Skip to content

Single Sign-on

Single Sign-on provides an organization the ability to offer their own third-party authentication provider for an account, without having to create new credentials (usernames/passwords) on the platform.

This provides an extra layer of security for an organization's account.

The SAML 2.0 protocol is supported.

Only SP-initiated SSO is supported. IdP-initiated SSO is not supported.

In addition to the diagrams below, you can also reference the AWS Cognito documentation .

Custom SAML 2.0 Provider

Account administration (accountAdmin abac policy) allows an administrator to configure external SAML providers for login into the platform.

Navigate to Left Menu > Account > Auth Clients to see the currently configured Authentication Clients.

Example configuration for customer123 account

This example is for an organization leveraging Shibboleth IdP

  • Callback URLs:
  • Signout URLs:
  • Metadata document URL:
  • Email attribute mapping: urn:oid:0.9.2342.19200300.100.1.3
  • Name attribute mapping: urn:oid:2.16.840.1.113730.3.1.241

SSO Configuration

Example user/browser flow

SSO Flow

Example URLs and parameters, using Okta for the IdP:


Last update: 2020-06-11