Single Sign-On (SSO)

Centralize user authentication with your own identity provider
Single Sign-On (SSO) allows users to access Atlar through a single login managed by your identity provider.
Atlar supports SAML 2.0 to give you full control over security policies and user access.


How SSO works

  1. Users log in to Atlar using a unique SSO login URL for your organization.
    This URL can be found under My Account → Your Organizations.
  2. When users open the SSO login URL, they are redirected to your identity provider for authentication.
    • If they are already logged in, no action is needed.
    • If not, they are prompted to enter their credentials.
  3. After authentication, Atlar verifies membership and logs users in automatically.
    • If they are not yet members, they must first be invited to the organization.

Things to know about SSO

  • Once SSO is enabled, users cannot log in with passwords.
  • Users must still be invited to the organization with a designated role.
  • Changing a user’s email requires a new invitation.
  • Only email addresses matching your allowed domains can log in.
  • Users must be assigned to the identity provider’s SAML application for Atlar.
  • Users can only log in using the SSO login URL (SP-initiated SSO).
    IdP-initiated SSO is not supported, but most providers allow storing the SSO URL in their portal.
  • API integrations are unaffected and continue using the existing authentication methods.

Setting up SSO

To enable SSO, Atlar must register your identity provider on its side.
The exact steps you perform in your identity provider vary depending on the product you use.

Step 1: Create a custom SAML application

Log in to your identity provider and create a new custom SAML app, naming it “Atlar”.
Upload a logo if supported:

  • Square black logo: PNG, SVG
  • All assets: ZIP

Add Atlar service provider details

  Field                                   Value
  Assertion Consumer Service (ACS) URL    https://cognito.production.atlar.com/saml2/idpresponse
  Service Provider (SP) Entity ID         urn:amazon:cognito:sp:eu-central-1_8USGTETUo
  • Sometimes ACS is called Single Sign-On URL or Reply URL.
    Use it also for Destination URL and Recipient URL if possible.
  • Enable SP-initiated SSO and Redirect Binding if supported.

Security options (optional)

Atlar can enable:

  • Signed SAML requests – Atlar signs requests to your IdP.
  • Encrypted SAML assertions – Your IdP encrypts all SAML assertions with a public key provided by Atlar.

Atlar will supply signing and encryption certificates if needed.

Attribute mapping

  • Map the user’s primary email to an attribute named email.
    If a URL is required, use:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Set the Name ID to a stable, case-sensitive identifier (email recommended).
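The following pre-flight check is an added example, not Atlar's code or part of this guide. It inspects a SAML assertion (as seen in a browser SAML tracer during testing) for the mapping rules just listed: an attribute named `email` (or the emailaddress claim URL), a non-empty NameID, and an email domain on the allowed-domain list described under "Things to know about SSO". The assertion samples are constructed, and the allowed-domain list and the case-mismatch heuristic are this example's own assumptions.

```python
"""Pre-flight check of a SAML assertion against the attribute-mapping rules:
an `email` attribute (or the emailaddress claim URL), a non-empty NameID that
is stable across logins, and an email domain on the allowed-domain list.
Added example; the assertions below are constructed, not captured traffic."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Either attribute name satisfies the mapping instructions on the page.
EMAIL_ATTRIBUTE_NAMES = (
    "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)


def _attribute_values(assertion):
    """Map attribute Name -> list of values across all AttributeStatements."""
    values = {}
    for attr in assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        vals = [(v.text or "").strip()
                for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        values.setdefault(attr.get("Name", ""), []).extend(vals)
    return values


def check_assertion(assertion_xml, allowed_domains):
    """Return {"name_id", "email", "problems"} for one Assertion (or a Response
    wrapping one). An empty "problems" list means the content meets the
    documented requirements; the XML signature is not checked here."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", SAML_NS)
    findings = {"name_id": None, "email": None, "problems": []}
    if assertion is None:
        findings["problems"].append("no saml:Assertion element found")
        return findings

    name_id_el = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        findings["problems"].append("NameID missing or empty; a stable identifier is required")
    else:
        findings["name_id"] = name_id

    attrs = _attribute_values(assertion)
    email = next((v for n in EMAIL_ATTRIBUTE_NAMES for v in attrs.get(n, []) if v), None)
    if email is None:
        findings["problems"].append(
            "no email attribute: expected Name='email' or the emailaddress claim URL")
        return findings
    findings["email"] = email

    domain = email.rpartition("@")[2].lower()
    if domain not in {d.lower() for d in allowed_domains}:
        findings["problems"].append(f"email domain '{domain}' is not on the allowed-domain list")

    # Heuristic (this example's assumption): a NameID and email that differ only
    # in letter case usually come from differently normalised directory fields.
    # NameID is matched case-sensitively, so a value whose case varies between
    # logins would no longer be a stable identifier.
    if name_id and name_id != email and name_id.lower() == email.lower():
        findings["problems"].append(
            "NameID and email differ only in case; make the IdP emit one consistent value")
    return findings


# Constructed samples. Signatures are omitted because only content is inspected.
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Common misconfiguration: the IdP's default attribute is named "mail", not "email".
WRONG_ATTRIBUTE_NAME = GOOD.replace('Name="email"', 'Name="mail"')

# NameID sourced from a differently capitalised directory field.
CASE_MISMATCH = GOOD.replace(">jane.doe@example.com</saml:NameID>",
                             ">Jane.Doe@example.com</saml:NameID>")

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("wrong attribute", WRONG_ATTRIBUTE_NAME),
                       ("case mismatch", CASE_MISMATCH)]:
        print(label, check_assertion(doc, ["example.com"]))
```

Run it against an assertion copied from a SAML tracer before asking Atlar to enable SSO; the "wrong attribute" case is the one that most often surfaces as a failed login after an otherwise successful redirect.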

Assign users

Grant access to users who will sign in via SSO.
They must still be invited to the Atlar organization.

Step 2: Share IdP metadata with Atlar

Provide Atlar with:

  • The metadata XML file or a metadata URL for the SAML app (URL preferred).
  • The allowed email domains for your organization.
  • The attribute name used for email addresses.

Atlar will configure the identity provider and generate a unique SSO login URL.

Step 3: Test SSO login

Atlar will provide the SSO login URL for testing.
During testing, password login remains available.

Step 4: Enable SSO

Once testing is complete, request Atlar to fully enable SSO.
This step requires Owner approval.
After activation, all users must log in using SSO.


Updating IdP metadata

  • Atlar tracks the expiry of your response signing certificate and will notify you when it needs replacement.
  • If you provided a metadata URL, Atlar automatically refreshes metadata at regular intervals.
  • During certificate rotation, configure your IdP to publish both old and new certificates for at least 6 hours.
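The script below is an added example (not Atlar's tooling) for two moments in this guide: checking the IdP metadata you are about to share in Step 2, and confirming during certificate rotation that both the old and the new response-signing certificate are published. It reads standard SAML 2.0 metadata with the Python standard library and reports certificate fingerprints instead of parsing X.509, so it needs no third-party package. The metadata document and its certificate blobs are constructed placeholders, not real keys.

```python
"""Inspect SAML 2.0 IdP metadata before sharing it with Atlar (Step 2) and
while rotating the response-signing certificate. Added example; the metadata
below is a constructed sample and its X509Certificate blobs are placeholder
base64 strings, not real certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def fingerprint(der_bytes):
    """SHA-256 hex digest of the certificate bytes: the value an admin compares
    between the IdP console and what the service provider has on file."""
    return hashlib.sha256(der_bytes).hexdigest()


def inspect_metadata(metadata_xml):
    """Extract what the SP side needs from IdP metadata and list deviations from
    the setup notes above (Redirect binding available, a signing key published)."""
    root = ET.fromstring(metadata_xml)
    info = {"entity_id": root.get("entityID"), "sso_redirect_url": None,
            "sso_post_url": None, "wants_signed_requests": False,
            "signing_fingerprints": [], "problems": []}
    if not info["entity_id"]:
        info["problems"].append("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        info["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return info
    # True when the IdP expects signed AuthnRequests (the "Signed SAML requests" option).
    info["wants_signed_requests"] = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"

    for sso in idp.iterfind("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            info["sso_redirect_url"] = sso.get("Location")
        elif sso.get("Binding") == POST_BINDING:
            info["sso_post_url"] = sso.get("Location")
    if info["sso_redirect_url"] is None:
        info["problems"].append("no HTTP-Redirect SingleSignOnService endpoint")

    # A KeyDescriptor without a `use` attribute is valid for both signing and encryption.
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            info["signing_fingerprints"].append(fingerprint(der))
    if not info["signing_fingerprints"]:
        info["problems"].append("no signing certificate published; responses cannot be verified")
    return info


def check_rotation(metadata_xml, previous_fingerprint):
    """During rotation the IdP should publish the old and the new signing
    certificate side by side (the page asks for at least 6 hours) so that the
    periodic metadata refresh learns the new key before the old one is retired."""
    fps = inspect_metadata(metadata_xml)["signing_fingerprints"]
    return {"old_still_published": previous_fingerprint in fps,
            "new_present": any(fp != previous_fingerprint for fp in fps)}


# Constructed sample: an IdP mid-rotation, publishing two signing certificates.
# The X509Certificate values are base64 of "OLDCERT" and "NEWCERT", not real DER.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>T0xEQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>TkVXQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    info = inspect_metadata(SAMPLE_METADATA)
    print(info)
    print(check_rotation(SAMPLE_METADATA, info["signing_fingerprints"][0]))
```

If `check_rotation` reports `old_still_published` as False before the overlap window has elapsed, the old certificate was removed too early and logins may fail until the next metadata refresh picks up the new key.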

Troubleshooting

Use an incognito browser window when testing changes to avoid caching issues.

Google Workspace

If you see a Google error page, refer to Google's SAML app error messages documentation.

Common issues:

  • Error: app_not_enabled_for_user – The user has not been granted access to the SAML app.

Provider-specific guides