Users & Security
Configuring SAML SSO
If you're a Cronitor team administrator, you can enable single sign-on (SSO) using any SAML2 identity provider, such as Okta, Azure AD, or Google Workspace, to simplify user access and enhance security.
Integrate w/ Identity Provider (IdP)
Step 1: Get Cronitor's SAML details
When configuring your identity provider, you'll need these Cronitor URLs:
| Parameter | Value |
|---|---|
| SAML Metadata URL | https://cronitor.io/auth/saml/metadata |
| Assertion Consumer Service URL | https://cronitor.io/auth/saml/acs/ENCODED-SAML-ID |
Step 2: Configure your Identity Provider (IdP)
Use these settings when setting up the SAML integration:
| Setting | Value |
|---|---|
| NameId Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| SAML Protocol | SAML2 with HTTP-Redirect (SP to IdP) and HTTP-POST (IdP to SP) |
Attributes
| Attribute | Purpose | Required? |
|---|---|---|
firstName | User's first name | Required for JIT user creation |
lastName | User's last name | Required for JIT user creation |
role | User's access level: readonly, user, or admin | Optional |
Step 3: Gather information from your IdP
Before moving to the next section, collect these three items from your identity provider:
| Required Item | Description | Examples |
|---|---|---|
| SSO Login URL | The SAML login endpoint | https://yourcompany.okta.com/app/... |
| Entity ID | IdP identifier | Often the metadata URL or Azure AD Identifier |
| x509 Certificate | Public certificate for signature validation | PEM-formatted certificate |
Enable SSO in Cronitor
Step 1: Access SSO configuration
Log into Cronitor as an administrator, navigate to Team Settings, and click the "Configure SSO" button to begin setup.
Note: If the button is disabled, ensure your team is subscribed to the Business plan.
Step 2: Enter your identity provider details
Add the information you gathered from your IdP in the previous section:
| Field | Instructions |
|---|---|
| SSO Login URL | Enter the login URL provided by your identity provider (IdP). |
| Entity ID | Enter your identity provider's unique Entity ID or metadata URL. |
| X.509 Certificate | Paste the full certificate text provided by your IdP (open .cer or .pem files in a text editor). |
Step 3: Configure User Provisioning (Optional)
You can optionally enable Just-in-Time (JIT) provisioning, which automatically creates a Cronitor user account when someone signs in through your identity provider for the first time.
| Setting | Options | Default | Description |
|---|---|---|---|
| JIT Provisioning | Enabled / Disabled | Enabled | Automatically create Cronitor user accounts on first login |
| Default Role | readonly, user, admin | user | Default user role if the identity provider doesn't specify one |
Step 4: Test Your SAML Integration
To verify your SSO configuration:
- Save your SAML configuration settings.
- Sign in through your identity provider's portal.
- Confirm successful authentication and access to your Cronitor account.
Step 5: Disable password authentication (optional)
- Keep yourself logged in during this process
- Test SAML login in another browser or incognito window
- Only disable password authentication after successful SAML testing
- Re-enable password auth immediately if SAML tests fail
Security Checklist
| ✓ | Action |
|---|---|
| [ ] | Test SAML login before disabling passwords |
| [ ] | Verify JIT provisioning creates accounts correctly |
| [ ] | Confirm role mapping works as expected |
| [ ] | Keep an admin account accessible during testing |
| [ ] | Document IdP configuration for future reference |