LogoLogo
HomeAcademyLoginTry for free
  • Welcome
  • What's new
    • Q2 2025
    • Q1 2025
    • Q4 2024
    • Q3 2024
    • Q2 2024
    • Q1 2024
    • Q4 2023
    • Q3 2023
    • Q2 2023
    • Q1 2023
    • Q4 2022
    • Q3 2022
  • FAQs
    • Accounts
    • Migration to the new platform
    • User & organization setup
    • General
    • Builder
    • Workflows
    • Data Observatory
    • Analytics Toolbox
    • Development Tools
    • Deployment Options
    • CARTO Basemaps
    • CARTO for Education
    • Support Packages
    • Security and Compliance
  • Getting started
    • What is CARTO?
    • Quickstart guides
      • Connecting to your data
      • Creating your first map
      • Creating your first workflow
      • Developing your first application
    • CARTO Academy
  • CARTO User Manual
    • Overview
      • Creating your CARTO organization
      • CARTO Cloud Regions
      • CARTO Workspace overview
    • Maps
      • Data sources
        • Simple features
        • Spatial Indexes
        • Pre-generated tilesets
        • Rasters
        • Defining source spatial data
        • Managing data freshness
        • Changing data source location
      • Layers
        • Point
          • Grid point aggregation
          • H3 point aggregation
          • Heatmap point aggregation
          • Cluster point aggregation
        • Polygon
        • Line
        • Grid
        • H3
        • Raster
        • Zoom to layer
      • Widgets
        • Formula widget
        • Category widget
        • Pie widget
        • Histogram widget
        • Range widget
        • Time Series widget
        • Table widget
      • SQL Parameters
        • Date parameter
        • Text parameter
        • Numeric parameter
        • Publishing SQL parameters
      • Interactions
      • Legend
      • Basemaps
        • Basemap selector
      • AI Agents
      • SQL analyses
      • Map view modes
      • Map description
      • Feature selection tool
      • Search locations
      • Measure distances
      • Exporting data
      • Download PDF reports
      • Managing maps
      • Publishing and sharing maps
        • Map settings for viewers
        • Map preview for editors
        • Collaborative maps
        • Embedding maps
        • URL parameters
      • Performance considerations
    • Workflows
      • Workflow canvas
      • Results panel
      • Components
        • Aggregation
        • Custom
        • Data Enrichment
        • Data Preparation
        • Generative AI
        • Input / Output
        • Joins
        • Parsers
        • Raster Operations
        • Spatial Accessors
        • Spatial Analysis
        • Spatial Constructors
        • Spatial Indexes
        • Spatial Operations
        • Statistics
        • Tileset Creation
        • BigQuery ML
        • Snowflake ML
        • Google Earth Engine
        • Google Environment APIs
        • Telco Signal Propagation Models
      • Data Sources
      • Scheduling workflows
      • Sharing workflows
      • Using variables in workflows
      • Executing workflows via API
      • Temporary data in Workflows
      • Extension Packages
      • Managing workflows
      • Workflows best practices
    • Data Explorer
      • Creating a map from your data
      • Importing data
        • Importing rasters
      • Geocoding data
      • Optimizing your data
    • Data Observatory
      • Terminology
      • Browsing the Spatial Data Catalog
      • Subscribing to public and premium datasets
      • Accessing free data samples
      • Managing your subscriptions
      • Accessing your subscriptions from your data warehouse
        • Access data in BigQuery
        • Access data in Snowflake
        • Access data in Databricks
        • Access data in Redshift
        • Access data in PostgreSQL
    • Connections
      • Google BigQuery
      • Snowflake
      • Databricks
      • Amazon Redshift
      • PostgreSQL
      • CARTO Data Warehouse
      • Sharing connections
      • Deleting a connection
      • Required permissions
      • IP whitelisting
      • Customer data responsibilities
    • Applications
    • Settings
      • Understanding your organization quotas
      • Activity Data
        • Activity Data Reference
        • Activity Data Examples
        • Activity Data Changelog
      • Users and Groups
        • Inviting users to your organization
        • Managing user roles
        • Deleting users
        • SSO
        • Groups
        • Mapping groups to user roles
      • CARTO Support Access
      • Customizations
        • Customizing appearance and branding
        • Configuring custom color palettes
        • Configuring your organization basemaps
        • Enabling AI Agents
      • Advanced Settings
        • Managing applications
        • Configuring S3 Bucket for Redshift Imports
