SSO / SAML Setup (Enterprise)
Configure SAML-based Single Sign-On (SSO) so your team can authenticate to Controlinfra using your identity provider (IdP).
Overview
SAML SSO allows your organization to:
- Enforce authentication through your corporate identity provider
- Automatically provision and deprovision users
- Apply your existing access policies to Controlinfra
- Eliminate password management for Controlinfra access
Supported Identity Providers
Controlinfra supports any SAML 2.0-compliant identity provider, including:
- Okta
- Azure Active Directory (Entra ID)
- Google Workspace
- OneLogin
- JumpCloud
- PingIdentity
- Auth0
Prerequisites
Before configuring SSO, you need:
- An Enterprise plan subscription
- Organization Owner or Admin role in Controlinfra
- Admin access to your identity provider
Configuration Steps
Step 1: Get Controlinfra SAML Details
- Go to Settings → Security → SSO/SAML
- Note the following values:
| Field | Value |
|---|---|
| Entity ID (Audience URI) | https://api.controlinfra.com/saml/metadata/<org-id> |
| ACS URL (Reply URL) | https://api.controlinfra.com/saml/acs/<org-id> |
| Sign-on URL | https://console.controlinfra.com/sso/<org-slug> |
Step 2: Configure Your Identity Provider
Create a new SAML application in your IdP using the values from Step 1.
Okta Setup
- Go to Applications → Create App Integration
- Select SAML 2.0
- Enter:
- Single sign-on URL: Your ACS URL from Step 1
- Audience URI: Your Entity ID from Step 1
- Name ID format: EmailAddress
- Configure attribute statements (see Attribute Mapping)
- Click Finish
- Copy the Metadata URL or download the certificate
Azure AD (Entra ID) Setup
- Go to Enterprise Applications → New Application → Create your own
- Select Integrate any other application (Non-gallery)
- Go to Single sign-on → SAML
- Edit Basic SAML Configuration:
- Identifier (Entity ID): Your Entity ID from Step 1
- Reply URL (ACS URL): Your ACS URL from Step 1
- Configure Attributes & Claims (see Attribute Mapping)
- Download Certificate (Base64) from the SAML Signing Certificate section
- Copy the Login URL from the Set up section
Google Workspace Setup
- Go to Admin Console → Apps → Web and mobile apps → Add App → Add custom SAML app
- Copy the SSO URL and download the Certificate
- Enter:
- ACS URL: Your ACS URL from Step 1
- Entity ID: Your Entity ID from Step 1
- Name ID format: EMAIL
- Add attribute mappings (see Attribute Mapping)
- Click Finish and enable the app for your organizational units
Step 3: Configure Controlinfra
- Go to Settings → Security → SSO/SAML
- Enter the details from your IdP:
| Field | Description |
|---|---|
| IdP SSO URL | The login URL from your identity provider |
| IdP Entity ID | The entity ID / issuer from your identity provider |
| Certificate | The X.509 signing certificate (PEM format) |
- Click Save Configuration
Step 4: Test the Connection
- Click Test SSO Connection
- You will be redirected to your IdP to authenticate
- After successful authentication, you are redirected back to Controlinfra
- Verify the test result shows "Connection successful"
WARNING
Do not enforce SSO until you have successfully tested the connection. Enforcing with a misconfigured IdP can lock out all non-owner members.
Step 5: Enforce SSO (Optional)
Once tested, you can require all members to authenticate via SSO:
- Toggle Enforce SSO for all members
- Confirm the change
When enforced:
- Members must sign in through the IdP
- Direct email/password login is disabled
- The organization owner can always sign in directly with email/password as a fallback; treat that account as a break-glass account and protect it accordingly (strong unique credential, tightly limited use)
Attribute Mapping
Configure your IdP to send the following SAML attributes:
| Attribute | Required | Description |
|---|---|---|
| email | Yes | User's email address (used as the unique identifier) |
| firstName | No | User's first name |
| lastName | No | User's last name |
| displayName | No | User's display name |
| role | No | Controlinfra role (owner, admin, member, viewer) |
TIP
If the role attribute is not provided, new users provisioned via SSO are assigned the organization's default role (typically Member). When it is provided, the role is taken from the IdP assertion as sent, so anyone who can edit the app's attribute mappings in the IdP can grant any Controlinfra role, including owner; restrict that IdP permission accordingly.
SCIM Provisioning
SCIM (System for Cross-domain Identity Management) automates user provisioning and deprovisioning.
Enabling SCIM
- Go to Settings → Security → SSO/SAML → SCIM tab
- Click Enable SCIM
- Copy the SCIM Base URL and Bearer Token
- Configure your IdP's SCIM integration with these values
SCIM Capabilities
| Operation | Description |
|---|---|
| Create User | Automatically adds user to the organization when assigned in the IdP |
| Update User | Syncs profile changes from the IdP |
| Deactivate User | Removes user from the organization when unassigned in the IdP |
| Group Sync | Maps IdP groups to Controlinfra roles |
SCIM Endpoint
Base URL: https://api.controlinfra.com/scim/v2/<org-id>
Supported resources:
- /Users — User provisioning
- /Groups — Group/role mapping
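As an added example (not code from this page or from Controlinfra), the following Python builds the three SCIM 2.0 requests an IdP integration issues against the Base URL above: create a user, look a user up by filter, and deactivate a user. The org id, the bearer token placeholder and the user id are assumptions; it also assumes the endpoint accepts the standard RFC 7643/7644 User schema and PatchOp shapes, which the page does not spell out. Requests are built without being sent so it runs offline; send() is what you would call against the real endpoint.

```python
import json
import urllib.parse
import urllib.request

# Placeholders: the real values come from Settings -> Security -> SSO/SAML -> SCIM tab.
SCIM_BASE_URL = "https://api.controlinfra.com/scim/v2/org_123"  # org_123 is a made-up org id
SCIM_TOKEN = "REPLACE_WITH_BEARER_TOKEN"  # secret: load from a secret store, never commit it
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(method, path, body=None, query=None):
    """Build (not send) a SCIM request: bearer token in Authorization, SCIM media type."""
    url = SCIM_BASE_URL + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + SCIM_TOKEN)
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req


def scim_filter_value(text):
    """Escape a value for use inside double quotes in a SCIM filter expression."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def create_user_request(email, given_name, family_name):
    """POST /Users: the 'Create User' operation the IdP performs on assignment."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": email,  # must match the SAML email attribute so SSO and SCIM agree
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return scim_request("POST", "/Users", body)


def find_user_request(email):
    """GET /Users?filter=...: how an IdP locates an existing user before updating it."""
    flt = 'userName eq "%s"' % scim_filter_value(email)
    return scim_request("GET", "/Users", query={"filter": flt})


def deactivate_user_request(user_id):
    """PATCH /Users/{id} setting active=false: the usual shape an IdP sends on unassignment."""
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return scim_request("PATCH", "/Users/" + urllib.parse.quote(user_id, safe=""), body)


def request_body(req):
    """Decode the JSON body of a built request (useful for dry-run inspection)."""
    return json.loads(req.data)


def send(req):
    """Actually send a built request; returns (status, parsed JSON body)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    req = create_user_request("bob@example.com", "Bob", "Lee")  # constructed sample user
    print(req.get_method(), req.full_url)
    print(request_body(req))
    print(find_user_request("bob@example.com").full_url)
    print(request_body(deactivate_user_request("u_42")))  # u_42 is a made-up SCIM id
```

The filter escaping matters when the email (or any attribute you filter on) comes from an untrusted source: an unescaped double quote would let that value change the meaning of the filter sent to the SCIM endpoint.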
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| "Invalid SAML response" | Verify the ACS URL and Entity ID match exactly in your IdP and Controlinfra |
| "Certificate mismatch" | Re-download the certificate from your IdP and update it in Controlinfra |
| "User not found" | Ensure the email attribute is mapped correctly and the user is assigned to the app in the IdP |
| Redirect loop | Check that the Sign-on URL is configured correctly in your IdP |
| Locked out | The organization owner can always sign in directly to fix SSO configuration |
Checking SAML Assertions
Use your browser's developer tools to inspect SAML responses:
- Open Network tab in DevTools
- Initiate SSO login
- Look for the POST to the ACS URL
- Decode the SAMLResponse parameter (Base64) to inspect the XML
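To turn that inspection into the checks behind the troubleshooting table and the Step 1 values, here is an added example (not code from this page or from Controlinfra) that decodes a captured SAMLResponse and compares it against the Entity ID and ACS URL. The embedded response is constructed: org_123, the IdP issuer, the user alice@example.com and the timestamps are placeholders. It checks only that a Signature element is present; verifying the XML signature against the IdP certificate needs an xmlsec-backed library and is what Controlinfra itself does on the ACS side.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample SAMLResponse, shaped like what an IdP POSTs to the ACS URL.
# org_123, the issuer, the user and all timestamps are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
 Destination="https://api.controlinfra.com/saml/acs/org_123">
 <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://api.controlinfra.com/saml/acs/org_123"
     NotOnOrAfter="2024-05-01T12:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://api.controlinfra.com/saml/metadata/org_123</saml:Audience>
   </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role"><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml_response(saml_response_b64):
    """Decode the Base64 SAMLResponse form field from the POST to the ACS URL."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def parse_saml_time(stamp):
    """SAML timestamps are UTC in xs:dateTime form, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def saml_attributes(root):
    """Map attribute Name -> list of values (the Attribute Mapping table names)."""
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_saml_response(root, entity_id, acs_url, now):
    """Compare the response against the Step 1 values; returns a list of problems."""
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion cannot be read this way)")
        return problems
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a Signature")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append("Audience %r is not the Entity ID" % audience)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore): check IdP/SP clock skew")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not emailAddress")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    if not saml_attributes(root).get("email"):
        problems.append("email attribute missing: user lookup fails ('User not found')")
    return problems


if __name__ == "__main__":
    tree = decode_saml_response(SAMPLE_SAML_RESPONSE)
    print("attributes:", saml_attributes(tree))
    print("problems:", check_saml_response(
        tree,
        "https://api.controlinfra.com/saml/metadata/org_123",
        "https://api.controlinfra.com/saml/acs/org_123",
        parse_saml_time("2024-05-01T12:01:00Z")) or "none")
```

Run it against your own captured value by replacing SAMPLE_SAML_RESPONSE with the SAMLResponse field from the DevTools request and passing the Entity ID and ACS URL shown in Step 1; an Audience or Destination mismatch is the usual cause of "Invalid SAML response", and a NotBefore failure on an otherwise correct assertion points at clock skew between the IdP and the service.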
Next Steps
- IP Allowlist — Add network-level security
- Organization Management — Manage members and roles
- Billing & Subscription — Manage your Enterprise plan