SSO
Organizations in CARTO can set up Single Sign-On (SSO) integrations, allowing users to log in with their company credentials. Once SSO is integrated, ACME employees, for example, will be able to access CARTO using their ACME login.
SSO is recommended for organizations with more than 10 users due to several key benefits:
Increased security through leveraging company security policies such as multi-factor authentication. Additionally, when users are offboarded from the company, they automatically lose access to CARTO as well.
The organization's IT department can decide which users can access CARTO at any time.
Better management of users with a unique login URL and just-in-time provisioning.
Access to advanced sharing and discoverability features such as Groups.
SSO integrations are only available for Enterprise Medium plans and above. Please get in touch at support@carto.com if you’re interested in this feature.
SSO integrations are handled manually by our Support Team and typically take around 1-2 days after the exchange of some basic information. In your request, please specify your Identity Provider (e.g., Okta) and the Authentication Protocol (e.g., SAML) you wish to use.
CARTO uses Auth0 as the Service Provider. Knowing this in advance lets you gather the relevant details from your Identity Provider and speed up the process.
CARTO supports SSO integrations using the following protocols:
SAML (Recommended)
OpenID Connect (OIDC)
LDAP
WS-Fed
OAuth 2.0
Most Identity Providers (IdPs) support at least one of these protocols, so your Identity Provider should be supported even if it is not in the following list. These are some of the most common services that can be set up as the SSO Identity Provider:
Okta
Azure Active Directory
Google Workspace
Salesforce
OneLogin
Auth0
PingForce
Many more...
CARTO can read the groups attribute coming from your IdP to synchronize groups in CARTO. This system can then be used to share maps and other assets with specific groups of users.
Our Support Team will guide you through the process of setting up SSO Groups in CARTO. If you require this feature, please mention it in your request.
Groups are only available for Enterprise Large plans and above. Please get in touch at support@carto.com if you’re interested in this feature.
SSO integrations using OAuth 2.0 don't support Groups. If you need this feature, consider using SAML or OIDC instead.
Once the SSO integration is completed, the Invitations and Requests tabs in the Users and Groups settings will be disabled, as well as the Invite User button and the automatic enrollment checkbox in the General settings.
This is because organizations using SSO can only add new users through their Identity Provider (IdP). To prioritize and enforce the SSO authentication method, adding new users directly from CARTO will no longer be possible.
From this point onwards, users in your organization will have two ways to access your organization using their SSO login:
SSO URL: This URL is available in the settings and is unique to your organization. Opening it will redirect you to your SSO login.
SSO Discovery: On the CARTO login page, click on Login with SSO and type in your organization name. You will be redirected to your SSO login.
Users joining the organization through Single Sign-On will have the Default role set in the Users & Groups settings. For more information, read Managing user roles.
In the standard CARTO sign-up process, new users are required to complete a form with basic details such as their name, position, contact details, etc.
However, for organizations using SSO, this step can be bypassed with Just-in-Time (JIT) provisioning. When JIT is enabled, new users who access CARTO using their SSO credentials for the first time are automatically signed up, eliminating the need to provide any additional details.
To activate JIT Provisioning, simply navigate to the SSO tab in the Users & Groups settings and activate the Enable Just-in-time provisioning toggle.
Admins can choose to enforce SSO within their organization. When enabled, users who try to authenticate with other mechanisms, such as User/Password and Google Account, will not be allowed to log in.
To enforce SSO, activate the Enforce Single Sign-On as the only authentication method toggle in the Users & Groups settings.
When enforcing SSO, non-SSO users will remain in the organization with their assets intact, but they will remain inaccessible as long as SSO is being enforced.