Single Sign On (SSO)

Monte Carlo supports Single Sign On (SSO) authentication via SAML 2.0. When you set up SSO on Monte Carlo, all users on your domain will be required to sign in using your Identity Provider (IdP).

Configuring your Identity Provider

In your Identity Provider, add Monte Carlo as a new site for SSO authentication. Depending on your provider, you will need the following information:

Supports Service Provider-initiated SSO: Yes
Supports Identity Provider-initiated SSO: No
Entity ID (Audience): urn:amazon:cognito:sp:us-east-1_OQBptzZme
ACS endpoint URL / Single SignOn URL / Recipient URL:
NameID Format: unspecified
Required metadata attributes: Note that the name of the attribute must be the URL in the first column.

Name ID / Claim Name | Okta | AWS SSO | OneLogin | Azure AD
 | | ${user:email} | Email | user.mail
 | | ${user:givenName} | First Name | user.givenname
 | | ${user:familyName} | Last Name | user.surname

In Okta, this should look like below.


OneLogin: Use the "SAML Custom Connector (Advanced)" to create the application. During setup, make sure to set SAML Initiator to Service Provider and SAML nameID format to Unspecified. In the attribute mapping section, leave the NameID value as Email. Also, check the Include in SAML assertion box for each of the metadata attributes (email, first name, last name).

Azure AD: Make sure to check the Entity ID referencing Monte Carlo as the default. In the Use Attributes & Claims section, use user.mail as the Unique User Identifier (Name ID) and set the name identifier format to Unspecified.

AWS SSO: In the attribute mappings section, set the mandatory Subject to ${user:email}.

Google SSO: You will need to create a custom SAML app through the Google Admin page. The Name ID will be 'Basic Information > Primary Email' and the Name ID format will be 'UNSPECIFIED'. For attribute mapping you will need to map the default Google Basic Information fields Primary email, First name and Last name to the URLs that are shared in the table above under 'Name ID / Claim Name'. It should look like this:


Configuring Monte Carlo to require SSO

After configuring Monte Carlo as a new SSO site in your Identity Provider, you will need to complete your Single Sign On configuration by logging into Monte Carlo and opening the Settings tab.

Within Settings, click on Single Sign On to configure the following:

Domains or Account Identifiers: A list of domains or account identifiers belonging to your organization that the SAML Identity Provider represents. An account identifier is any arbitrary string, for example, your Monte Carlo account name. Users will be redirected to the Identity Provider based on their email domain or account identifier, and will be allowed access to your Monte Carlo account after successful SSO authentication. Example: (domain) OR acme (account identifier).
Metadata: You will need to define your Identity Provider in one of the following ways.

Metadata URL:
Your Identity Provider may offer a metadata URL once Monte Carlo is configured as a site. Monte Carlo will be able to use the URL to configure the provider on its end.

Metadata XML:
If your provider offers a metadata file, you may copy the contents of the file into Monte Carlo’s UI to complete your setup.


I've configured my SSO, but when users click on the Monte Carlo app in our IdP, they are seeing an error. What's wrong?
We currently only support Service Provider-initiated SSO. That means that the login flow has to start from our platform:

Do you support any other IdPs?
We work with any IdP that supports SAML. We have outlined the setup information for the major IdPs, but if you have an IdP not outlined above, let us know, and we'd be happy to help you through the setup.

I've set up SSO in my workspace; what happens to my current users?
When SSO is enabled in your workspace, we automatically disable all username/password users once you have successfully used SSO to log in to your account. Any user who signs into your account after SSO is validated is forced to authenticate through your IdP. You do not need to delete and reinvite users.

If I have SSO enabled in my workspace, do I still need to invite users to our account?
No, you do not. We support Just-in-Time provisioning (JIT) so any users who have a domain or other account identifier matching your SSO settings (i.e. will be automatically associated with your account. They simply need to put their email into the SSO login box on our login page:, and we will verify their access with your IdP and approve/deny access from there. We will default to the "Viewer" role for these users.

Can I map my Groups in SSO to Authorization Groups in Monte Carlo?
Yes! See more details here. By mapping Groups in SSO to Authorization Groups in Monte Carlo, you can streamline the onboarding of new users and save time.

How do I find the custom app metadata information in Okta?
To find the metadata information that you need to provide to Monte Carlo to enable SSO, follow this Okta help article. An example of a metadata URL would be: https://[okta_org_url][app_id]/sso/saml/metadata.
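
For troubleshooting, the sketch below lints a decoded SAML response captured during a test login against the settings listed under "Configuring your Identity Provider" (Audience, NameID format, required attributes) and flags the unsupported IdP-initiated flow. It is an added example, not Monte Carlo code: `check_response`, the sample response and the `EMAIL_CLAIM` / `FIRST_NAME_CLAIM` placeholder attribute names are assumptions, and it checks configuration only, not signatures.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "urn:amazon:cognito:sp:us-east-1_OQBptzZme"  # Entity ID from this page
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def check_response(xml_text, required_attrs):
    """List configuration problems in a decoded SAML Response (no signature check)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD/entity declarations are not expected in SAML; refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    # An SP-initiated response answers an AuthnRequest and echoes its ID here.
    if not root.get("InResponseTo"):
        problems.append("no InResponseTo: IdP-initiated flow, which is not supported")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion found"]
    audiences = [e.text.strip() for e in assertion.iterfind(".//a:Audience", NS) if e.text]
    if AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {AUDIENCE}")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:  # absent means unspecified
        problems.append(f"NameID Format is {name_id.get('Format')}, expected unspecified")
    present = set()
    for attr in assertion.iterfind("a:AttributeStatement/a:Attribute", NS):
        value = attr.find("a:AttributeValue", NS)
        if value is not None and (value.text or "").strip():
            present.add(attr.get("Name"))
    for name in required_attrs:
        if name not in present:
            problems.append(f"required attribute missing or empty: {name}")
    return problems

# Constructed sample; EMAIL_CLAIM is a placeholder for the real claim-name URL.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" {irt}>
<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
<saml:NameID Format="{fmt}">ana@example.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="EMAIL_CLAIM"><saml:AttributeValue>ana@example.com</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE.format(irt="", fmt=UNSPECIFIED, aud=AUDIENCE), ["EMAIL_CLAIM"]))
```

Pass the claim-name URLs from your own IdP configuration as `required_attrs`; an empty result means the response matches the settings checked here.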


Feature Request?

Wish we could support IdP-initiated login flow? Click on the Zendesk chat bot in your workspace and let us know!