Single Sign-On (SSO)
Centralize user authentication with your own identity provider
Single Sign-On (SSO) allows users to access Atlar through a single login managed by your identity provider.
Atlar supports SAML 2.0 to give you full control over security policies and user access.
How SSO works
- Users log in to Atlar using a unique SSO login URL for your organization. This URL can be found under My Account → Your Organizations.
- When users open the SSO login URL, they are redirected to your identity provider for authentication.
  - If they are already logged in, no action is needed.
  - If not, they are prompted to enter their credentials.
- After authentication, Atlar verifies membership and logs users in automatically.
  - If they are not yet members, they must first be invited to the organization.
Things to know about SSO
- Once SSO is enabled, users cannot log in with passwords.
- Users must still be invited to the organization with a designated role.
- Changing a user’s email requires a new invitation.
- Only email addresses matching your allowed domains can log in.
- Users must be assigned to the identity provider’s SAML application for Atlar.
- Users can only log in using the SSO login URL (SP-initiated SSO). IdP-initiated SSO is not supported, but most providers allow storing the SSO URL in their portal.
- API integrations are unaffected and continue using the existing authentication methods.
Setting up SSO
To enable SSO, Atlar must configure your identity provider.
The process varies depending on your provider.
Step 1: Create a custom SAML application
Log in to your identity provider and create a new custom SAML app, naming it “Atlar”.
Upload a logo if supported.
Add Atlar service provider details
Field | Value |
---|---|
Assertion Consumer Service (ACS) URL | https://cognito.production.atlar.com/saml2/idpresponse |
Service Provider (SP) Entity ID | urn:amazon:cognito:sp:eu-central-1_8USGTETUo |
- Sometimes ACS is called Single Sign-On URL or Reply URL. Use it also for Destination URL and Recipient URL if possible.
- Enable SP-initiated SSO and Redirect Binding if supported.
Security options (optional)
Atlar can enable:
- Signed SAML requests – Atlar signs requests to your IdP.
- Encrypted SAML assertions – Your IdP encrypts all SAML assertions with a public key provided by Atlar.
Atlar will supply signing and encryption certificates if needed.
Attribute mapping
- Map the user’s primary email to an attribute named email. If a URL is required, use: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Set the Name ID to a stable, case-sensitive identifier (email recommended).
Assign users
Grant access to users who will sign in via SSO.
They must still be invited to the Atlar organization.
Step 2: Share IdP metadata with Atlar
Provide Atlar with:
- The metadata XML file or a metadata URL for the SAML app (URL preferred).
- The allowed email domains for your organization.
- The attribute name used for email addresses.
Atlar will configure the identity provider and generate a unique SSO login URL.
Step 3: Test SSO login
Atlar will provide the SSO login URL for testing.
During testing, password login remains available.
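While testing, a decoded SAML response from your IdP can be checked against the Step 1 settings (ACS URL as Destination and Recipient, SP Entity ID as Audience, Name ID, email attribute, allowed domain). The Python below is an added example, not Atlar's code; the sample response, the example.com domain and the check_response name are constructed for illustration, and it checks configuration only, not signatures.

```python
import xml.etree.ElementTree as ET

# Values from the "Add Atlar service provider details" table on this page.
ACS_URL = "https://cognito.production.atlar.com/saml2/idpresponse"
SP_ENTITY_ID = "urn:amazon:cognito:sp:eu-central-1_8USGTETUo"
EMAIL_ATTRS = {"email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(xml_text, allowed_domains):
    """Return configuration findings (empty list = matches Step 1). No signature check."""
    root, findings = ET.fromstring(xml_text), []
    if root.get("Destination") != ACS_URL:
        findings.append("Destination is not the ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:  # absent, or encrypted assertions are enabled
        return findings + ["no readable Assertion"]
    recipients = [d.get("Recipient") for d in assertion.iterfind(".//a:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        findings.append("Recipient is not the ACS URL")
    audiences = [(e.text or "").strip() for e in assertion.iterfind(".//a:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        findings.append("Audience is not the SP Entity ID")
    if not assertion.findtext("a:Subject/a:NameID", default="", namespaces=NS).strip():
        findings.append("NameID is empty")
    emails = [(v.text or "").strip()
              for attr in assertion.iterfind(".//a:Attribute", NS) if attr.get("Name") in EMAIL_ATTRS
              for v in attr.iterfind("a:AttributeValue", NS)]
    if not emails:
        findings.append("no email attribute")
    for email in emails:
        if email.rpartition("@")[2].lower() not in allowed_domains:
            findings.append(f"email domain not allowed: {email}")
    return findings

# Constructed sample response (unsigned, illustrative values only).
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <saml:Assertion>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{acs}"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""".format(acs=ACS_URL, sp=SP_ENTITY_ID)

if __name__ == "__main__":
    print(check_response(GOOD, {"example.com"}))  # allowed domain is an assumption
```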
Step 4: Enable SSO
Once testing is complete, request Atlar to fully enable SSO.
This step requires Owner approval.
After activation, all users must log in using SSO.
Updating IdP metadata
- Atlar tracks the expiry of your response signing certificate and will notify you when it needs replacement.
- If you provided a metadata URL, Atlar automatically refreshes metadata at regular intervals.
- During certificate rotation, configure your IdP to publish both old and new certificates for at least 6 hours.
Troubleshooting
Use an incognito browser window when testing changes to avoid caching issues.
Google Workspace
If you see a Google error page, refer to SAML app error messages.
Common issues:
Error: app_not_enabled_for_user – The user has not been granted access to the SAML app.
Provider-specific guides
- AWS IAM Identity Center: Set up SAML 2.0 application • Application start URL
- Google Workspace: Custom SAML app setup
- JumpCloud: Custom SAML application connectors
- Microsoft Entra ID: Enable SSO for an enterprise app
- Okta: Create SAML app integrations • Bookmark App for IdP flow
- OneLogin: Configure SAML SSO • Advanced SAML Connector