        • Configuring OAuth connections to Snowflake
        • Configuring OAuth U2M connections to Databricks
        • Configuring S3 Bucket integration for RDS for PostgreSQL Exports in Builder
        • Configuring Workload Identity Federation for BigQuery
      • Data Observatory
      • Deleting your organization
    • Developers
      • Managing Credentials
        • API Base URL
        • API Access Tokens
        • SPA OAuth Clients
        • M2M OAuth Clients
      • Named Sources
  • Data and Analysis
    • Analytics Toolbox Overview
    • Analytics Toolbox for BigQuery
      • Getting access
        • Projects maintained by CARTO in different BigQuery regions
        • Manual installation in your own project
        • Installation in a Google Cloud VPC
        • Core module
      • Key concepts
        • Tilesets
        • Spatial indexes
      • SQL Reference
        • accessors
        • clustering
        • constructors
        • cpg
        • data
        • http_request
        • import
        • geohash
        • h3
        • lds
        • measurements
        • placekey
        • processing
        • quadbin
        • random
        • raster
        • retail
        • routing
        • s2
        • statistics
        • telco
        • tiler
        • transformations
      • Guides
        • Running queries from Builder
        • Working with Raster data
      • Release notes
      • About Analytics Toolbox regions
    • Analytics Toolbox for Snowflake
      • Getting access
        • Native App from Snowflake's Marketplace
        • Manual installation
      • Key concepts
        • Spatial indexes
        • Tilesets
      • SQL Reference
        • accessors
        • clustering
        • constructors
        • data
        • http_request
        • import
        • h3
        • lds
        • measurements
        • placekey
        • processing
        • quadbin
        • random
        • raster
        • retail
        • s2
        • statistics
        • tiler
        • transformations
      • Guides
        • Running queries from Builder
        • Working with Raster data
      • Release Notes
    • Analytics Toolbox for Databricks
      • Getting access
        • Personal (former Single User) cluster
        • Standard (former Shared) cluster
      • Reference
        • lds
        • tiler
      • Guides
      • Release Notes
    • Analytics Toolbox for Redshift
      • Getting access
        • Manual installation in your database
        • Installation in an Amazon Web Services VPC
        • Core version
      • Key concepts
        • Tilesets
        • Spatial indexes
      • SQL Reference
        • clustering
        • constructors
        • data
        • http_request
        • import
        • lds
        • placekey
        • processing
        • quadbin
        • random
        • s2
        • statistics
        • tiler
        • transformations
      • Guides
        • Running queries from Builder
      • Release Notes
    • Analytics Toolbox for PostgreSQL
      • Getting access
        • Manual installation
        • Core version
      • Key concepts
        • Tilesets
        • Spatial Indexes
      • SQL Reference
        • h3
        • quadbin
        • tiler
      • Guides
        • Creating spatial index tilesets
        • Running queries from Builder
      • Release Notes
    • CARTO + Python
      • Installation
      • Authentication Methods
      • Visualizing Data
      • Working with Data
        • How to work with your data in the CARTO Data Warehouse
        • How to access your Data Observatory subscriptions
        • How to access CARTO's Analytics Toolbox for BigQuery and create visualizations via Python notebooks
        • How to access CARTO’s Analytics Toolbox for Snowflake and create visualizations via Python notebooks
        • How to visualize data from Databricks
      • Reference
    • CARTO QGIS Plugin
  • CARTO for Developers
    • Overview
    • Key concepts
      • Architecture
      • Libraries and APIs
      • Authentication methods
        • API Access Tokens
        • OAuth Access Tokens
        • OAuth Clients
      • Connections
      • Data sources
      • Visualization with deck.gl
        • Basemaps
          • CARTO Basemap
          • Google Maps
            • Examples
              • Gallery
              • Getting Started
              • Basic Examples
                • Hello World
                • BigQuery Tileset Layer
                • Data Observatory Tileset Layer
              • Advanced Examples
                • Arc Layer
                • Extrusion
                • Trips Layer
            • What's New
          • Amazon Location
            • Examples
              • Hello World
              • CartoLayer
            • What's New
        • Rapid Map Prototyping
      • Charts and widgets
