Single Sign On (SSO)

Overview

You can use Single Sign-On (SSO) to access your CleverTap dashboard. You must be on a CleverTap for Enterprises plan and use an identity provider or a custom SAML implementation in order to use SSO with CleverTap.

πŸ“˜

Account Admin User

You need to be an account admin to set up an SSO.

Set Up SSO Configuration on CleverTap

25322532

Access Setup Page

As an admin user, from the CleverTap dashboard, navigate to Organization > SSO. You will be directed to the SSO setup page.

Configure SAML

To configure SAML, perform the following steps:

  1. Copy the entity ID and Assertion Consumer service URL from the CleverTap and paste it in the IdP in Audience URI and Single sign-on URL respectively as shown below.
19991999
  1. Validate the Signature hash algorithm and binding to ensure they are the same in the Idp.
  • Signature Hash Algorithm: SHA-256
  • Binding: HTTP POST
  1. Provide XML metadata to CleverTap. You can copy the XML MetaData and paste it or upload the file.

CleverTap supports dynamic configuration which requires you to enter the IdP MetaData. This IdP MetaData is provided by your identity provider and will look similar to the screenshot shown below in XML format.

19991999

This IdP MetaData is provided by your identity provider and will look similar to the screenshot shown below in XML format.

19991999
  1. Set your unique domain URL.
    A CleverTap domain, unique to your CleverTap application needs to be provided so that it can be used to authenticate your CleverTap account.

πŸ“˜

Name Selection

Please use an easy name to remember as this will be used by your team to log in to the CleverTap account.

19991999

This completes your basic setup of SAML SSO. You can test the SSO setup from the CleverTap dashboard to be sure if the setup is done correctly.

Additional Settings

This section covers additional settings.

Login with SSO only

Under the Settings > SSO, you can find the setting Require all users to login using SSO.

13301330

If you select this option, your team members will not be able to log in to CleverTap directly. They will be forced to log in via the SSO option only.

🚧

Authentication Settings Considerations

Use this option if your entire team has your domain email id and is set up on your IdP.

If you have outsourced teams who do not have an email address in your domain, do not select this option as they will not be able to log in to CleverTap.

If you select this option, you will not be able to create a user from the CleverTap dashboard or assign a role to the user, this will have to manage via the Identity Provider.

Bind Existing Users

Some things to consider:

  • If you already have a user setup on CleverTap and want to migrate them to SSO along with their CleverTap roles and account access, select this option.
  • This gives you the option to download the users list by copying these user settings and paste them in the custom attributes in your IdP (More on how to set up custom attributes is given below).
  • This ensures that all users who are currently on CleverTap’s authentication and authorization will be seamlessly migrated to the IdPs authentication and authorization.
14601460 912912

πŸ“˜

IdP Setup

Below, you will be able to see how to set up access for the following IdPs:

  1. Okta
  2. OneLogin
  3. Azure
  4. Gsuite

Other IdPs follow similar instructions.

Identity Provider Set Up

Identity Provider (IdP) is the authority that verifies and asserts a user's identity and access to a requested resource (the "Service Provider").

Some examples of IdPs are Okta and GSuite.

Okta Setup

This section covers the Okta setup.

Create an Application

All IdPs allow you to create an app that you want to access using SSO. Start the setup by creating a CleverTap app in your IdP setup.

The example below is for setting up an app with Okta.

Under Platform, select Web and under Sign on method, select SAML 2.0.

16041604 19991999

Validate Settings

Validate the Signature hash algorithm and binding to ensure they are the same in the IdP:

  • Signature Hash Algorithm: SHA-256
  • Binding: HTTP POST
15081508

Attribute Mapping

You have to add some attributes for SSO to work. Attributes for name and email are compulsory in the format given in the screenshot. You need to add an attribute for each accountid you have in CleverTap.

You can then select for each account what role you want to give the users access to at a granular level.

Navigate to Applications > Select your application > General > Configure SAML.

The following attributes are mandatory.

14401440

Now if you have two accounts on Clevertap, you need to add the two AcccountId's in the following way:
You can name them as appuser.[Identifier}. As examples, we have used appuser.MainAccRole and appuser.MaiAccRole1.

This tells CleverTap which account a user should have access to. Click on Next and Finish to complete the process.

14401440

Assign User Roles

Now, we need to define what role the user shoud have for each account.

  1. Navigate to Directory > Profile Editor.
  2. Hover on your app and select Profile.
  3. Add and define what you want to call these attributes and what roles these attributes can get.
  4. Click on Add attribute.
  5. Name the Variable as "Your Account Name" to ensure that when assigning a name you can understand what account you are assigning the user to.
  6. Ensure you add the Name in Variable as you did earlier for AccountID as MainAccRole and MainAccRole1 from our previous examples above.
  7. Click the checkbox for an enumerated list and add all combinations of roles that you can possibly want to assign your user (you can get these combinations from the SSO Settings in the CleverTap dashboard as a CSV and copy-paste.

