Setting up Single Sign On (SSO)

Monte Carlo supports Single Sign On (SSO) authentication via SAML 2.0. When you set up SSO on Monte Carlo, all users on your domain will be required to sign in using your Identity Provider (IdP).

Configuring your Identity Provider

In your Identity Provider, add Monte Carlo as a new site for SSO authentication. Depending on your provider, you will need the following information:

Supports Service Provider-initiated SSO: Yes
Supports Identity Provider-initiated SSO: No
Entity ID (Audience): urn:amazon:cognito:sp:us-east-1_OQBptzZme
ACS endpoint URL / Single SignOn URL / Recipient URL: https://montecarlodata.auth.us-east-1.amazoncognito.com/saml2/idpresponse
NameID Format: unspecified
Required metadata attributes: Note that the name of the attribute must be the URL in the first column.

| Name ID / Claim Name | Okta | AWS SSO | OneLogin | Azure AD |
| --- | --- | --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.email | ${user:email} | Email | user.mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName | ${user:givenName} | First Name | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName | ${user:familyName} | Last Name | user.surname |

OneLogin: Use the "SAML Custom Connector (Advanced)" to create the application. During setup, make sure to set SAML Initiator to Service Provider and SAML nameID format to Unspecified. In the attribute mapping section, leave the NameID value as Email. Also, do not forget to check the Include in SAML assertion box for each of the metadata attributes (email, first name, last name).

Azure AD: Make sure to check the Entity ID referencing Monte Carlo as the default. In the Use Attributes & Claims section, as Unique User Identifier (Name ID) use user.mail and set the name identifier format to Unspecified.

AWS SSO: In the attribute mappings section, set the mandatory Subject to ${user:email}.
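As an added check (not part of the page or of the Monte Carlo product), the script below parses a SAML assertion and reports where it departs from the values above: an Audience that is not the Entity ID, a Recipient that is not the ACS URL, a NameID Format other than unspecified, or a missing required attribute. The claim URIs, Entity ID and ACS URL are the ones listed on this page; the assertion itself is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Values from the page's "Configuring your Identity Provider" section.
ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_OQBptzZme"
ACS_URL = "https://montecarlodata.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = {CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname"}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion(xml_text: str) -> list[str]:
    """Return mismatches between an assertion and the page's SP requirements:
    Audience (Entity ID), Recipient (ACS URL), NameID Format and the three
    required attribute names. Signature verification is out of scope here;
    the real SP rejects assertions whose signature does not verify."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {ENTITY_ID}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != ACS_URL:
        problems.append(f"Recipient {recipient!r} is not the ACS URL {ACS_URL}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    if not fmt.endswith(":unspecified"):
        problems.append(f"NameID Format {fmt!r} is not unspecified")
    present = {a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - present):
        problems.append(f"missing attribute {missing}")
    return problems

# Constructed sample assertion (not captured from a real IdP): attribute names are
# right, but the IdP was left on the emailAddress NameID format and omits surname.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

print(check_assertion(SAMPLE))  # two problems: NameID format, missing surname
```

Most IdPs let you preview or download a test assertion from the application's SSO settings; running that through the check before enabling SSO for the whole domain catches the two most common misconfigurations (NameID format and a missing or renamed claim).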

Configuring Monte Carlo to require SSO

After configuring Monte Carlo as a new SSO site in your Identity Provider, you will need to complete your Single Sign On configuration by logging into Monte Carlo and clicking over to the Settings tab.

Within Settings, click on Single Sign On to configure the following:

| Configuration | Details |
| --- | --- |
| Domains | A list of domains belonging to your organization that the SAML Identity Provider represents. All users from these domains will be allowed to access your Monte Carlo account and will require SSO authentication. |
| Metadata | You will need to define your Identity Provider in one of the following manners. Metadata URL: your Identity Provider may offer a metadata URL once Monte Carlo is configured as a site; Monte Carlo will use the URL to configure the provider on its end. Metadata XML: if your provider offers a metadata file, you may paste the contents of the file into Monte Carlo's UI to complete your setup. |

FAQs

I've configured my SSO, but when users click on the Monte Carlo app in our IdP, they are seeing an error. What's wrong?
We currently only support Service Provider-initiated SSO. That means the login flow has to start from our platform: getmontecarlo.com/signin.

Do you support any other IdPs?
We work with any IdP that supports SAML. We have outlined the setup information for the major IdPs, but if you have an IdP not outlined above, let us know, and we'd be happy to help you through the setup.

I've set up SSO in my workspace; what happens to my current users?
When SSO is enabled in your workspace, we automatically disable all username/password users. Any user who signs into your account after SSO is enabled is forced to authenticate through your IdP. You do not need to delete and reinvite users.

If I have SSO enabled in my workspace, do I still need to invite users to our account?
No, you do not. We support Just-in-Time provisioning (JIT), so any user whose email domain matches your SSO settings (e.g. @montecarlodata.com) will be automatically associated with your account. They simply need to enter their email into the SSO login box on our login page, getmontecarlo.com/signin; we will verify their access with your IdP and approve or deny access from there. These users default to the "Viewer" role.

Feature Request?

Wish we could support an IdP-initiated login flow? Click on the Intercom chat bot in your workspace and let us know!

Coming Soon!

We are building an out-of-the-box Okta Monte Carlo app! That way, you no longer have to input the Monte Carlo SSO connection details into a custom application in your IdP. Just click on our preconfigured app, give Monte Carlo the IdP metadata link, and you will be ready to go! Let us know any feedback, or if there are any other IdPs you wish we supported out-of-the-box, using the Intercom chat bot in your workspace.