Single Sign On (SSO)

Monte Carlo supports Single Sign On (SSO) authentication via SAML 2.0. When you set up SSO on Monte Carlo, all users on your domain will be required to sign in using your Identity Provider (IdP).

Configuring your Identity Provider

In your Identity Provider, add Monte Carlo as a new site for SSO authentication. Depending on your provider, you will need the following information:

Supports Service Provider-initiated SSO: Yes
Supports Identity Provider-initiated SSO: No


SP vs. IdP Login Flows

Service Provider-initiated SSO means Monte Carlo supports starting your login flow directly from our home page.

Identity Provider-initiated SSO is not currently supported, which means users cannot log in to Monte Carlo directly from your IdP. Any user who tries to access Monte Carlo by clicking the tile in your IdP will get an error. Please see the following guide for options around this restriction.

Entity ID (Audience): urn:amazon:cognito:sp:us-east-1_OQBptzZme
ACS endpoint URL / Single SignOn URL / Recipient URL:
NameID Format: unspecified
Required metadata attributes: Note that the name of the attribute must be the URL in the first column.

| Name ID / Claim Name | Okta | AWS SSO | OneLogin | Azure AD |
| --- | --- | --- | --- | --- |
|  |  | ${user:email} | Email | user.mail |
|  |  | ${user:givenName} | First Name | user.givenname |
|  |  | ${user:familyName} | Last Name | user.surname |


In Okta, this should look like below.



OneLogin

Use the "SAML Custom Connector (Advanced)" to create the application.

During setup, make sure to set:

  • SAML Initiator to Service Provider
  • SAML nameID format to Unspecified
  • Recipient field to the value given at the start of this document.
  • In the attribute mapping section, leave NameID value as Email.

Configure these claims (attribute mappings) by setting the appropriate name and values:

Check the Include in SAML assertion box for each of the metadata attributes (email, first name, last name).

After SSO has been enabled in Monte Carlo, you can enter the SSO bookmark link in the Login URL field to let users access Monte Carlo through the OneLogin Portal (see Identity Provider Initiated Login below for instructions on getting the SSO bookmark link).

Azure AD

Make sure to check the Entity ID referencing Monte Carlo as the default. In the User Attributes & Claims section, use user.mail as the Unique User Identifier (Name ID) and set the name identifier format to Unspecified.

Configure these claims by setting the appropriate name and values:


AWS SSO

In the attribute mappings section, set the mandatory Subject to ${user:email}.

Configure these claims by setting the appropriate name and values:

Google SSO

You will need to create a custom SAML app through the Google Admin page. The Name ID will be 'Basic Information > Primary Email' and the Name ID format will be 'UNSPECIFIED'. For attribute mapping you will need to map the default Google Basic Information fields Primary email, First name and Last name to the URLs that are shared in the table above under 'Name ID / Claim Name'. It should look like this:


In MyID, you will have to include the Name ID/Claim Names listed above as Labels for your Attributes, and each attribute should be in the unspecified format. The top level attribute should be Email in the unspecified format.
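Before requiring SSO, you can check a test assertion from your IdP against the values given at the start of this document. The following is an added example, not Monte Carlo's own code: it lints a decoded SAML assertion for the Audience, the unspecified NameID format, the Recipient and the required attribute names. The function name, the ACS URL and the claim-name URL are placeholders assumed for illustration, and the script checks configuration only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# From this page: the Entity ID (Audience); the NameID format must be unspecified.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_OQBptzZme"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def lint_assertion(xml_text, recipient, required_attrs):
    """List configuration problems in a decoded assertion (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} lacks {EXPECTED_AUDIENCE}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        # An absent Format attribute already means 'unspecified' in SAML 2.0.
        problems.append(f"NameID Format is {name_id.get('Format')}")
    confirmations = root.iterfind(".//saml:SubjectConfirmationData", NS)
    recipients = [d.get("Recipient") for d in confirmations]
    if recipient not in recipients:
        problems.append(f"Recipient {recipients} does not match {recipient}")
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        sent[attr.get("Name")] = values
    for name in required_attrs:
        # The attribute Name must be the claim URL itself, not a friendly label.
        if not sent.get(name):
            problems.append(f"Required attribute {name} is missing or empty")
    return problems

# Constructed sample: placeholder ACS URL and claim name, deliberately misconfigured.
ACS = "https://sp.example.invalid/acs"
CLAIMS = ["https://claims.example.invalid/email"]
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">a@example.invalid</saml:NameID>
 <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"/>
 </saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>a@example.invalid
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    for problem in lint_assertion(SAMPLE, ACS, CLAIMS):
        print("FAIL:", problem)
```

The constructed sample fails on two points the setup steps call out: the NameID format is emailAddress rather than unspecified, and the email attribute is sent under a friendly name instead of the claim URL.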

Configuring Monte Carlo to require SSO

After configuring Monte Carlo as a new SSO site in your Identity Provider, you will need to complete your Single Sign On configuration by logging into Monte Carlo and opening the Settings tab.

Within Settings, click on Single Sign On to configure the following:

Domains or Account Identifiers: A list of domains or account identifiers belonging to your organization that the SAML Identity Provider represents. An account identifier is any arbitrary string, for example, your Monte Carlo account name. Users will be redirected to the Identity Provider based on their email domain or account identifier, and will be allowed access to your Monte Carlo account after successful SSO authentication. Example: (domain) OR acme (account identifier).

Metadata: You will need to define your Identity Provider in one of the following ways.

Metadata URL:
Your Identity Provider may offer a metadata URL once Monte Carlo is configured as a site. Monte Carlo will be able to use the URL to configure the provider on its end.

Metadata XML:
If your provider offers a metadata file, you may copy the contents of the file on Monte Carlo’s UI to complete your setup.

Default Authorization Group: Specify a default authorization group to which users will be added upon login. Without this default setting, users logging in through SSO won't be associated with any authorization group, preventing them from using Monte Carlo.
Additionally, you can map authorization groups during user login using SSO Group mapping.

Identity Provider Initiated Login

Though there isn't yet a true IdP initiated login, you can create a Monte Carlo SSO bookmark link in your IdP that will automatically authenticate users so they do not need to re-enter credentials.

You can copy this link from within Settings > Users > Single Sign On.

Please note that the link will regenerate each time you reactivate the Single Sign-On (SSO) feature. If you disable and later reconfigure it, be sure to copy the updated link.


Please see our SSO Troubleshooting Steps and FAQs.