πŸ“˜

No Access

It is important that you always add an attribute member "NoAccess" and provide it with an empty "{}", so that you can select this value when you do not want to give the user access to this account.

  1. Click Save.
14441444

To ensure the correct values are passed to CleverTap, map the attributes correct by performing the following steps:

  1. Navigate to Directory > Profile Editor.
  2. Click on Profile (For your App) > Mappings.
21222122

Now, you need to assign users to your application:

  1. Navigate to Applications > Select your application > Assignments.
  2. Select the user and what role you want to give to the user for each account. If you do not want to give the user access to the account, select noaccess.
  3. Click Save.
13921392

IdP Metadata

  • Navigate to Applications > Select your application > Sign On
  • Click on View Setup Instruction and from the optional section copy the IDP metadata.
719719 10581058

This is the XML Metadata that you need to upload from the CleverTap dashboard by navigating to Settings > SSO Settings > Upload XML Metadata.

OneLogin Setup

This section will cover the Onelogin setup.

Create an Application

  1. From the Applications tab, select Applications from the menu bar.
14741474
  1. Click Add App.
  2. Search for SAML Custom Connector (Advance) in the search bar.
15661566
  1. Select SAML Custom Connector (Advance) and give *Display Name.
832832
  1. Click Save.

Application configuration

  1. Navigate to the Configuration section and enter the ACS (Consumer) URL and Audience (EntityID).
26142614

πŸ“˜

Note

You’ll find the ACS (Consumer) URL and Audience (EntityID) by navigating to Organizations -> SSO in the CleverTap dashboard.

Attribute Mapping

You have to add some attributes for SSO to work. Name and email are mandatory attributes. You need to add an attribute for each accountID you have in CleverTap.
You can then select for each account what role you want to give the users access to at a granular level.

You can then select the type of role you want to assign to your users.

  1. Navigate to the Parameter section and click the β€˜+’ sign to add new fields and also ensure that the Configured by admin button is selected.
18481848
  1. Add Name and Email fields and ensure that Include in SAML assertion checkbox is selected. Now, click Save.

  2. Add value as FirstName and Email for Name and Email respectively and Save.

568568 570570
  1. For each account you have in CleverTap, you should add the AccountID as name, and in the value dropdown select Macro and then add value attribute, here we have two accounts Account-1 and Account-2.

This tells CleverTap which account a user should have access to.

570570 13451345
  1. Navigate to the SSO section and select SHA-256 from the SAML Signature Algorithm drop-down list and click Save.

Assign User Roles

  1. Navigate to Users (from the top menu) > Users and select the user you want to give access to. On selecting a specific user, the user profile is displayed.
17531753
  1. Navigate to Applications and add the app which we have created by clicking on the plus sign.
  1. Define the role for each account for this user by clicking on the app (we have Test).
  • Take the role map JSON that is available in the CSV download (Dashboard > Settings > SSO) for the user-account combination and paste it into the respective attributes for each account.

πŸ“˜

Restricting Access

If you do not want to give a user access to the account, define an empty JSON { } that indicates that the user has no access to this account. Refer to the image below for a better understanding.

643643
  • Save the user.

IdP Metadata

Navigate to Applications-> Applications then select your app go to More Actions dropdown and click SAML metadata.

This will download an XML metadata file that you need to upload to the CleverTap dashboard by navigating to Organizations -> SSO -> Upload XML metadata

Azure Setup

This section will cover the Azure setup.

Creating an Application

  1. Start the setup by signing up and creating a CleverTap app on the Azure Portal
  2. From the left navigation panel, select Azure Active Directory.
17341734
  1. Select Enterprise applications from the Azure Active Directory pane.
  2. Click + Add > Enterprise application
18901890
  1. Enter the name of the application > Select the Non-gallery application option as shown in the image below and click on the "Add "button.
28162816
  1. Further, navigate to Setup Single sign-on.
22822282
  1. The next screen presents the options for configuring single sign-on. Click on SAML.
28642864
  1. Now, click the Edit option available next to Basic SAML configuration
17941794
  1. For Basic SAML configuration you need to get the Entity ID and Assertion Consumer Service URL from CleverTap dashboard.
  2. To get these credentials, navigate to CleverTap dashboard > Organization > SSO. Copy the Entity ID and Assertion Consumer Service URL.
  3. Paste the respective values into the SAML configuration section as shown in the screenshot below and click Save.
25002500

Attribute Mapping

Navigate to the Attributes & Claims section under the Attributes tab.

