Single Sign-On (SSO)

Enterprise

Configure Single Sign-On to enable secure, centralized authentication for your Containment.AI organization.

Overview

SSO provides:

  • Centralized authentication through your IdP
  • Enforcement of corporate password policies
  • Automatic session management
  • Simplified user experience

Supported Protocols

SAML 2.0

Standard enterprise federation protocol:

  • Okta
  • Azure AD / Entra ID
  • OneLogin
  • Ping Identity
  • Google Workspace
  • JumpCloud
  • Other SAML 2.0 IdPs

OIDC (OpenID Connect)

Modern authentication protocol:

  • Okta
  • Auth0
  • Azure AD
  • Google
  • Keycloak

Setup Guide

Prerequisites

  • Enterprise plan subscription
  • IdP admin access
  • Containment.AI admin (Owner role)

Step 1: Gather Information

From Containment.AI dashboard, collect:

  • ACS URL: https://app.containment.ai/auth/saml/acs
  • Entity ID: https://app.containment.ai/saml/{org-id}
  • Metadata URL: Available in SSO settings

Step 2: Configure Your IdP

Okta

  1. Go to Applications > Create App Integration
  2. Select SAML 2.0
  3. Configure:
    • App name: Containment.AI
    • Single sign on URL: {ACS URL}
    • Audience URI: {Entity ID}
    • Name ID format: EmailAddress
  4. Assign users/groups
  5. Download IdP metadata or note:
    • IdP SSO URL
    • IdP Entity ID
    • X.509 Certificate

Azure AD / Entra ID

  1. Go to Enterprise Applications > New Application
  2. Create Non-gallery application
  3. Go to Single sign-on > SAML
  4. Configure:
    • Identifier: {Entity ID}
    • Reply URL: {ACS URL}
    • Sign-on URL: https://app.containment.ai/login
  5. Download Federation Metadata XML

OneLogin

  1. Go to Applications > Add App
  2. Search for SAML Custom Connector
  3. Configure:
    • Consumer URL: {ACS URL}
    • Audience: {Entity ID}
  4. Assign users
  5. Note SSO and certificate details

Step 3: Configure Containment.AI

  1. Go to Settings > Enterprise > SSO
  2. Click Configure SSO
  3. Choose SAML or OIDC
  4. Enter IdP information:

For SAML:

  • IdP SSO URL
  • IdP Entity ID
  • Certificate (paste X.509 cert)

For OIDC:

  • Issuer URL
  • Client ID
  • Client Secret

  5. Click Test Configuration
  6. Complete test sign-in
  7. Enable SSO

SSO Settings

Enforcement Options

Setting          Description
Optional         Users can use SSO or email/password
Required         SSO only, no email/password
Required + JIT   SSO required, auto-create users

Just-In-Time (JIT) Provisioning

Automatically create users on first SSO login:

  • User signs in via IdP
  • Account created in Containment.AI
  • Default permissions applied

Note: For full user lifecycle management, use SCIM instead of JIT.

Domain Verification

Required for SSO enforcement:

  1. Verify your email domain
  2. SSO is enforced for that domain only
  3. Multiple domains supported

Attribute Mapping

Map IdP attributes to Containment.AI fields:

IdP Attribute    Containment.AI Field
email            Email address
firstName        First name
lastName         Last name
groups           Team membership
department       Department

Custom Attributes

Map additional attributes:

Custom Mappings:
  - Source: employeeType
    Target: role
    Mapping:
      "Manager": "admin"
      "Employee": "viewer"

Group Mapping

Sync IdP groups to Containment.AI teams:

  1. Enable group sync in SSO settings
  2. Map IdP groups to teams:
     Group Mappings:
       - IdP Group: "Engineering"
         Team: "engineering"
       - IdP Group: "Security Team"
         Team: "security"
  3. Users inherit team membership from IdP
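The attribute, custom-attribute and group mappings above decide what a JIT-created account looks like. The following added example (not Containment.AI's code) applies those mappings to a constructed set of IdP attributes and enforces the two checks the page requires before provisioning: the email attribute must be present and its domain must be verified. It assumes "viewer" as the default role for an unmapped employeeType and example.com as the verified domain.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Mappings taken from the attribute, custom-attribute and group-mapping sections.
ROLE_MAP = {"Manager": "admin", "Employee": "viewer"}                 # employeeType -> role
GROUP_MAP = {"Engineering": "engineering", "Security Team": "security"}  # IdP group -> team
DEFAULT_ROLE = "viewer"            # assumption: the "default permissions" JIT applies
VERIFIED_DOMAINS = {"example.com"}  # assumption: the org's verified email domain


@dataclass
class ProvisionedUser:
    email: str
    first_name: str
    last_name: str
    department: Optional[str]
    role: str
    teams: List[str] = field(default_factory=list)
    unmapped_groups: List[str] = field(default_factory=list)


def provision_from_assertion(attrs: dict) -> ProvisionedUser:
    """Build the account JIT would create from the attributes an IdP sends.

    Raises ValueError when the assertion fails a required check: the email
    attribute must be mapped, and JIT only runs for a verified domain.
    """
    if not attrs.get("email"):
        raise ValueError("email attribute is not mapped in the IdP assertion")
    email = attrs["email"].strip().lower()
    domain = email.rsplit("@", 1)[-1]
    if domain not in VERIFIED_DOMAINS:
        raise ValueError(f"domain {domain!r} is not verified; SSO is not enforced for it")
    role = ROLE_MAP.get(attrs.get("employeeType", ""), DEFAULT_ROLE)
    teams, unmapped = [], []
    for group in attrs.get("groups", []):
        if group in GROUP_MAP:
            teams.append(GROUP_MAP[group])
        else:
            unmapped.append(group)  # reported for review, never silently granted a team
    return ProvisionedUser(email, attrs.get("firstName", ""), attrs.get("lastName", ""),
                           attrs.get("department"), role, teams, unmapped)


# Constructed sample attributes, as an IdP would send them with the page's attribute mapping.
SAMPLE_ATTRS = {"email": "Ada@Example.com", "firstName": "Ada", "lastName": "Lovelace",
                "employeeType": "Manager", "groups": ["Engineering", "Contractors"],
                "department": "R&D"}

if __name__ == "__main__":
    print(provision_from_assertion(SAMPLE_ATTRS))
```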

Testing SSO

Before Enabling

  1. Click Test Configuration
  2. Sign in via your IdP
  3. Verify user attributes mapped correctly
  4. Check group membership (if configured)

Test Mode

Enable SSO in test mode:

  • SSO available but not enforced
  • Test with specific users
  • Verify everything works
  • Then enforce for all

Troubleshooting

Authentication Failed

  1. Check certificates

    • Verify certificate is current
    • Re-download and re-upload
    • Ensure proper format (PEM)
  2. Check URLs

    • ACS URL exactly matches
    • Entity ID exactly matches
    • No trailing slashes
  3. Check attributes

    • Email attribute is mapped
    • Name ID format is EmailAddress
    • User exists in IdP

User Not Provisioned

  1. Check JIT settings

    • JIT enabled?
    • Required attributes present?
    • Domain verified?
  2. Check IdP assignment

    • User assigned to app in IdP?
    • Groups assigned?

Certificate Errors

  1. Verify certificate format
  2. Check certificate expiration
  3. Re-download from IdP
  4. Remove any stray whitespace around the pasted certificate

Best Practices

Security

  • Enable SSO enforcement
  • Use SCIM for user lifecycle
  • Require MFA in IdP
  • Rotate certificates before expiry

Rollout

  • Test with pilot group first
  • Document configuration
  • Communicate to users
  • Have backup access method

Maintenance

  • Monitor certificate expiration
  • Keep IdP integration updated
  • Review access periodically
  • Test after IdP changes