
Security recommendations

The appropriate team security and user provisioning settings depend on your team size. Before setting up your team, we therefore recommend choosing a coupling approach and the settings that go with it.

Tight coupling of SSO and user management

With tight coupling, users are synced dynamically from the identity provider. Any changes to individual accounts, and optionally to their groups, are reflected in the Celonis Platform at sign-in. This approach suits larger organizations with a greater need for user governance.

Because of the scale involved, the identity provider should supply groups, to which the administrator then assigns permissions in the Celonis Platform. If no groups are available, the administrator must add users to Celonis Platform groups manually.

Tight coupling can be implemented via the SCIM API or via SAML Just-in-Time (JIT) provisioning; we recommend SCIM.

Tight coupling differs from light coupling because:

  • It provides dynamic user syncing. This means that users created in your identity provider are automatically created in your Celonis Platform; there is no need to send invitations manually.

  • It provisions and updates groups.

  • It allows users to log in directly without an admin invitation.

Light coupling of SSO and user management

Light coupling is recommended for teams that have outgrown manual user maintenance but do not yet require full dynamic synchronization. This approach uses SAML or OIDC SSO to automate the initial creation of user profiles (names and email addresses) within the Celonis Platform upon first login. It simplifies onboarding through a one-time SSO setup, but there is no continuous, dynamic sync between your identity provider and the platform.

We recommend the following:

Centralized identity management

Unlike traditional local logins that are tied to a single "team" (environment), Celonis ID acts as a global profile.

  • One account, multiple Teams: A user can use a single set of credentials to access multiple Celonis teams.

  • Seamless switching: When logged in via Celonis ID, users can switch between different teams without re-authenticating, provided they have been invited to those teams.

  • Personal profile: Users manage their own profile details—such as profile picture, language preferences, and time zones—in one central location that persists across the platform.

Mandatory security (2FA)

A core functional pillar of Celonis ID is the enforcement of Two-Factor Authentication (2FA). Because it is the default "cloud-native" login, Celonis mandates an extra layer of security:

  • Initial setup: When first signing in, users are required to set up 2FA.

  • Verification methods: Users can choose to receive their 2FA codes via email or a supported authenticator app (like Google or Microsoft Authenticator).

  • Triggering events: The system typically prompts for a 2FA token when a user logs in from a new device, a new browser, or if their session has expired (usually after 30 days of inactivity).

Password requirements

Celonis ID enforces a strict password policy to ensure account integrity:

  • Minimum of 8 characters.

  • At least one character from each of four categories: uppercase letters, lowercase letters, numbers, and special characters.

Relationship with SSO

It is important to distinguish Celonis ID from Single Sign-On (SSO):

  • The "Fall-Back" role: If a company configures SAML or OIDC (SSO), Celonis ID usually becomes a secondary method. Admins often keep it enabled as a "bypass" option to prevent lockouts if the SSO provider goes down.

  • Co-existence: You can have some users (like external consultants) logging in via Celonis ID while internal employees use the company’s SSO.

| Feature | Celonis ID (Default) | Single Sign-On (SAML/OIDC/SCIM) |
|---|---|---|
| Credential source | Managed by Celonis | Managed by your company (IdP) |
| Maintenance | User-managed passwords | IT-managed (Active Directory) |
| Multi-team | One ID for all Celonis teams | Restricted to specific team setup |
| 2FA | Handled by Celonis | Handled by your IdP |

When your team is too large for manual invitations and maintenance, we recommend that you use either SAML SSO or OIDC SSO. This involves the one-time effort of setting up SSO. After that, when users respond to an invite and log in for the first time, their identity information (first name, last name, email) is added to the Celonis Platform. This is light coupling, since there is no dynamic sync between the identity provider and the Celonis Platform.
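To make the difference between the two coupling styles concrete, the following added example (not Celonis code and not the SCIM API itself; the data, function names and group names are constructed for illustration) models both against the same identity-provider snapshot: tight coupling reconciles the platform with the IdP on every sync, including group updates and deactivation of users removed upstream, whereas light coupling only fills in the profile at first login and never removes or updates anyone afterwards.

```python
from dataclasses import dataclass, field

@dataclass
class PlatformUser:
    email: str
    first_name: str
    last_name: str
    active: bool = True
    groups: set = field(default_factory=set)

# Constructed IdP snapshot (hypothetical data): alice's surname changed,
# bob was removed from the IdP, and carol is new and belongs to "admins".
IDP_SNAPSHOT = {
    "alice@example.com": {"first": "Alice", "last": "Smith-Jones", "groups": {"analysts"}},
    "carol@example.com": {"first": "Carol", "last": "Lee", "groups": {"admins"}},
}

def initial_platform() -> dict:
    """Platform state before any sync: alice unchanged, bob still an admin."""
    return {
        "alice@example.com": PlatformUser("alice@example.com", "Alice", "Smith", True, {"analysts"}),
        "bob@example.com": PlatformUser("bob@example.com", "Bob", "Ng", True, {"admins"}),
    }

def tight_sync(platform: dict, idp: dict) -> dict:
    """Tight coupling (SCIM-style): the IdP is the source of truth. Creates
    missing users, updates names and groups, deactivates users gone from the IdP."""
    for email, attrs in idp.items():
        user = platform.get(email)
        if user is None:
            platform[email] = PlatformUser(email, attrs["first"], attrs["last"],
                                           True, set(attrs["groups"]))
        else:
            user.first_name, user.last_name = attrs["first"], attrs["last"]
            user.groups = set(attrs["groups"])
            user.active = True
    for email, user in platform.items():
        if email not in idp:
            user.active = False  # deprovisioned upstream, so blocked here too
    return platform

def light_login(platform: dict, idp: dict, email: str) -> dict:
    """Light coupling (SAML/OIDC): the profile is created from the SSO assertion
    on first login only; later changes, groups and removals never propagate."""
    if email in idp and email not in platform:
        attrs = idp[email]
        platform[email] = PlatformUser(email, attrs["first"], attrs["last"])
    return platform
```

Under light coupling, bob stays active and keeps the "admins" group until an administrator notices, which is the governance gap that tight coupling closes.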