SSO

Organizations in CARTO can set up Single Sign-On (SSO) integrations, allowing users to log in with their company credentials. Once SSO is integrated, ACME employees, for example, will be able to access CARTO using their ACME login.

SSO is recommended for organizations with more than 10 users due to several key benefits:

Organizations in CARTO can configure Single Sign-On (SSO) to allow users to access CARTO with their company credentials. In practice, this means that after setting up SSO, ACME users will be able to log into CARTO using their ACME login.

SSO is recommended for all organizations with more than 10 users since it adds a few benefits:

• Increased security through leveraging company security policies such as multi-factor authentication. Additionally, when offboarding users from the company they'll automatically lose access to CARTO as well.

• The organization's IT department can decide which users can access CARTO at any time.

• Better management of users with a unique login URL and just-in-time provisioning.

• Access to advanced sharing and discoverability features such as Groups.

Setting up SSO

SSO integrations are handled manually by our Support Team and typically take around 1-2 days after the exchange of some basic information. In your request, please specify your Identity Provider (e.g., Okta) and the Authentication Protocol (e.g., SAML) you wish to use.

CARTO uses Auth0 as the Service Provider. Use this information to preemptively gather the relevant information and speed up the process.

Supported Authentication Protocols

CARTO supports SSO integrations using the following protocols:

• SAML 2.0 (Recommended)

• OpenID Connect (OIDC)

• LDAP

• WS-Fed

• OAuth 2.0

Supported Identity Providers

Most Identity Providers (IdPs) support at least one of these protocols, so if your Identity Provider is not in the following list, it should be supported as well. These are some of the most common services that can be set up as the SSO Identity Provider:

• Okta

• Azure Active Directory

• Google Workspace

• Salesforce

• OneLogin

• Auth0

• PingForce

• Many more...

Group mapping

Our Support Team will guide you through the process of setting up SSO Groups in CARTO. If you require this feature, please mention it in your request.

Managing users in organizations with SSO

This is because organizations using SSO can only add new users through their Identity Provider (IdP). Adding new users directly from CARTO will no longer be possible to prioritize and enforce the SSO authentication method.

From this point onwards, users in your organization will have two ways to access your organization using their SSO login:

1. SSO URL: This URL is available in the settings and is unique to your organization. Opening it will redirect you to your SSO login.

2. SSO Discovery: In the CARTO login page, click on Login with SSO and type in your organization name. You will be redirected to your SSO login.

Just-in-time provisioning

In the standard CARTO sign-up process, new users are required to complete a form with basic details such as their name, position, contact details, etc.

However, for organizations using SSO, this step can be bypassed with Just-in-Time (JIT) provisioning. When JIT is enabled, new users who access CARTO using their SSO credentials for the first time are automatically signed up, eliminating the need to provide any additional details.

To activate JIT Provisioning, simply navigate to the SSO tab in the Users & Groups settings and activate the Enable Just-in-time provisioning toggle.

Enforcing SSO

Admins can choose to enforce SSO within their organization. When enabled, users that try to authenticate with other mechanisms, such as User/Password and Google Account will not be allowed to log in.

To enforce SSO, activate the Enforce Single Sign-On as the only authentication method toggle in the Users & Groups setting.