If you're an administrator of a team subscribed to the Cronitor Business plan, you can enable single sign-on (SSO) for your team using any SAML2 identity provider.
With SSO enabled, Cronitor will authenticate using your trusted identity provider and you can optionally disable password-based login for all team members.
Prepare your identity provider
To get started, follow the documentation for your identity provider to add a new SAML2 integration. Here's what you will need to know to configure your IdP:
- Cronitor expects a nameId format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Attributes for firstName and lastName are accepted, and these are required when using JIT user creation
- An optional role attribute is accepted, which should map to a valid Cronitor account role: readonly, user or admin
- Only SAML2 is supported, with HTTP-Redirect binding for SP to IdP and HTTP-POST binding for IdP to SP.
- The assertion consumer service post back URL is https://cronitor.io/auth/saml/acs/ENCODED-USER-ID-HERE
- Cronitor SAML metadata is available at https://cronitor.io/auth/saml/metadata
You will need three things from your identity provider for the next step:
- A sign-in URL
- The entityId (This is often the IdP metadata URL or Azure AD Identifier)
- An x509 certificate
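As an added example (not Cronitor's code), this Python check runs a decoded test assertion from your IdP against the nameId, firstName, lastName and role requirements listed above, so a mapping mistake shows up before you disable password login. The sample assertion is constructed, and matching attributes on their Name and roles as exact lowercase strings are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
VALID_ROLES = {"readonly", "user", "admin"}

# Constructed sample assertion (unsigned): lastName is missing, role is unmapped.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Administrator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, jit_enabled=True):
    """Return a list of findings; an empty list means the content fits the requirements.

    Checks content only. Signature and certificate validation are out of scope here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("error: no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        findings.append(f"error: NameID Format is {name_id.get('Format')!r}, expected emailAddress")
    # Assumption: attributes are matched on their Name, first value only.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("firstName", "lastName"):
        if jit_enabled and not attrs.get(required):
            findings.append(f"error: {required} missing, required for JIT user creation")
    role = attrs.get("role")
    if role is not None and role not in VALID_ROLES:
        findings.append(f"warning: role {role!r} is not valid, default access level applies")
    return findings


if __name__ == "__main__":
    for line in check_assertion(SAMPLE):
        print(line)
```

A role warning matters most when the team default is broader than the role you intended to send, since the user is then created with the default access level.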
Enabling SSO for your team
After logging into Cronitor as an administrator, navigate to the Team Settings page.
Click the Configure SSO button to add your identity provider details to Cronitor.
Note: If the button is not clickable, single sign-on is not available on your current plan.
Paste the sign-in URL copied from your identity provider into the Sign-in URL field.
Paste the entity id copied from your identity provider into the entity id field. (This is often the IdP metadata URL. If you are using Azure, it is the 'Azure AD Identifier')
Paste the contents of the x509 cert from your identity provider. If you were given the cert as an attachment, open it in a simple text editor like Notepad or TextEdit.
After saving these required details, you will be able to test an IdP initiated sign-in flow.
Toggle the Password Authentication control to disabled when you are ready to disable password authentication and use SSO for your team.
After disabling password authentication, leave yourself logged in and immediately test your SAML login from another browser. Return to the SAML settings and re-enable password authentication if your tests are unsuccessful.
Configure your Just-in-Time (JIT) user account provisioning. By default, this feature is enabled, and new users will be created with user level access. You have the option to disable this feature or choose a different default access level. The default access level will be used if a valid role attribute is not provided.
You're done!
Troubleshooting
If you have difficulty configuring or using SAML single sign-on, please contact support@cronitor.io.