SAML SSO for DEX

This article describes how to enable SAML SSO authentication for ControlUp's DEX platform (app.controlup.com).

To access SAML settings, go to Settings > SAML Single Sign-On.

Key features

Automatic user account provisioning - When a new user signs in with SAML for the first time, their ControlUp account is automatically created and assigned the Default Role configured in your ControlUp SAML settings page. If you don't want to allow users to sign in and automatically create ControlUp accounts, you can restrict access to ControlUp in your IdP settings.
Assign user roles based on IdP group membership - Click here for details on how this works and how to set it up.
Support for multiple ControlUp organizations - You can use SSO for multiple ControlUp organizations using the same IdP tenant by setting a unique identifier for each organization. To do this, add a unique string to the end of the Relying Party Trust Identifier field in the DEX SAML settings page for each organization.
SP-initiated or IdP-initiated SSO - Read Sign in with SAML below for details.

Note: ControlUp SLO doesn’t support certification exchange.

Sign in with SAML

Make sure SAML is allowed as a login method

You must enable SAML SSO as an allowed login method in your ControlUp organization. Learn how to allow login methods. Select Sign in with SAML SSO from Login Methods

After you have configured SAML using the steps below, you can sign in to your organization using SAML by either:

Direct SAML URL (https://app.controlup.com/<yourOrgName>/saml)
Clicking the With SAML login method on your organization login page.
IdP-initiated SSO. You can sign in to your Identity Provider's page and then select the ControlUp application to sign into ControlUp with SSO. Note that to use IdP-initiated SSO, you must add the attribute orgurl to your SAML assertion. Read Configure User Attributes in Your IdP for more details.

Automatically set up SAML SSO

If you have set up an Entra ID integration for ControlUp authentication and authorization, you can click Automated setup to automatically set up SAML SSO with Entra ID. The automated setup creates a new application in Entra ID named 'ControlUp-SAML-<your organization name>' and configures the required user attributes. If you want to use optional features such as LDAP VDI authentication or IdP-initiated SSO, you'll have to manually add the extra attributes described in the manual steps below. The automated setup does not assign users or groups to the Entra ID application, so you must manually add your ControlUp users or groups to the Entra ID application after you perform the automated setup.

To use this feature, you must first add an Entra ID integration. You must grant the integration the permissions Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration to perform the automated SAML setup.
Configure automated SAML SSO setup

Manually configure SAML SSO with your IdP

This section describes how to manually set up SAML SSO with any IdP. If your IdP is listed below, you can read the article specific to your IdP. Please refer to your IdP's documentation for more details:

Tip: Import and export metadata files to make your SAML configuration easier

If your IdP supports it, you can import and export XML metadata files between ControlUp and your IdP. If you do this, you can skip steps 1 and 2 below. Import XML metadata files if IdP supports this

Step 1 - Configure settings in ControlUp

This table lists fields that you need to fill out in the ControlUp SAML settings page.

Field in ControlUp SAML settings	Required	Notes
IdP Login URL	Yes	Copy the login URL from your IdP and paste it here. Your IdP might call this: Login URL Single sign on URL
IdP Logout URL	No	if you want to use single log out (SLO), copy the logout URL from your IdP and paste it here. SLO is not supported on all IdPs. Your IdP might call this: Logout URL Single log out URL
IdP Signing Certificate	Yes	Download the X.509 signing certificate from your IdP and upload it here. Note: You must ensure that your IdP uses the certificate to sign the SAML assertion.
Entity/Issuer ID	Yes	Copy the entity/issuer ID from your IdP and paste it here. Your IdP might call this: Entity ID Issuer ID Issuer URL Azure AD Identifier
Default Role	Yes	Set the default role assigned to ControlUp accounts automatically provisioned when a new user signs in with SAML. You can select from the default roles or a custom role. For added security, we recommend that you set the default role to one with limited permissions, such as Viewer. Learn more about permissions.

Step 2 - Configure settings in your IdP

This table lists the fields that are already filled out in your ControlUp SAML settings page. You need to take the information from these fields and add it in your IdP.

Field in ControlUp SAML settings	Required	Notes
Relying Party Trust Identifier	Yes	Copy this value from ControlUp SAML settings and paste it into your IdP. Your IdP might call this: Identifier Entity ID Relying Party Identifier Audience URI If you want to sign in with SAML to multiple ControlUp organizations using the same IdP tenant, edit this value to make it unique for each organization.
Endpoint Assertion/Login URL	Yes	Copy this value from ControlUp SAML settings and paste it into your IdP. Your IdP might call this: Reply URL Assertion Consumer Service (ACS) URL Trusted URL Single sign on URL
Assertion Logout URL	No	If you want to use single logout (SLO), copy this value from ControlUp SAML settings and paste it into your IdP.
Signing Certificate	If it is required by your IdP	If your IdP requires it, download the X.509 certificate from ControlUp and upload it to your IdP. Azure AD, Okta, and DUO for example, do not require that you upload this certificate.

Step 3 - Configure User Attributes in Your IdP

Do you use a Real-Time DX version lower than 9.0?

The attribute table below is updated for version 9.0. If you use an lower version, click here to see the attributes.

NameID

A NameID is not required. However, if a NameID is included in the SAML assertion, then it overrides the UPN attribute from the attribute statement. If your IdP requires you to send a NameID, you must configure it to send the user's UPN.

Configure your IdP to send the following attributes:

Attribute Name	Required	Notes
`emailaddress` OR `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`	Yes	The user's email address. Used to identify the user's ControlUp account.
`givenname` OR `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`	Yes	The user's first name.
`surname` OR `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`	Yes	The user's last name.
`upn` OR `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` OR `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`	No	The user's UPN. Required only if you use LDAP to authorize to the VDI App. To learn more, see here.
`sAMAccountName`	No	The user's sAMAccountName. Required only if you use LDAP to authorize to the VDI App.
`distinguishedName`	No	The user's distinguished name. Required only if you use LDAP to authorize to the VDI App.
`orgurl`	No	The name of your ControlUp organization. This is required only to use IdP-initiated SSO. For example, if you access your ControlUp from app.controlup.com/acmeorg, configure this attribute to send "acmeorg".
`userGroups` OR `groups`	No	The names or IDs of IdP user groups. Used for assigning roles to ControlUp users based on IdP groups.
`email`	No	The ID of the user's ControlUp account (in the format something@example.xyz). You can use this attribute to sign in with a user that doesn't have an email address. For details, visit How to Sign in With a SAML User That Doesn't Have an Email Address.

Troubleshooting

You might get an error when you try to access your VDI & DaaS environment saying "Your account <accountName> doesn't have permission to access the VDI & DaaS web console. Ask your ControlUp Admin to give you permission to Use Web Application." If you have confirmed that your account has the permission and you are still getting the error, reboot your ControlUp Monitors and try again.