Authentication & SSO
Single Sign-On (SSO) lets your team log into CARTO using their existing work credentials – no separate passwords to remember. SSO is recommended for organizations with more than 10 users due to several key benefits:
Improves security by using your company's existing security policies (like multi-factor authentication) and automatically removes CARTO access when employees leave
Gives IT control over who can access CARTO at any time
Simplifies user management with a custom login URL and automatic user provisioning
Unlocks advanced features like Groups for better sharing and collaboration

Setting up SSO
SSO integrations are handled by our Support Team and typically take around 1-2 days after the exchange of some basic information. In your request, please specify your Identity Provider (e.g., Okta) and the Authentication Protocol (e.g., SAML) you wish to use.
CARTO uses Auth0 as the Service Provider. Knowing this in advance lets you gather the relevant configuration details for your Identity Provider and speed up the process.
Supported Authentication Protocols
CARTO supports SSO integrations using the following protocols:
SAML 2.0 (Recommended)
OpenID Connect (OIDC)
LDAP
WS-Fed
OAuth 2.0
Supported Identity Providers
Most Identity Providers (IdPs) support at least one of these protocols, so if your Identity Provider is not in the following list, it should be supported as well. These are some of the most common services that can be set up as the SSO Identity Provider:
Okta
Azure Active Directory
Google Workspace
Salesforce
OneLogin
Auth0
PingForce
Many more...
SSO Groups
CARTO has the ability to read the groups attribute coming from your IdP to synchronize groups in CARTO. These groups can then be used to share maps and other assets with groups of users and manage user roles automatically.
Our Support Team will guide you through the process of setting up SSO Groups in CARTO. If you require this feature, please mention it in your request.
SSO integrations using OAuth 2.0 don't support Groups. If you need this feature, consider using SAML or OIDC instead.
Managing users in organizations with SSO
After setting up SSO, your team can log in using SSO in two ways:
SSO URL: This URL is available in the settings and is unique to your organization. Opening it will redirect you to your SSO login.
SSO Discovery: On the CARTO login page, click Login with SSO and type in your organization name. You will be redirected to your SSO login.

Just-in-time provisioning
In the standard CARTO signup process, new users are required to complete a form with basic details such as their name, role, contact details, etc.
However, for organizations using SSO, this step can be bypassed with Just-in-Time (JIT) provisioning. When JIT is enabled, new users who access CARTO using their SSO credentials for the first time are automatically signed up, eliminating the need to provide any additional details.
To activate JIT Provisioning, simply navigate to the Authentication and SSO section in the Settings and activate the Enable Just-in-time provisioning toggle.

Enforcing SSO
Admins can choose to enforce SSO within their organization. When enabled, users who try to authenticate with other mechanisms, such as User/Password and Google Account, will not be allowed to log in.
To enforce SSO, activate the Enforce Single Sign-On as the only authentication method toggle in the Authentication & SSO settings.