How to Configure SAML Single SSO with Your IdP

    If you upgraded from Solve
    If you previously accessed your organization from solve.controlup.com and upgraded to app.controlup.com, you must enable either LDAP or SAML in Solve to use SAML in DEX.

    Depending on when you upgraded, you might see an additional setting to switch between Use migrated SAML settings and Use DEX SAML settings. Read the upgrade guide to learn about this setting.

    This article describes how to enable SAML SSO authentication for ControlUp's DEX platform (app.controlup.com).

    To access SAML settings, go to Global Settings > SAML Single Sign-On. 

    Key features

    • Automatic user account provisioning - When a new user signs in with SAML for the first time, their ControlUp account is automatically created and assigned the Default Role configured in your ControlUp SAML settings page. If you don't want to allow users to sign in and automatically create ControlUp accounts, you can restrict access to ControlUp in your IdP settings.
    • Assign user roles based on IdP group membership - Click here for details on how this works and how to set it up. 
    • Support for multiple ControlUp organizations - You can use SSO for multiple ControlUp organizations using the same IdP tenant by setting a unique identifier for each organization. To do this, add a unique string to the end of the Relying Party Trust Identifier field in the DEX SAML settings page for each organization.
    • SP-initiated or IdP-initiated SSO - Read Sign in with SAML below for details.

    Sign in with SAML

    Make sure SAML is allowed as a login method
    You must enable SAML SSO as an allowed login method in your ControlUp organization. Learn how to allow login methods.

    After you have configured SAML using the steps below, you can sign in to your organization using SAML by either:

    • Direct SAML URL (https://app.controlup.com/<yourOrgName>/saml)
    • Clicking the With SAML login method on your organization login page.
    • IdP-initiated SSO. You can sign in to your Identity Provider's page and then select the ControlUp application to sign into ControlUp with SSO. Note that to use IdP-initiated SSO, you must add the attribute orgurl to your SAML assertion. Read Configure User Attributes in Your IdP for more details.

    Steps to configure SAML SSO with your IdP

    This section describes how to set up SAML SSO with any IdP. If your IdP is listed below, you can read the article specific to your IdP. Please refer to your IdP's documentation for more details:

    Tip: Import and export metadata files to make your SAML configuration easier
    If your IdP supports it, you can import and export XML metadata files between ControlUp and your IdP. If you do this, you can skip steps 1 and 2 below.


    Step 1 - Configure settings in ControlUp

    This table lists fields that you need to fill out in the ControlUp SAML settings page.

    Field: IdP Login URL
    Required: Yes
    Notes: Copy the login URL from your IdP and paste it here. Your IdP might call this:
    • Login URL
    • Single sign on URL

    Field: IdP Logout URL
    Required: No
    Notes: If you want to use single log out (SLO), copy the logout URL from your IdP and paste it here. SLO is not supported on all IdPs. Your IdP might call this:
    • Logout URL
    • Single log out URL

    Field: IdP Signing Certificate
    Required: Yes
    Notes: Download the X.509 signing certificate from your IdP and upload it here.

    Note: You must ensure that your IdP uses the certificate to sign the SAML assertion.

    Field: Entity/Issuer ID
    Required: Yes
    Notes: Copy the entity/issuer ID from your IdP and paste it here. Your IdP might call this:
    • Entity ID
    • Issuer ID
    • Issuer URL
    • Azure AD Identifier

    Field: Default Role
    Required: Yes
    Notes: Set the default role assigned to ControlUp accounts automatically provisioned when a new user signs in with SAML. You can select from the default roles or a custom role.

    For added security, we recommend that you set the default role to one with limited permissions, such as Viewer. Learn more about permissions.

    Step 2 - Configure settings in your IdP

    This table lists the fields that are already filled out in your ControlUp SAML settings page. You need to take the information from these fields and add it in your IdP.

    Field: Relying Party Trust Identifier
    Required: Yes
    Notes: Copy this value from ControlUp SAML settings and paste it into your IdP. Your IdP might call this:
    • Identifier
    • Entity ID
    • Relying Party Identifier
    • Audience URI

    If you want to sign in with SAML to multiple ControlUp organizations using the same IdP tenant, edit this value to make it unique for each organization.

    Field: Endpoint Assertion/Login URL
    Required: Yes
    Notes: Copy this value from ControlUp SAML settings and paste it into your IdP. Your IdP might call this:
    • Reply URL
    • Assertion Consumer Service (ACS) URL
    • Trusted URL
    • Single sign on URL

    Field: Assertion Logout URL
    Required: No
    Notes: If you want to use single logout (SLO), copy this value from ControlUp SAML settings and paste it into your IdP.

    Field: Signing Certificate
    Required: Only if your IdP requires it
    Notes: If your IdP requires it, download the X.509 certificate from ControlUp and upload it to your IdP. Azure AD, Okta, and DUO, for example, do not require that you upload this certificate.

    Step 3 - Configure User Attributes in Your IdP

    Do you use a Real-Time DX version lower than 9.0?
    The attribute table below is updated for version 9.0. If you use a lower version, click here to see the attributes.
    NameID
    A NameID is not required. However, if a NameID is included in the SAML assertion, then it overrides the UPN attribute from the attribute statement. If your IdP requires you to send a NameID, you must configure it to send the user's UPN.

    Configure your IdP to send the following attributes:

    Attribute name: emailaddress OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Required: Yes
    Notes: The user's email address. Used to identify the user's ControlUp account.

    Attribute name: givenname OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Required: Yes
    Notes: The user's first name.

    Attribute name: surname OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Required: Yes
    Notes: The user's last name.

    Attribute name: upn OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Required: No
    Notes: The user's UPN. Required only if you use LDAP to authorize to the VDI & DaaS web UI. Learn more about accessing the VDI & DaaS web UI.

    Attribute name: sAMAccountName
    Required: No
    Notes: The user's sAMAccountName. Required only if you use LDAP to authorize to the VDI & DaaS web UI. Learn more about accessing the VDI & DaaS web UI.

    Attribute name: distinguishedName
    Required: No
    Notes: The user's distinguished name. Required only if you use LDAP to authorize to the VDI & DaaS web UI. Learn more about accessing the VDI & DaaS web UI.

    Attribute name: orgurl
    Required: No
    Notes: The name of your ControlUp organization. Required only for IdP-initiated SSO. For example, if you access your ControlUp from app.controlup.com/acmeorg, configure this attribute to send "acmeorg".

    Attribute name: userGroups OR groups
    Required: No
    Notes: The names or IDs of IdP user groups. Used for assigning roles to ControlUp users based on IdP groups.

    Attribute name: email
    Required: No
    Notes: The ID of the user's ControlUp account (in the format something@example.xyz). You can use this attribute to sign in with a user that doesn't have an email address. For details, visit How to Sign in With a SAML User That Doesn't Have an Email Address.
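    The attribute rules in this step (the required attributes, the alternative claim-URI names, a NameID overriding the upn attribute, and orgurl being needed for IdP-initiated SSO) can be checked before you go live by running a test assertion exported from your IdP through a small script. The following is an added example, not ControlUp's code: the sample assertion, the issuer URL, the user values and the group names are constructed, and the script reads only the attribute statement. It does not verify the XML signature, so the requirement from Step 1 that your IdP signs the assertion with the uploaded certificate still has to be confirmed separately.

```python
"""Pre-flight check of a SAML assertion's attribute statement against the
attribute table above. Added example, not ControlUp code. It does not
verify the XML signature; the IdP must still sign the assertion with the
certificate configured in Step 1."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute names accepted by the table, mapped to one canonical key each.
ALIASES = {
    "emailaddress": "emailaddress", CLAIMS + "emailaddress": "emailaddress",
    "givenname": "givenname", CLAIMS + "givenname": "givenname",
    "surname": "surname", CLAIMS + "surname": "surname",
    "upn": "upn", CLAIMS + "upn": "upn", CLAIMS + "name": "upn",
    "sAMAccountName": "sAMAccountName",
    "distinguishedName": "distinguishedName",
    "orgurl": "orgurl",
    "userGroups": "groups", "groups": "groups",
    "email": "email",
}
REQUIRED = ("emailaddress", "givenname", "surname")

# Constructed sample assertion (no signature, fictitious issuer and user).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@corp.example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="upn"><saml:AttributeValue>jane.doe@old.example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="orgurl"><saml:AttributeValue>acmeorg</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ControlUp-Admins</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return canonical attribute name -> list of values.

    Both the short names and the claim URIs from the table are accepted.
    As the NameID callout states, a NameID in the Subject overrides the
    upn attribute from the attribute statement.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = ALIASES.get(attr.get("Name"))
        if key is None:
            continue  # not one of the documented attributes; ignored
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(key, []).extend(values)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default=None, namespaces=NS)
    if name_id:
        attrs["upn"] = [name_id.strip()]
    return attrs


def check_assertion(assertion_xml: str, idp_initiated: bool = False) -> list:
    """Return a list of problems; an empty list means the attribute set is usable."""
    attrs = extract_attributes(assertion_xml)
    problems = [f"missing required attribute: {key}" for key in REQUIRED if not attrs.get(key)]
    if idp_initiated and not attrs.get("orgurl"):
        problems.append("IdP-initiated SSO requires the orgurl attribute")
    return problems


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print("problems:", check_assertion(SAMPLE_ASSERTION, idp_initiated=True))
```

    Replace SAMPLE_ASSERTION with the decoded assertion from a test login captured in your IdP's trace tooling; an empty problem list means the required attributes are present under one of the documented names, and the returned upn value shows you which identity wins when the IdP sends both a NameID and a upn attribute.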

    Troubleshooting

    • You might get an error when you try to access your VDI & DaaS environment saying "Your account <accountName> doesn't have permission to access the VDI & DaaS web console. Ask your ControlUp Admin to give you permission to Use Web Application." If you have confirmed that your account has the permission and you are still getting the error, reboot your ControlUp Monitors and try again.
