
Celonis Product Documentation

Single Sign-On (SSO)

  • SSO lets a user authenticate once and then access multiple related but independently operated software systems.

  • It is the authentication part of a federated identity system: an identity provider authenticates the user, and the connected service providers trust that result instead of checking credentials themselves.

  • It establishes the identity of the user and then shares that identity, in the form of a signed assertion or token, with each subsystem that requires it.

Login Options for Celonis EMS

Team admins configure how the users of their team log in to their Celonis team: either Celonis Login or Single Sign-On can be used.

Single Sign-On (SSO) lets users access the EMS with the credentials they already use for other corporate services and resources.

  • Celonis Login

    • If you activate "Celonis Login" for your team, users sign in to your EMS team with their Celonis Intelligent Business Cloud login credentials (username and password).

  • Security Assertion Markup Language (SAML)

    • Federated authentication with Security Assertion Markup Language (SAML) lets an identity provider pass a signed authentication assertion to a service provider in a different security domain. You log in to Celonis Intelligent Business Cloud from a client app with your familiar corporate credentials; your identity provider authenticates you and asserts your identity to Celonis.

    • You can find more information on how to set it up here.

  • OpenID Connect (OIDC)

    • OpenID Connect is an interoperable authentication layer built on the OAuth 2.0 family of specifications. The identity provider issues a signed ID token, and the relying party verifies the token before trusting the identity it carries.

    • You can find more information on how to set it up here.


Users who authenticate via SSO still need an account on the EMS team: SSO proves who a user is, it does not create the user. If you plan to have a large number of users on the team and want them to mirror your Active Directory, use the user sync capability.

Scenarios

Members can sign in to a team under three scenarios. The EMS always requires a user account for each team member, so the scenarios differ in how those accounts are created and removed. Which one fits depends on the number of users to be managed on the team; they are presented in descending order of team size:

Scenario 1: Tight coupling to the AD. Users can only log in via SSO, so the bypass option in the SSO settings stays disabled. If a user is removed from AD, they are also removed from the team.

Implementation: Set up SSO, then set up a continuous user sync.

Scenario 2: SSO is used for login convenience, but user management is not coupled to the AD. Accounts are created and removed on the team manually; a user removed from AD keeps their team account but can no longer pass SSO.

Implementation: Only set up SSO.

Scenario 3: No coupling between the existing AD and the users in the application.

Implementation: Use the default Celonis Login.
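The difference between scenarios 1 and 2 is what happens to a team account after its owner leaves the directory, and the bypass option described further down decides whether such an account can still log in. The following added example (not Celonis code; the EMS sync is not shown, and the Member and TeamSettings types are a hypothetical model) reconciles a constructed directory listing against a constructed team roster and reports, for each combination of sync and bypass settings, which accounts sync would add or remove and which stale accounts could still log in with a password.

```go
package main

import (
	"fmt"
	"sort"
)

// Member is a team account as the EMS holds it (hypothetical model for this example).
type Member struct {
	Email       string
	HasPassword bool // a Celonis Login password exists for this account
}

// TeamSettings mirrors the two switches discussed on this page.
type TeamSettings struct {
	UserSync      bool // continuous sync from the directory (scenario 1)
	BypassEnabled bool // "Allow bypassing via IBC login form"
}

// Plan is the outcome of one reconciliation pass.
type Plan struct {
	Add           []string // in the directory, not yet on the team
	Remove        []string // on the team, gone from the directory (sync removes them)
	Stale         []string // gone from the directory but kept on the team (no sync)
	StillCanLogin []string // accounts gone from the directory that can still log in via password bypass
}

// Reconcile compares the directory with the team and reports what sync would do
// and, more importantly, who keeps access after removal from the directory.
func Reconcile(directory []string, team []Member, s TeamSettings) Plan {
	inDir := make(map[string]bool, len(directory))
	for _, e := range directory {
		inDir[e] = true
	}
	onTeam := make(map[string]bool, len(team))
	var p Plan
	for _, m := range team {
		onTeam[m.Email] = true
		if inDir[m.Email] {
			continue
		}
		if s.UserSync {
			p.Remove = append(p.Remove, m.Email)
		} else {
			p.Stale = append(p.Stale, m.Email)
		}
		// SSO refuses a user the directory no longer knows, but a password login
		// is not gated by the IdP: with bypass on, the account keeps access until
		// it is actually removed (at the next sync run, or never without sync).
		if s.BypassEnabled && m.HasPassword {
			p.StillCanLogin = append(p.StillCanLogin, m.Email)
		}
	}
	for _, e := range directory {
		if !onTeam[e] {
			p.Add = append(p.Add, e)
		}
	}
	for _, l := range []*[]string{&p.Add, &p.Remove, &p.Stale, &p.StillCanLogin} {
		sort.Strings(*l)
	}
	return p
}

func main() {
	// Constructed sample data: carol joined the directory, bob and dave left it.
	dir := []string{"alice@example.com", "carol@example.com"}
	team := []Member{{"alice@example.com", false}, {"bob@example.com", true}, {"dave@example.com", false}}
	fmt.Printf("scenario 1: %+v\n", Reconcile(dir, team, TeamSettings{UserSync: true}))
	fmt.Printf("scenario 2, bypass on: %+v\n", Reconcile(dir, team, TeamSettings{BypassEnabled: true}))
	fmt.Printf("scenario 2, bypass off: %+v\n", Reconcile(dir, team, TeamSettings{}))
}
```

Run against a real export of the directory and the team member list, the StillCanLogin list is the audit result worth acting on: it is empty as long as the bypass box is unchecked, and in scenario 2 it is the only thing standing between a departed user and the team.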

Benefits of Single Sign-On

Here are some of the reasons why setting up an SSO connection makes sense for many of our customers:

  • Reduced administrative costs

    Fewer passwords to manage; system admins receive fewer requests to reset forgotten passwords.

  • Time savings & better usability for users

    No separate password to remember, so fewer mis-typed or forgotten passwords and fewer interrupted logins.

  • Increased security

    The customer's authentication policies (password complexity, rotation, multi-factor requirements) are enforced by the identity provider and therefore apply to Celonis logins as well, as long as bypass via the login form stays disabled.

  • Leverage existing investment

    Many companies use a central LDAP directory to manage their users. When authentication is delegated to it, a user removed from the directory can no longer access their Celonis account, even if the team account itself still exists.

Bypassing Single Sign-on

You can allow members of a team to log in with a password instead of their SSO credentials. You might need this when you work with implementation partners outside your organization, or when single sign-on is temporarily unavailable, for example during certificate updates.

To allow members of a team to log in with a password, check the box "Allow bypassing via IBC login form" for the SAML or OIDC provider on the Single Sign-On settings page in Team Settings, and save the new settings. The setting applies to the whole team: from then on any team member who has a password can log in with it, and those logins are no longer gated by the identity provider's policies.

Once the reason for allowing the bypass no longer applies, for example because you have stopped working with the external users or SSO is available again, uncheck the box in Team Settings so that all logins are routed through the identity provider again.