
+ @GetMapping("/login")
+ void login();
}
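Review bot: Renaming `saml2Login`/`saml2Callback` to `login`/`sso` and dropping `throws Exception` from the callback change the interface contract, so every implementor (none is visible in this diff) must be updated in the same change. None of the three endpoints carries Javadoc or an `@Operation` summary the way `XpackAuthenticationApi` does, and `sso()` now returns a `String` with no `produces`, so it is unclear whether that is a redirect target or rendered markup. Assuming `sso` is the assertion consumer endpoint and `login` starts SP-initiated sign-on, suggested doc comments are: on `sso()` `/** Assertion consumer endpoint for the IdP's POSTed response; document what the returned String is (redirect target vs. page body). */`, on `metadata()` `/** Returns the SP metadata document; public information only, never key material. */`, on `login()` `/** Starts SP-initiated sign-on by sending the browser to the IdP. */`. The `produces = MediaType.APPLICATION_XML_VALUE` on `/metadata` depends on the `MediaType` import added in the previous hunk, so the two hunks must land together.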
diff --git a/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/vo/XpackSaml2VO.java b/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/vo/XpackSaml2VO.java
index ae20026c3f..e06fa1718c 100644
--- a/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/vo/XpackSaml2VO.java
+++ b/sdk/api/api-base/src/main/java/io/dataease/api/xpack/settings/vo/XpackSaml2VO.java
@@ -2,14 +2,16 @@ package io.dataease.api.xpack.settings.vo;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.signature.X509Certificate;
import java.io.Serializable;
import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
@Data
public class XpackSaml2VO implements Serializable {
+ private String idpMetaUrl;
private String spEntityId;
private String spAcs;
@@ -17,15 +19,20 @@ public class XpackSaml2VO implements Serializable {
private String idpEntityId;
private String idpLogoutUrl;
+ private String privateKey;
+ private String certificate;
+
+ private String mapping;
+
@JsonIgnore
private PrivateKey spPrivateKey;
@JsonIgnore
- private X509Certificate spCertificate;
+ private BasicX509Credential spCertificate;
@JsonIgnore
private X509Certificate idpCertificate;
- private int assertionValidityTime = 300; // 5分钟
+ private int assertionValidityTime = 300;
private boolean wantAssertionsSigned = true;
private boolean wantAuthnRequestsSigned = true;
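Review bot: `privateKey` and `spPrivateKey` now sit in a Lombok `@Data` class, so the generated `toString()` — and any log line that prints the VO — will include the PEM private key; `@JsonIgnore` on `spPrivateKey` only affects Jackson, and the plain `privateKey` String has no protection at all and will be serialized into any response that returns the VO. Suggest `@ToString.Exclude` on both fields and `@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)` (import `com.fasterxml.jackson.annotation.JsonProperty`) on `privateKey`, so the key can be submitted but is never read back. The type changes in this hunk also make the names misleading: `idpCertificate` is now the OpenSAML XML object `org.opensaml.xmlsec.signature.X509Certificate` rather than `java.security.cert.X509Certificate`, and `spCertificate` holds a `BasicX509Credential`, which carries the key pair rather than only the certificate — `spCredential` would read more honestly. Note too that this class is in `sdk/api/api-base` while this diff adds the OpenSAML dependency only to `sdk/common/pom.xml`; unless api-base already depends on common, the imports introduced in the hunk at lines 92–104 will not resolve.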
diff --git a/sdk/common/pom.xml b/sdk/common/pom.xml
index 92d6c9f8dd..72b03a9282 100644
--- a/sdk/common/pom.xml
+++ b/sdk/common/pom.xml
@@ -11,7 +11,9 @@
common
-
+
+ 3.4.6
+
@@ -136,6 +138,18 @@
${project.version}
+
+ org.opensaml
+ opensaml-core
+ ${opensaml.version}
+
+
+
+
+ org.opensaml
+ opensaml-saml-impl
+ ${opensaml.version}
+
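Review bot: The new `opensaml.version` property pins OpenSAML to 3.4.6, and the 3.x line is end-of-life per the Shibboleth project and is not published to Maven Central — its artifacts are served only from the project's own repository, so the build also needs a matching `<repository>` entry, which is not visible in this hunk (check the rest of this pom or the parent). Because this library parses signed XML received from an external IdP, the version choice is a supply-chain decision: prefer the currently maintained 4.x/5.x line unless something pins the project to 3.x, and record the reason next to the property, e.g. `<!-- opensaml 3.x is EOL; pinned because … (see [TICKET-ID placeholder]) -->`. The element names appear stripped in this rendering of the hunk, so the exact dependency structure cannot be verified here.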
diff --git a/sdk/common/src/main/java/io/dataease/result/ResultResponseBodyAdvice.java b/sdk/common/src/main/java/io/dataease/result/ResultResponseBodyAdvice.java
index ef2dc5a03c..da9aa40737 100644
--- a/sdk/common/src/main/java/io/dataease/result/ResultResponseBodyAdvice.java
+++ b/sdk/common/src/main/java/io/dataease/result/ResultResponseBodyAdvice.java
@@ -3,6 +3,7 @@ package io.dataease.result;
import io.dataease.i18n.I18n;
import io.dataease.i18n.Translator;
import io.dataease.utils.JsonUtil;
+import org.apache.commons.lang3.ObjectUtils;
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
@@ -32,6 +33,10 @@ public class ResultResponseBodyAdvice implements ResponseBodyAdvice