Configure SAML SSO


If you are an administrator of a Cronitor for Business account you can enable single sign-on (SSO) for your team using any SAML2 identity provider.

When SSO is enabled, Cronitor will authenticate using your trusted identity provider and password-based login will be disabled for all team members.

Prepare your identity provider

To get started, follow the documentation for your identity provider to add a new SAML2 integration. Cronitor service provider details:

  • Cronitor requests a nameId format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Optional firstName and lastName attributes are accepted.
  • Only SAML2 is supported, with HTTP-Redirect binding for SP to IdP and HTTP-POST binding for IdP to SP.
  • The assertion consumer service post back URL is https://cronitor.io/auth/saml/acs/ENCODED-USER-ID-HERE

Cronitor SAML metadata is available at https://cronitor.io/auth/saml/metadata

You will need three things from your identity provider for the next step:

  • A sign-in URL
  • The entityId (This is often the IdP metadata URL or Azure AD Identifier)
  • An x509 certificate

Enabling SSO for your team

  1. After logging into Cronitor as an administrator, navigate to the Account page

  2. Click the Single sign-on link to add your identity provider details to Cronitor. If you are redirected to an upgrade prompt, single sign-on is not available on your current plan.

  3. Paste the sign-in URL copied from your identity provider into the Sign-in URL field.

  4. Paste the entity id copied from your identity provider into the entity id field. (This is often the IdP metadata URL. If you are using Azure, it is the 'Azure AD Identifier')

  5. Paste the contents of the x509 cert from your identity provider. If you were given the cert as an attachment, open it in a simple text editor like Notepad or TextEdit.

  6. After saving these required details, you will be able to test an IdP initiated sign-in flow.

  7. Check the Require SSO box when you are ready to disable password authentication and use SSO for your team.

  8. After requiring SSO leave yourself logged-in and immediately test your SAML login in a private browsing window. Return to the SAML settings and uncheck this box to disable SSO if your tests are unsuccessful.

  9. You're done!

Troubleshooting

If you have difficulty configuring or using SAML single sign-on, please contact support@cronitor.io.