15581558

Add the following attributes for the SSO to work:

  • Name and email attributes are mandatory.

  • You need to add an attribute for each Account ID you have in CleverTap. This allows you to assign the appropriate role for each account. For example, if you have two Accounts in Clevertap, you need to add both the Account Ids in the following way:

  • You can name them as user.attribute1 and user.attribute2. Here, we have used user.jobtitle as an example. This helps indicate the account to which the user should have access.

Assign User Roles

πŸ“˜

Note

As a security measure, Azure AD does not issue a token to the user unless it grants access to the user.

  1. Click User and groups from the left navigation of the application. A list of already existing users/groups will be displayed.
28482848
  1. Click +Add user and Assign the respective User and groups to the application using the options available at the top of the screen.
28722872
  1. Select the appropriate user and click Select button.
  2. Further, click the Assign button to assign that user or group to the SAML application.
  3. You can explicitly edit the attributes or add roles that you want to assign to the users by selecting the specific user profiles. You can also find t
  4. To map the existing user's data with Azure IdP, select the Bind user's data with your IDP option available in the CleverTap dashboard (navigate to Organization > SSO > select the Bind user's data with your IDP checkbox). Click the Download Users and Roles link to download the CSV file containing user data.
12301230

IdP Metadata

  1. Download the Federation Metadata XML file available under SAML Signing Certificate section.
16081608
  1. Navigate to CleverTap Dashboard > Organization > SSO and upload the CSV file under MetaData XML as shown below:
15781578
  1. Once done, set a domain URL unique to your CleverTap application so that it can be used to authenticate your CleverTap account.

🚧

Note

Use a name that is easy to remember as this will be used by your team to log in to the CleverTap account.

  1. Click Test SSO button and if the configuration is properly done, then you will get the following response:
648648

GSuite Setup

Log in to https://admin.google.com/ and login as Admin for your app.

Attributes

Navigate to Users > Click on More > Manage Custom Attributes > Add Custom Attributes.

  1. You can give a category and description as per your naming policies, a recommendation is that names should be such that you can identify these custom attributes are for your CleverTap SSO setup.
  2. For each account you have with CleverTap, create an equivalent entry here with the name of your account. For example, our app has two accounts and the account names are Account_1 and Account_2.
  3. Ensure these attributes are set to Single value.
  4. Click Save.
27982798

Create an SAML App

To create an SAML app, perform the following steps:

  1. Navigate to Apps > SAML Apps.
  2. Click on the + sign to create your new CleverTap SAML App.
  3. Add the ACS URL and Entity ID.
  4. Select the checkbox for Signed Response.
  5. Name ID as Basic Information and Primary Email and Name ID format as Email.

πŸ“˜

Signed Response

Ensure the checkbox for Signed Response is selected before proceeding.

17401740

Attribute Mapping

To map attributes, perform the following steps:

  1. Name and email mapping as depicted in the screenshot are compulsory.
  2. For each account you have in CleverTap, you should add the AccountID and select the respective attribute created for this account in the previous step when you created Attributes.
  3. Click Save.

πŸ“˜

AccountID

Admins can find all AccountID's in the CleverTap dashboard under Settings > Account.

17781778

Assign to Users and Roles

To assign to user and roles, perform the following steps:

  1. Navigate to Apps > SAML Apps.
  2. Turn the app ON for everyone.
28802880
  1. Navigate to Users and click on a user you want to give access to. You need to navigate to Custom Attributes and define the role for each account for this user.
  2. Take the roleMap JSON that is available in the CSV download (Dashboard > Settings > SSO) for the user-account combination and paste it into the respective attributes for each account.
  3. If you do not want to give user access to the account, define an empty JSON { } which indicates that the user has no access for this account.

πŸ“˜

Restrict User Access

If you do want to give users access to an account, you need to define an empty JSON which just empty curly braces such as { }.

21642164

IdP Metadata

Now that the setup is done, under Service Provider Details:

  1. Click Manage Certificates.
  2. Download the IdP Metadata.

This is the XML Metadata file that you need to upload from the CleverTap dashboard by navigating to Settings > SSO Settings > Upload XML Metadata.

17781778

Sign In Using SSO

Once you have completed the setup, you can save the settings. Once you have saved the settings, your login via SSO is complete. On the next login, your SSO will be activated.

27042704

Login

Once your SSO is set up, you can log in to CleverTap using the login with the SSO option.

26742674

Once you click on Continue, you will be redirected to your IdP login page. Once you log in from the IdP, you will be redirected back to your CleverTap dashboard.


Did this page help you?