Guides
HomeChangelogStatus PageAPI ExplorerAPI ReferenceCLI ReferenceBlogRequest a Demo

FAQs and Troubleshooting

Suggest Edits

FAQs

Do you support any other IdPs?

We work with any IdP that supports SAML. We have outlined the set up information for the major IdPs, but if you have an IdP not outlined above, let us know, and we'd be happy to help you through the set up.

I've set up SSO in my workspace; what happens to my current users?

When SSO is enabled in your workspace, we automatically disable all username/password users once you have successfully used SSO to login to your account. Any user who signs into your account after SSO is validated is forced to authenticate through your IdP. You do not need to delete and reinvite users.

In other words, when SSO is enabled, access to Monte Carlo becomes entirely dependent who has been granted access in the IdP. Users who previously had access through a username/password but are not granted access through the IdP will be locked out.

If I have SSO enabled in my workspace, do I still need to invite users to our account? Does Monte Carlo support JIT (Just-in-Time provisioning)?

No, you do not. We support Just-in-Time provisioning (JIT) so any users who have a domain or other account identifier matching your SSO settings (i.e. @montecarlodata.com) will be automatically associated with your account. They simply need to put their email into the SSO login box on our login page: getmontecarlo.com/signin, and we will verify their access with your IdP and approve/deny access from there. We will default to the "Viewer" role for these users.

Can I map my Groups in SSO to Authorization Groups in Monte Carlo?

Yes! See more details here. By mapping Groups in SSO to Authorization Groups in Monte Carlo, you can streamline the onboarding of new users and save time.

How do I find the custom app metadata information in Okta?

To find the metadata information that you need to provide to Monte Carlo to enable SSO, follow this Okta help article. An example of a metadata URL would be: https://[okta_org_url].okta.com/app/[app_id]/sso/saml/metadata.

Can I set up multiple Monte Carlo accounts with SSO?

This depends on your identity provider. For Okta, SSO for multiple Monte Carlo accounts is supported. For Microsoft Entra ID and PingFederate, SSO for multiple Monte Carlo accounts is not directly supported.

In Microsoft Entra ID, each application is uniquely identified by its Entity ID within the tenant. This limitation prevents configuring multiple applications associated with the same Monte Carlo Entity ID in the same tenant. Note while the Microsoft documentation suggests appending # to the Entity ID for IDP-initiated SSO, this approach is incompatible with SP-initiated SSO which used by Monte Carlo.

If you need to configure multiple Monte Carlo accounts and your identity provider doesn’t allow defining multiple applications with the same entity ID, you can assign the same application to multiple Monte Carlo accounts. Then, you can leverage Authorization Groups mapped to SSO Groups in Monte Carlo to manage access for those accounts, and use None as Default Group in the SSO configuration.

Troubleshooting

I am seeing an error about invalid samlResponse or relayState; what's wrong?

If you are seeing the following error:

This is because you attempted to log into Monte Carlo by clicking on the tile in your IdP. Monte Carlo currently does not support IdP-initiated log in flows.

To avoid this error, you need to either:

  1. Start your log in flow from getmontecarlo.com/signin and provide your email. This will redirect you through your IdP, and back into Monte Carlo properly.
  2. You can create a bookmark in your IdP that will automatically authenticate users so they do not need to re-enter credentials. This way, you can start your log in flow without leaving your IdP.

Updated 23 days ago