Configuring SAML SSO


If you're an administrator of a team subscribed to the Cronitor Business plan, you can enable single sign-on (SSO) for your team using any SAML2 identity provider.

With SSO enabled, Cronitor authenticates team members through your trusted identity provider, and you can optionally disable password-based login for all team members.

Prepare your identity provider

To get started, follow the documentation for your identity provider to add a new SAML2 integration. Here's what you will need to know to configure your IdP:

  • Cronitor expects the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Attributes for firstName and lastName are accepted, and these are required when using JIT user creation
  • An optional role attribute is accepted, which should map to a valid Cronitor account role: readonly, user or admin
  • Only SAML2 is supported, with HTTP-Redirect binding for SP to IdP and HTTP-POST binding for IdP to SP
  • The assertion consumer service (ACS) post-back URL is https://cronitor.io/auth/saml/acs/ENCODED-USER-ID-HERE
  • Cronitor SAML metadata is available at https://cronitor.io/auth/saml/metadata
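
Before switching the team over, you can lint a decoded SAML Response from your own IdP's test sign-in against the requirements listed above. This is an added example, not Cronitor's code: the function name, the jit_enabled parameter and the sample response are assumptions constructed for illustration, and the script checks configuration only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_PREFIX = "https://cronitor.io/auth/saml/acs/"
VALID_ROLES = {"readonly", "user", "admin"}

# Constructed sample (lastName deliberately omitted); only parse responses from your own IdP.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://cronitor.io/auth/saml/acs/ENCODED-USER-ID-HERE">
<saml:Assertion><saml:Subject><saml:NameID Format="{fmt}">dev@example.com</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, jit_enabled=True):
    """Return a list of configuration problems found in a decoded SAML Response."""
    problems = []
    root = ET.fromstring(xml_text)
    if not root.get("Destination", "").startswith(ACS_PREFIX):
        problems.append("Destination is not the Cronitor ACS URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID is missing")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    if jit_enabled:  # firstName and lastName are required only for JIT user creation
        for required in ("firstName", "lastName"):
            if not attrs.get(required):
                problems.append(f"{required} attribute missing (required for JIT)")
    role = attrs.get("role")  # optional; flagged only when present and not a valid role
    if role is not None and role not in VALID_ROLES:
        problems.append(f"role {role!r} is not one of readonly, user, admin")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE.format(fmt=EMAIL_FORMAT, role="admin")))
```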

You will need three things from your identity provider for the next step:

  • A sign-in URL
  • The entityId (This is often the IdP metadata URL or Azure AD Identifier)
  • An x509 certificate

Enabling SSO for your team

  1. After logging into Cronitor as an administrator, navigate to the Team Settings page.

  2. Click the Configure SSO button to add your identity provider details to Cronitor.

    Note: If the button is not clickable, single sign-on is not available on your current plan.

  3. Paste the sign-in URL copied from your identity provider into the Sign-in URL field.

  4. Paste the entity id copied from your identity provider into the entity id field. (This is often the IdP metadata URL. If you are using Azure, it is the 'Azure AD Identifier')

  5. Paste the contents of the x509 cert from your identity provider. If you were given the cert as an attachment, open it in a simple text editor like Notepad or TextEdit.

  6. After saving these required details, you will be able to test an IdP initiated sign-in flow.

  7. Toggle the Password Authentication control to disabled when you are ready to disable password authentication and use SSO for your team.

  8. After disabling password authentication, stay logged in and immediately test your SAML login from another browser. Return to the SAML settings and re-enable password authentication if your tests are unsuccessful.

  9. Configure your Just-in-Time (JIT) user account provisioning. By default, this feature is enabled, and new users will be created with user level access. You have the option to disable this feature or choose a different default access level. The default access level will be used if a valid role attribute is not provided.

  10. You're done!

Troubleshooting

If you have difficulty configuring or using SAML single sign-on, please contact support@cronitor.io.