      • Filtering and interactivity
      • Summary
    • Quickstart
      • Make your first API call
      • Visualize your first dataset
      • Create your first widget
    • Guides
      • Build a public application
      • Build a private application
      • Build a private application using SSO
      • Visualize massive datasets
      • Integrate CARTO in your existing application
      • Use Boundaries in your application
      • Avoid exposing SQL queries with Named Sources
      • Managing cache in your CARTO applications
    • Reference
      • Deck (@deck.gl reference)
      • Data Sources
        • vectorTableSource
        • vectorQuerySource
        • vectorTilesetSource
        • h3TableSource
        • h3QuerySource
        • h3TilesetSource
        • quadbinTableSource
        • quadbinQuerySource
        • quadbinTilesetSource
        • rasterSource
        • boundaryTableSource
        • boundaryQuerySource
      • Layers (@deck.gl/carto)
      • Widgets
        • Data Sources
        • Server-side vs. client-side
        • Models
          • getFormula
          • getCategories
          • getHistogram
          • getRange
          • getScatter
          • getTimeSeries
          • getTable
      • Filters
        • Column filters
        • Spatial filters
      • CARTO APIs Reference
    • Release Notes
    • Examples
    • CARTO for React
      • Guides
        • Getting Started
        • Views
        • Data Sources
        • Layers
        • Widgets
        • Authentication and Authorization
        • Basemaps
        • Look and Feel
        • Query Parameters
        • Code Generator
        • Sample Applications
        • Deployment
        • Upgrade Guide
      • Examples
      • Library Reference
        • Introduction
        • API
        • Auth
        • Basemaps
        • Core
        • Redux
        • UI
        • Widgets
      • Release Notes
  • CARTO Self-Hosted
    • Overview
    • Key concepts
      • Architecture
      • Deployment requirements
    • Quickstarts
      • Single VM deployment (Kots)
      • Orchestrated container deployment (Kots)
      • Advanced Orchestrated container deployment (Helm)
    • Guides
      • Guides (Kots)
        • Configure your own buckets
        • Configure an external in-memory cache
        • Enable Google Basemaps
        • Enable the CARTO Data Warehouse
        • Configure an external proxy
        • Enable BigQuery OAuth connections
        • Configure Single Sign-On (SSO)
        • Use Workload Identity in GCP
        • High availability configuration for CARTO Self-hosted
        • Configure your custom service account
      • Guides (Helm)
        • Configure your own buckets (Helm)
        • Configure an external in-memory cache (Helm)
        • Enable Google Basemaps (Helm)
        • Enable the CARTO Data Warehouse (Helm)
        • Configure an external proxy (Helm)
        • Enable BigQuery OAuth connections (Helm)
        • Configure Single Sign-On (SSO) (Helm)
        • Use Workload Identity in GCP (Helm)
        • Use EKS Pod Identity in AWS (Helm)
        • Enable Redshift imports (Helm)
        • Migrating CARTO Self-hosted installation to an external database (Helm)
        • Advanced customizations (Helm)
        • Configure your custom service account (Helm)
    • Maintenance
      • Maintenance (Kots)
        • Updates
        • Backups
        • Uninstall
        • Rotating keys
        • Monitoring
        • Change the Admin Console password
      • Maintenance (Helm)
        • Monitoring (Helm)
        • Rotating keys (Helm)
        • Uninstall (Helm)
        • Backups (Helm)
        • Updates (Helm)
    • Support
      • Get debug information for Support (Kots)
      • Get debug information for Support (Helm)
    • CARTO Self-hosted Legacy
      • Key concepts
        • Architecture
        • Deployment requirements
      • Quickstarts
        • Single VM deployment (docker-compose)
      • Guides
        • Configure your own buckets
        • Configure an external in-memory cache
        • Enable Google Basemaps
        • Enable the CARTO Data Warehouse
        • Configure an external proxy
        • Enable BigQuery OAuth connections
        • Configure Single Sign-On (SSO)
        • Enable Redshift imports
        • Configure your custom service account
        • Advanced customizations
        • Migrating CARTO Self-Hosted installation to an external database
      • Maintenance
        • Updates
        • Backups
        • Uninstall
        • Rotating keys
        • Monitoring
      • Support
    • Release Notes
  • CARTO Native App for Snowflake Containers
    • Deploying CARTO using Snowflake Container Services
  • Get Help
    • Legal & Compliance
    • Previous libraries and components
    • Migrating your content to the new CARTO platform
Powered by GitBook
On this page

