Configuring SAML single sign-on
Your users can access your EMS using their existing login credentials by configuring SAML SSO for your team. This process establishes a trust relationship between the Celonis EMS and your existing identity provider (IdP), which authenticates the user when they log in to the EMS.
Your EMS team environment supports SAML 2.0 with the SHA-256 hash algorithm. It doesn't support SAML single logout (SLO) or identity provider initiated flows, however.
When configuring your SAML SSO, you must select your preferred certificate management method (step 4). For more information about your options here, see Certificate management for SAML SSO.
When configuring your external identity provider, see: External identity provider configuration
Procedure
To configure and activate your SAML SSO:
Click Admin & Settings - Single Sign-On.
Click SAML - Configure.
Configure your general settings, including a name and provider name.
You can also configure the following options here:
Maximum Authentication Life Time: Controls how long (in minutes) the user remains signed in; the default is 480 minutes (8 hours). After this time, the user must sign in again with their identity provider to regain access to your EMS.
If this option is disabled, the maximum period allowed by the EMS is 10 years. Typically this means that the timeout period is defined and configured on your identity provider.
Allow bypassing via login form: Enabling this option allows users who are outside of your identity provider to still access your team with their email address and password. This is useful during implementation projects, when adding a user to your identity provider isn't possible, or when you need to give a member of the Celonis Support team access to your environment to troubleshoot. Users who sign in through the bypass form are not subject to the controls your identity provider enforces, so disable this option once it's no longer needed.
Select your certificate type (uploading a user-provided certificate if necessary).
See: Certificate management for SAML single sign-on
Upload your identity provider's metadata. The metadata is an XML file representing the configuration of your SSO and should be available for download in the SSO’s admin interface.
You can also use the following features here:
Download SP Metadata: The service provider (SP) metadata file allows for quick configuration on the identity provider and is available once you have uploaded your identity provider metadata file.
Enable SP Metadata Access via Public URL: This gives you access to a link that reduces the manual effort involved when certificate changes are needed. Depending on your identity provider, this link can enable you to automatically update the certificate when required and without accessing the EMS to do so.
Click Save.
When prompted, either click Activate or choose to activate your configuration later.
Your SAML SSO is now active. All users who are signed in at that point are automatically logged out of your EMS and need to re-authenticate to regain access.
External identity provider configuration
Note
The following external identity providers have been successfully configured with Celonis: Microsoft Azure, Okta, OneLogin, ADFS, and JumpCloud. For detailed instructions on how to configure these providers, refer to their documentation.
When configuring your SAML SSO on your external identity provider, you may need the following information:
Relying Party Trust Identifier (entityID)
Use the following format: <team>.<realm>.celonis.cloud
For example, testcompany.eu-1.celonis.cloud
Relying Party Identity Provider Endpoint
The login type should be: SAML Assertion Consumer.
And the endpoint should be provided in this format: https://<team>.<realm>.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client
For example: https://testcompany.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client
Login URL
As your SAML SSO configuration can't be tested from within your EMS, test the login by opening your team's login URL directly, using the following format:
https://<team>.<realm>.celonis.cloud/ui/login
For example: https://testcompany.eu-1.celonis.cloud/ui/login
EMS signed authentication requests
To enable your EMS to sign the authentication requests it sends to your identity provider, set the WantAuthnRequestsSigned attribute on the IDPSSODescriptor element of the identity provider metadata you upload to 'true'.
For example:
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">