Skip to main content

Celonis Product Documentation

Configuring SAML single sign-on

Your users can access your EMS using their existing login credentials by configuring SAML SSO for your team. This process establishes a trust relationship between the Celonis EMS and your existing identity provider (IdP), authenticating the user when they login to the EMS.

Your EMS team environment supports SAML 2.0 with the SHA-256 hash algorithm. It doesn't support SAML logout functionality or identity provider initiated flows, however.

When configuring your SAML SSO, you must select your preferred certificate management method (step 4). For more information about your options here, see Certificate management for SAML SSO

When configuring your external identity provider, see: External identity provider configuration

Procedure

To configure and activate your SAML SSO:

  1. Click Admin & Settings - Single Sign-On.

  2. Click SAML - Configure.

     

  3. Configure your general settings, including a name and provider name.

    You can also configure the following options here:

    Maximum Authentication Life Time: This enables you to control how long the user remains signed in (minutes) , with the default set to 480 mins (8 hours). After this time, the user must sign-in again with their identity provider to regain access to your EMS.

    If this option is disabled, the maximum period allowed by the EMS is 10 years. Typically this means that the timeout period is defined and configured on your identity provider.

    Allow bypassing via login form: Enabling this option allows users who are outside of your identity provider to still access your team with their email address and password. This feature is beneficial when working on implementation projects or when adding the user to your identity provider is not possible. You can also enable this option if you need to give a member of the Celonis Support team access to your environment to problem solve.

    A screenshot showing the general settings area when configuring a SAML sso configuration.

  4. Select your certificate type (uploading a user-provided certificate if necessary).

    See: Certificate management for SAML single sign-on

    A screenshot showing the certificate management area of SAML SSO configuration.

  5. Upload your identity provider's metadata. The metadata is an XML file representing the configuration of your SSO and should be available for download in the SSO’s admin interface.

    You can also use the following features here:

    Download SP Metadata: The service provider (SP) metadata file allows for quick configuration on the identity provider and is available once you have uploaded your identity provider metadata file.

    Enable SP Metadata Access via Public URL: This gives you access to a link that reduces the manual effort involved when certificate changes are needed. Depending on your identity provider, this link can enable you to automatically update the certificate when required and without accessing the EMS to do so.

    A screenshot showing how to upload metadata when configuring your SAML SSO.

  6. Click Save.

  7. When prompted, either click Activate or choose to activate your configuration later.

    Your SAML SSO is now active, with all active users at that point being automatically logged out of your EMS They’ll need to re-authenticate to regain access.

External identity provider configuration

Note

The following external identity providers have been successfully configured with Celonis: Microsoft Azure, Okta, OneLogin, ADFS, and JumpCloud. For detailed instructions on how to configure these providers, refer to their documentation.

When configuring your SAML SSO on your external identity provider, the following fields information may be needed:

Relying Party Trust Identifier (entityID)

Use the following format: <team>.<realm>.celonis.com

For example, testcompany.eu-1.celonis.cloud

Relying Party Identity Provider Endpoint

The login type should be: SAML Assertion Consumer.

And the endpoint should be provided in this format: https://<team>.<realm>.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client

For example: https://testcompany.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client

Login URL

As your SAML SSO configuration can't be tested within your EMS, you should use the following URL format to access your EMS:

https://<team>.<realm>.celonis.cloud/ui/login

For example: https://testcompany.eu1.celonis.cloud/ui/login

EMS signed authentication requests

To enable your EMS to sign authentication requests sent to your identity provider you must set your WantAuthnRequestsSigned attribute to 'true'.

For example:

<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">