Was this helpful?

Export as PDF

Last updated 1 year ago

Was this helpful?

In this guide you will learn how to build a custom application that is integrated with your own Identity Provider (IdP) to authenticate and authorize your users, in a process typically known as Single Sign-On (SSO).

After completing this guide, you'll learn how to:

  • Set up an SSO integration between CARTO and your IdP

  • Modify a regular private application to use your SSO integration

  • Set up Just-in-time provisioning in your CARTO organization

  • Modify your application to use just-in-time provisioning for new users

Scaffolding your application

To give you a quickstart, we're providing a sample private application with the changes covered in the . We will then add the specific code that we need to use SSO.

After that, you should have a project up and running at

Setting up the SSO integration

Single Sign-On (SSO) integrations are only available for Enterprise Medium plans and above. Please get in touch at if you’re interested in this feature.

From now on, we'll be assuming that a valid SSO integration has already been enabled and users are already accessing the CARTO Workspace using your Identity Provider.

Leveraging SSO in your application

To start using SSO in your application to seamlessly authenticate users, we need to add the SSO organization ID (provided by our support team after the SSO integration has been configured) to the .env file:

Then, we need to add the organization property to the authorizationParams property used to create the Auth0Client:

When users now click on the "Login" button, they will be redirected to their corporate login page where they will need to enter their credentials. After authentication is completed, we will be able to call the getTokenSilently method that will return an access token used to authorize the requests to the CARTO API.

🎉 Great! Your CARTO application is now using Single Sign-On to authenticate users.

However, at this point, your app won't be able to authenticate brand-new users that didn't exist previously in CARTO. These users will still be required to access first through the regular CARTO Workspace.

If you need to handle the provisioning of new users, keep advancing on this guide.

Setting up Just-in-time provisioning

To continue with this guide and seamlessly onboard new users into your application using just-in-time, enable this setting.

Leveraging Just-in-time provisioning in your application

The first step to onboard new users is to register a new environment variable with your Accounts URL. Your Accounts URL is the base URL where users go for login/signup.

  • For cloud deployments, this is always https://app.carto.com

  • For self-hosted deployments, this is a custom URL, like https://carto-instance.acme.com

Add this line to your .env file with your Accounts URL.

Finally, we need to update our authentication flow to accept new users, redirect them to the proper just-in-time provisioning flow, and complete their first login flow after CARTO sends them back to the application. This flow takes a few seconds and no user input is required, making it seamless and easy for new users to authenticate and use your application.

To make things easier, just replace your auth.ts file with the following code:

Testing our SSO application with a new user

With these changes, our application now displays a login button that redirects the user to your Identity Provider (IdP). If the user already exists in CARTO, they will go straight to your app. If the user is completely new, they will also go straight to your app, but a new CARTO user will be provisioned in the process.

Here's what the experience looks like for a completely new user, after enabling just-in-time provisioning.

🎉 Congratulations! Your CARTO application is now using Single Sign-On to authenticate users and is also able to seamlessly create new users if they access your app for the first time.

What's next?

Now that your application is successfully authenticating users via SSO, let's focus on creating interesting content.

A prerequisite for this guide is to set up the integration in your CARTO organization. When this integration is enabled, CARTO delegates authentication to your Identity Provider (IdP), and users who have not logged in are redirected to your IdP's login page.

After the user is authenticated, some of the user information from the IdP is available to CARTO, including the groups that this user is a member of. We synchronize this information as covered in the section in CARTO Workspace.

When SSO is enabled, you can configure CARTO to create users as soon as they successfully log in for the first time using your IdP login flow, without any additional steps or signup questions. We call this process Just-in-time provisioning. Check our documentation to learn .

