Single Sign-On (SSO)
Security Assertion Markup Language 2.0 (SAML) is a federation standard allowing an Identity Provider (IdP) to authenticate users and provide information to a Service Provider (SP).
In addition to username and password login, Carium supports Single Sign-On (SSO) through SAML for providers. Customers may register their IdP and have employees log in through common corporate credentials. This allows IT departments to manage user access centrally and enforce security policies, like multi-factor authentication, at the corporate level.
To further delegate security configuration to customers, Carium may be configured to disallow username and password logins, requiring all users to sign in through SSO.
The IdP is any system supporting SAML 2.0, such as Okta, Active Directory, or Google Workspace.
Setup
To set up SSO, you will need to first provision Carium in your IdP and then contact Carium to enable the feature.
Suggested Configuration
Carium suggests the following configuration for your IdP:
- Sign SAML Response: Yes
- Entity ID:
https://api.carium.com/identity/v1/saml-acs/<your-org-name>/acs/(Exact ID Provided by Carium) - Name ID Format:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified(Typically Email).
Required Claims
| Claim | Description |
|---|---|
email | The email address of the user. |
firstName | The first name of the user. |
lastName | The last name of the user. |
Integrating with Carium
After provisioning Carium in your IdP, you will need to provide Carium with the following information:
- IdP Metadata URL: The URL to the IdP metadata file. You may need to provision Carium in your IdP to get this URL. See the suggested configuration below.
- Email Domain: The domain of the email addresses that are allowed to sign in through SSO. This is used to restrict SSO to only users with email addresses from the specified domain.
- Additional Organizations (Optional). Customers typically have multiple organizations in Carium (for example, a sandbox organization). Multiple organizations can be configured to use the same IdP. Provide the additional organization names to Carium.
Please contact your Carium representative to provide this information.
User Flows
Carium supports both SP and IdP initiated login flows.
SP IdP Initiated Login
The user starts the login process from Carium. Carium redirects the user to the IdP for authentication.
When the user enters their email address into the Carium login page, the login box will transform into a federated login form and Carium will redirect the user to the IdP login page.
IdP Initiated Login
The user starts the login flow at the IdP. Typically, this may present as an "application portal" such as Okta.
In this flow, the user goes directly from their corporate portal to being logged in to Carium.
Account Creation
When the IdP sends Carium a successful SAML response, Carium will create an account for the user if one doesn't already exist. The new user doesn't have any permissions until they're assigned to a role.