Overview

You can use Single Sign-On (SSO) to access your CleverTap dashboard. You must use an Identity Provider (IdP) or a custom SAML (Security Assertion Markup Language) implementation to use SSO with CleverTap. Note that you must be an account admin to set up an SSO.

📘
Key Benefits of New SSO Configuration
The migration steps for existing SSO customers moving to a new SAML SSO setup are the same as setting up the SSO configuration for the first time.
Listed below are the key benefits of the new SAML SSO setup:

Streamlined SSO configuration process without needing Account-Role Mapping on IdP.

Flexibility to manage users entirely on the CleverTap dashboard or by sending account lists through IdP and managing roles on the dashboard.

Enhanced security and simplified login experience for your team through email domain whitelisting.

Set Up SSO Configuration

The SSO Configuration process includes the following two steps:

Set Up SSO configuration on CleverTap

To set up the SSO configuration on the CleverTap dashboard:

Navigate to Organization > SSO from the CleverTap dashboard.
Click Create SAML Connection.

The Create SAML Connection window opens on the right side of the screen after you click Create SAML Connection, as shown in the following figure:

Enter the following details:
- Sign-in URL
- Organization name
- IDP Signing certificate (You can either paste the certificate details or upload the .CER file)
- SAML Eligible Email Domains
  In order to claim ownership of a domain, it is necessary for the organization to have at least one active user associated with that particular domain.
Click Create.

📘
Note

After you configure Sign-in URL and IDP Signing certificate, these details are available from your respective identity providers. For more information about IdP configuration, refer Okta, OneLogin, Azure and Gsuite.

CleverTap recommends avoiding a word processor for copy-pasting sensitive values like certificates; instead, you can use an IDE or terminal.

After creating the SAML connection successfully, SAML Service Provider details are displayed on the page, as shown in the following figure:

Navigate to your respective IdP sections in the document and complete the steps mentioned to configure the connection.

📘
Configuration Updates
The following are the updates related to CleverTap's SSO configurations process:

The IdP metadata XML is not accepted as a configuration parameter anymore.

The domain discovery now recognizes email domains. It means you can now log in through an IdP using a specific email address (for example, [email protected]) instead of organization names (for example, CleverTap). All users must provide their email addresses, and the system automatically determines if they use SAML or basic authentication.

All users must provide an email address on the new login page (the old login page still accepts the organization names).

CleverTap strongly recommends adding your email domains rather than public ones or other organizations. If you encounter errors during configuration, it may be because the email domain is public (for example, gmail.com, outlook.com) or already claimed by another organization. Contact our support team if you encounter an issue and want to claim an email domain.

Configure CleverTap Application on your IdP

To configure CleverTap on your IdP, you must map the attributes. The following are the two methods for attribute mapping:

Based on the selected attribute mapping logic and your IdP, map the attributes as illustrated for specific IdPs:

Identity Service Provider

Identity Provider (IdP) is an authority that verifies and asserts a user's identity and access to a requested resource (the "Service Provider"). Some examples of IdPs are Okta, GSuite, and so on.

Attribute Mapping Logic for IdPs

You can set up your IdP attributes in the following two ways:

Add a List of Names and Emails Only (Recommended)

Users onboarded before SAML SSO activation can continue to access their previous accounts. Users onboarded through SAML SSO for the first time are redirected to the no-access page and cannot access any accounts.

The user is onboarded to new accounts by sending an invitation to any account. Inviting a SAML user to an account may not send an email invite; instead, directly grant them access. However, the user needs to log out and then log in to view the new account assignments.

There are no organization-based checks in this method, as the provision of access is still in the hands of the admin of the target account.

Send a List of attributes Along With accountList and an Array of accountIds

In this case, the user can only access the accounts mentioned in the accountList attribute. The invitation flow does not work for gaining access to any account. The account must be added to the accountList. An additional check is performed on the accounts present in the accountList to validate if they belong to a family of accounts for which the current SAML SSO connection is configured. For example, if a connection is made for customer A and tries to pass the account Ids of customer B, they would be blocked.

The optional attribute accountList must be added in the following manner:
accountList : ["1000000001", "1000000002", "1000000003"].

🚧
Note

If the user has access to any other account on the system apart from the ones present in the accountList, they would lose access to those accounts.

You must connect all your accounts to a parent account for which the SSO configuration is created.

Configure IDPs

This section illustrates how to set up access for the following IDPs:

📘
Note
You can configure any IdP that supports SAML SSO, following the recommended approach.

Okta Setup

This section provides information about the Okta setup. The process involves the following major steps:

Create an Application

Start the setup by creating a CleverTap app in your IdP setup. All IdPs allow you to create an app you want to access using SSO. Consider the following example of setting up an app with Okta:

Navigate to your Okta admin dashboard.
Select Applications from the left navigation and click Create App Integration.

After the Sign-in method box appears, select SAML 2.0.

Enter your application details as shown in the image below and click Next:

Add the Single sign-on URL and Audience URI(Entity ID) values. (You can find these credentials on the Create SAML connection page of the CleverTap dashboard).

Map Attributes

In continuation of the above configuration, ensure that the correct values are passed to CleverTap. To do so, you must map the attributes:

Add three attributes - name, email  and accountList appropriately, and map the attributes accordingly as shown in the image below:

📘
Note
If you proceed further with the recommended method, add only two attributes - name, email  in the attribute mapping section appropriately. You need not add any custom attributes and hence you must skip step 2.

For the accountList attribute, you must create a custom attribute:

i. Navigate to Directory > Profile editor > Select your application (CleverTap).
ii. Click + Add Attributes.

iii. Define all the attribute values for accountList.

iv. Click Save

Assign CleverTap Application to User

To assign your CleverTap application to users:

Navigate to Applications > Select your application.
Select Assign to People from the Assign dropdown.

1356 — Assigning an Applications to Users

Select the user you want to assign and click Assign

Ensure that the accountList value is populated against the accountList attribute in the dropdown.

Click Save and Go Back and then click Done.

To find the credentials for setting up SAML connection on the CleverTap dashboard:

Navigate to Applications > Sign on
Click View SAML Setup instruction available at the bottom right of the page. You can find the credentials as shown in the following figure:

Use these credentials to create a SAML connection on the CleverTap dashboard.