SAML Single Sign-On

Available on Enterprise


SAML 2.0 SSO connects clariBI to your enterprise identity provider so every clariBI sign-in flows through the same identity infrastructure that runs the rest of your business systems.

Overview

SAML and OAuth both delegate authentication to a third-party identity provider, but SAML is the protocol most large organizations standardize on. It supports IdP-initiated login (users open clariBI from their corporate dashboard), works with virtually every enterprise identity stack, and gives security teams a single chokepoint for all access decisions.

Choose SAML when:

  • Your security team requires all SaaS apps to flow through one identity provider
  • You want users to launch clariBI from an Okta, Azure, or OneLogin app catalog tile
  • You need to support multiple identity providers in the same clariBI organization

If you only need to let users sign in with their Google or Microsoft accounts, the simpler OAuth SSO options may be enough.

Supported identity providers

clariBI supports any SAML 2.0-compliant identity provider. Customers most commonly run clariBI with:

  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • OneLogin
  • Auth0
  • JumpCloud
  • Google Workspace SAML

If your IdP supports SAML 2.0 with SP-initiated or IdP-initiated SSO, it will work with clariBI.

Multi-provider support

Enterprise customers can configure more than one SAML provider on the same clariBI organization. A common pattern is one provider for full-time employees (e.g. Okta tied to your HRIS) and a second provider for contractors or agencies (e.g. a JumpCloud directory). Each provider has its own connection settings and can be enabled or disabled independently.

Configuration walkthrough

  1. In your identity provider, create a new SAML application for clariBI. Most IdPs have a generic "SAML 2.0 application" template.
  2. Copy the IdP's metadata XML (or the metadata URL) and the sign-in URL from the IdP-side configuration screen.
  3. In clariBI, sign in as an Owner and open Settings > Security > SSO Providers > SAML. Paste the metadata or URL into the connection form and save.
  4. Test with a single user before rolling out org-wide. Click Test connection in the SAML settings page or sign in via your IdP.
  5. Once verified, enforce SAML for all users in your organization (see Enforcement below).

Provider-specific notes

Okta

In Okta, create an Application of type "SAML 2.0". For attribute statements, map at minimum email, firstName, and lastName to the matching Okta user profile fields. clariBI uses the email attribute as the primary identity key.

Microsoft Entra ID (Azure AD)

In Entra ID, create an Enterprise Application and choose "Set up single sign-on" → "SAML". The required claims clariBI expects are the standard emailaddress, givenname, and surname claims that Entra ID provides by default.

SCIM provisioning

Note: clariBI does not currently support SCIM. User accounts are created just-in-time on the first SSO login. If you need automated deprovisioning or group sync, contact your account manager so we can prioritize SCIM on the roadmap.

Enforcement

After you have tested SAML with at least one user, enforce it for the rest of your organization in Settings > Security > SSO Providers > SAML > Enforcement. Once enforcement is on, password login is disabled for all members; everyone must come through your IdP.

Break-glass admin account: we strongly recommend leaving at least one Owner account exempt from SSO enforcement so you can recover access if your IdP is unreachable. You can mark a user as a break-glass account in the same enforcement panel.
