SAML SSO

Single sign-on (SSO) allows users of your Cryptlex account to log in through your existing SAML-enabled identity provider, such as Active Directory (through a federation service such as AD FS), OneLogin, Auth0, Okta, and many others. Users then have one fewer password to manage, and new users can be provisioned automatically the first time they sign in.

Configuring single sign-on with SAML

To get started, go to Settings > Security in the Dashboard and click the Enable SAML SSO button. This will display the SAML SSO settings dialog where you can add details of your identity provider.

Cryptlex supports the SAML 2.0 standard, which defines a metadata format describing an identity provider: its entity ID, its single sign-on endpoints, and the certificate it signs assertions with. Although each identity provider has its own interface and nuances, most publish this metadata at a URL. Since each identity provider is unique, this article only covers using Cryptlex with a generic SAML identity provider.

The easiest way to configure SSO is to point Cryptlex at your identity provider's metadata. Enter the URL in the SAML IdP Metadata URL input box and click Save. Cryptlex will download the metadata document, parse it, and configure the identity provider settings from it. Use an https:// metadata URL: the document carries the identity provider's signing certificate, which is the trust anchor for every later login, so it should only be fetched over a channel whose origin you can verify.

Auto-Provisioning users

The SAML identity provider can be configured to send four attributes in its assertion: Email, FirstName, LastName, and Role. Cryptlex uses Email to identify the user and the other three to automatically provision users.

Email is always required. FirstName, LastName, and Role are only required if auto-provisioning of users is enabled.

Email

Every user in your Cryptlex account is required to have a valid email address, even when using SSO. Since the identity provider is responsible for managing user information, it must send the user's email address to Cryptlex as an attribute of its assertion. Identity providers use different naming conventions, so Cryptlex will look for an email address in the following attributes (case-insensitive), in this order:

FirstName

Just like email addresses, identity providers may send the first name in several common fields. To provide out-of-the-box compatibility with most identity providers, Cryptlex will try to find the first name in the following attributes (case-insensitive):

LastName

Cryptlex looks for the last name in the following attributes (case-insensitive):

Role

If your identity provider supports custom attributes, you can set the Role attribute to automatically provision users with roles created in Cryptlex. Cryptlex looks for the role in the following attributes (case-insensitive):

Role mapping

You can map the roles created in Cryptlex (service provider roles) to your existing roles in the identity provider. Depending on the identity provider role found in the SAML assertion, Cryptlex will then assign the corresponding service provider role when auto-provisioning the user. Because the assertion drives the assignment, anyone who can edit a user's role attribute in the identity provider effectively chooses that user's Cryptlex role, so restrict who can change it there.
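The attribute resolution and role mapping described in this section and the Auto-Provisioning section above, as an added example (not Cryptlex's own code): attributes are read from an assertion's AttributeStatement into a case-insensitive map, each field is resolved by trying a list of candidate names in order, the user is rejected if no email is present, and the identity provider role is translated to a service provider role through a mapping table. The candidate name lists, the sample assertion and its values, the role table and the function names are all assumptions made for this example; the article's own attribute lists are not reproduced here. The example assumes the assertion's signature has already been verified before any attribute is trusted.

```python
"""Resolve auto-provisioning attributes and map an IdP role to a service provider role."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Candidate attribute names, tried in order and compared case-insensitively.
# These lists are this example's assumptions, not the article's actual lists.
EMAIL_CANDIDATES = [
    "email", "mail", "emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
]
FIRST_NAME_CANDIDATES = [
    "firstname", "givenname", "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
]
LAST_NAME_CANDIDATES = [
    "lastname", "surname", "sn", "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
]
ROLE_CANDIDATES = [
    "role", "roles",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
]

# Constructed sample assertion (signature omitted; assumed already verified).
# Attribute names deliberately mix casing and naming conventions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="GivenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="SURNAME"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>everyone</saml:AttributeValue>
      <saml:AttributeValue>idp-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {lower-cased attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = a.get("Name")
        values = [v.text.strip() for v in a.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if name and values:
            attrs.setdefault(name.lower(), []).extend(values)
    return attrs


def all_values(attrs: dict, candidates: list) -> list:
    """Values of the first candidate attribute that is present, in assertion order."""
    for c in candidates:
        if attrs.get(c.lower()):
            return attrs[c.lower()]
    return []


def resolve_user(assertion_xml: str, auto_provision: bool,
                 role_map: dict, sp_roles: set) -> dict:
    """Build the user record Cryptlex-style provisioning would need.

    role_map: IdP role name -> service provider role name.  An IdP role with no
    mapping entry is tried as a service provider role name directly (this
    example's assumption); anything that still is not a known SP role is ignored.
    """
    attrs = extract_attributes(assertion_xml)
    emails = all_values(attrs, EMAIL_CANDIDATES)
    if not emails:
        raise ValueError("assertion carries no email attribute; user cannot be identified")
    user = {"email": emails[0]}
    if not auto_provision:
        return user  # name and role are only needed to create a new user

    first = all_values(attrs, FIRST_NAME_CANDIDATES)
    last = all_values(attrs, LAST_NAME_CANDIDATES)
    idp_roles = all_values(attrs, ROLE_CANDIDATES)
    missing = [n for n, v in (("FirstName", first), ("LastName", last), ("Role", idp_roles)) if not v]
    if missing:
        raise ValueError("auto-provisioning enabled but assertion lacks: " + ", ".join(missing))

    # IdPs often send a whole group list; take the first value that maps to a real SP role.
    sp_role = next((role_map.get(r, r) for r in idp_roles if role_map.get(r, r) in sp_roles), None)
    if sp_role is None:
        raise ValueError("no IdP role in %r maps to a service provider role" % (idp_roles,))
    user.update({"first_name": first[0], "last_name": last[0], "role": sp_role})
    return user


if __name__ == "__main__":
    print(resolve_user(SAMPLE_ASSERTION, True, {"idp-admins": "admin"}, {"admin", "user"}))
```

Rejecting an assertion whose role values map to nothing is deliberate: silently defaulting to some role would let a misconfigured group claim create accounts with privileges nobody chose.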