Monte Carlo supports Single Sign On (SSO) authentication via SAML 2.0. When you set up SSO on Monte Carlo, all users on your domain will be required to sign in using your Identity Provider (IdP).
In your Identity Provider, add Monte Carlo as a new site for SSO authentication. Depending on your provider, you will need the following information:
Supports Service Provider-initiated SSO:
Supports Identity Provider-initiated SSO:
Entity ID (Audience):
ACS endpoint URL / Single SignOn URL / Recipient URL:
Required metadata attributes: Note that the name of the attribute must be the URL in the first column.
Name ID / Claim Name
OneLogin: Use the "SAML Custom Connector (Advanced)" to create the application. During setup, make sure to set SAML Initiator to
Service Provider and SAML nameID format to
Unspecified. In the attribute mapping section, leave NameID value as
Email . Also, do not forget to check the Include in SAML assertion box for each of the metadata attributes (email, first name, last name).
Azure AD: Make sure to check the Entity ID referencing Monte Carlo as the default. In the Use Attributes & Claims section, as Unique User Identifier (Name ID) use
user.mail and set the name identifier format to
AWS SSO: In the attribute mappings section, set the mandatory Subject to
After configuring Monte Carlo as a new SSO site in your Identify Provider, you will need to complete your Single Sign On configuration by logging into Monte Carlo and clicking over to the Settings tab.
Within Settings, click on Single Sign On to configure the following:
A list of domains belonging to your organization that the SAML Identity Provider represents. All users from these domains will be allowed to access your Monte Carlo account and will require SSO authentication.
You will need to define your Identity Provider in one of the following manners.
I've configured my SSO, but when users click on the Monte Carlo app in our IdP, they are seeing an error. What's wrong?
We currently only support Service Provider-initiated SSO. That means that the log in flow has to start from our platform: getmontecarlo.com/signin.
Do you support any other IdPs?
We work with any IdP that supports SAML. We have outlined the set up information for the major IdPs, but if you have an IdP not outlined above, let us know, and we'd be happy to help you through the set up.
I've set up SSO in my workspace; what happens to my current users?
When SSO is enabled in your workspace, we automatically disable all username/password users. Any user who signs into your account after SSO is enabled is forced to authenticate through your IdP. You do not need to delete and reinvite users.
If I have SSO enabled in my workspace, do I still need to invite users to our account?
No, you do not. We support Just-in-Time provisioning (JIT) so any users who have a domain matching your SSO settings (i.e. @montecarlodata.com) will be automatically associated with your account. They simply need to put their email into the SSO login box on our login page: getmontecarlo.com/signin, and we will verify their access with your IdP and approve/deny access from there. We will default to the "Viewer" role for these users.
Wish we could support IdP-initiated log in flow? Click on the Intercom chat bot in your workspace and let us know!
We are building an out-of-the box Okta Monte Carlo app! That way, you no longer have to input the Monte Carlo SSO connection details into your IdP custom application. Just click on our preconfigured app, give Monte Carlo the IdP metadata link, and you will be ready to go! Let us know any feedback, or if there are any other IdPs you wish we supported out-of-the-box using the Intercom chat bot in your workspace.
Updated about 1 month ago