Organizations in CARTO can set up Single Sign-On (SSO) integrations so that they can use their own company identity to access CARTO. In practice, this means that, after integrating Single Sign-On, users from ACME will be able to access CARTO using their ACME login.

SSO is recommended for all organizations with more than 10 users since it adds a few benefits:

  • Increased security through leveraging their company security policies such as multi-factor authentication. Additionally, when offboarding users from the company they'll automatically lose access to CARTO as well.

  • The organization's IT department can decide which users can access CARTO at any time.

  • Better management of users with a unique login URL and just-in-time provisioning

  • Access to advanced sharing and discoverability features such as Groups

Single Sign-On (SSO) integrations are only available for Enterprise Medium plans and above. Please get in touch at if you’re interested in this feature.

Setting up SSO

The setup of an SSO integration in your organization is done manually via our Support Team. It usually takes around 1-2 days after some basic information exchange. In your request, please tell us what is your Identity Provider (eg: Okta) and which Authentication Protocol (eg: SAML) you would like to use.

CARTO uses Auth0 as the Service Provider. Use this information to preemptively gather the relevant information and speed up the process.

Supported Authentication Protocols

CARTO can set up SSO integrations using one of the following protocols:

  • SAML (Recommended)

  • OpenID Connect (OIDC)

  • LDAP

  • WS-Fed

  • OAuth 2.0

Supported Identity Providers

Most Identity Providers (IdPs) support at least one of these protocols, so if your Identity Provider is not in the following list, it should be supported as well. These are some of the most common services that can be set up as the SSO Identity Provider:

  • Okta

  • Azure Active Directory

  • Google Workspace

  • Salesforce

  • OneLogin

  • Auth0

  • PingForce

  • Many more...

Group mapping

CARTO has the ability to read and synchronize the groups attribute coming from your SSO to automatically maintain groups in CARTO. This system can be then used to share maps and other objects with specific groups of users.

Our Support Team will guide you through the process of mapping the groups attribute, please indicate in your request if you need this feature.

Groups are only available for Enterprise Large plans and above. Please get in touch at if you’re interested in this feature.

SSO integrations using OAuth 2.0 don't have support for Groups. If you need this feature, consider using SAML.

When SSO is enabled

After the SSO integration is finished, your users will have two ways to access your organization using their SSO login:

  1. SSO URL: This URL is available in the settings and is unique to your organization. Opening it will redirect you to your SSO login.

  2. SSO Discovery: Simply, at the login page, click on "Login with SSO" and type in your organization name. You will be redirected to the SSO login.

Just-in-time provisioning

All regular CARTO users that are joining the platform for the first time will have to answer a set of questions such as their name, position, etc.

If this "Just-in-time provisioning" setting under SSO is enabled, you will opt out of this process, and from that moment your SSO users accessing CARTO for the first time will sign up automatically, without having to input any additional information

Default role for new SSO users

Users joining the organization through Single Sign-On will follow the same Default role that you've configured in your Settings (from Users, Requests, or SSO). For more information on how the roles and the default role woworkrks, read Managing user roles.

Last updated