We recommend you to visit to learn more about the visualizations you can create in deck.gl. There are many examples in our that might be useful to improve your application!

VITE_ORGANIZATION_ID=XXXXXXXX
auth0Client = await createAuth0Client({
  domain: 'auth.carto.com',
  clientId,
  authorizationParams: {
    redirect_uri: window.location.origin,
    audience: 'carto-cloud-native-api',
    organization: import.meta.env.VITE_ORGANIZATION_ID
  }
})
VITE_ACCOUNTS_URL=XXXXXXXXX
import { Auth0Client, createAuth0Client } from '@auth0/auth0-spa-js';

let auth0Client: Auth0Client

// This is a new parameter to force new users to log in after CARTO has provisioned them
const FORCE_LOGIN_PARAM = 'forceLogin'

export async function initAuth() {
  let accessToken: string | undefined;

  const clientId = import.meta.env.VITE_CLIENT_ID;
  const organizationId = import.meta.env.VITE_ORGANIZATION_ID;
  const accountsUrl = import.meta.env.VITE_ACCOUNTS_URL;

  auth0Client = await createAuth0Client({
    domain: 'auth.carto.com',
    clientId,
    authorizationParams: {
      redirect_uri: window.location.origin,
      audience: 'carto-cloud-native-api',
      organization: organizationId // your SSO organization ID, as provided by CARTO support
    }
  })
  
  // This is the new authentication flow that manages just-in-time provisioning for new users
  const hasForceLogin = location.search.includes(`${FORCE_LOGIN_PARAM}=`)

  if (location.search.includes('state=') && 
      (location.search.includes('code=') || 
      location.search.includes('error='))) {
    await auth0Client.handleRedirectCallback();
    window.history.replaceState({}, document.title, '/');
  }

  const isAuthenticated = await auth0Client.isAuthenticated();
  const appEl = document.getElementById('app');

  if (hasForceLogin) {
    auth0Client.loginWithRedirect()
  } else if (isAuthenticated) {
    const userProfile = await auth0Client.getUser();
    const hasUserMetadata = userProfile[`http://app.carto.com/user_metadata`];
    if (hasUserMetadata) {
      appEl?.classList.add('isAuthenticated');
      accessToken = await auth0Client.getTokenSilently();

      const profileEl = document.getElementById('profile')!;
      profileEl.innerHTML = `
        <p>${userProfile.name}</p>
        <img width="50px" height="50px" src='${userProfile.picture}' />
      `;
    } else {
      // No organizations associated with the user, we need to redirect to app.carto.com to complete the signup process
      const redirectAccountsUri = `${accountsUrl}sso/${organizationId}`
      const searchParams = new URLSearchParams({
        redirectUri: `${window.location.origin}?${FORCE_LOGIN_PARAM}=true`,
      });
      window.location.href = `${redirectAccountsUri}?${searchParams}`;
    }
  } else {
    appEl?.classList.remove('isAuthenticated');
  }
  
  // Logout
  const logoutButton = document.getElementById('logout');
  logoutButton?.addEventListener('click', (e) => {
    e.preventDefault();
    auth0Client.logout();
  });

  // Login
  const loginButton = document.getElementById('login');
  loginButton?.addEventListener('click', (e) => {
    e.preventDefault();
    auth0Client.loginWithRedirect();
  });
  
  return accessToken
}
  1. CARTO for Developers
  2. Guides

Build a private application using SSO

Use your company's identity management system to seamlessly control access to your application

PreviousBuild a private applicationNextVisualize massive datasets
  • Scaffolding your application
  • Setting up the SSO integration
  • Leveraging SSO in your application
  • Setting up Just-in-time provisioning
  • Leveraging Just-in-time provisioning in your application
  • Testing our SSO application with a new user
  • What's next?
git clone https://github.com/CartoDB/carto-for-developers-guides.git
cp -r carto-for-developers-guides/private-app sso-app
cd sso-app
npm install
npm run dev
Build a private application guide
https://127.0.0.1:5173/
support@carto.com
S
ingle Sign-On (SSO)
Groups
Visualization with deck.gl
gallery
how to configure Just-in-time provisioning in CARTO Workspace