Single Sign-On (SSO)
Calabi supports Single Sign-On (SSO) for all tiers. Every Calabi deployment includes AWS Cognito as the default identity provider. Enterprise customers can additionally configure SAML 2.0 federation to external identity providers — Okta, Azure Active Directory, Google Workspace, and any SAML 2.0-compliant IdP — and automate user provisioning with SCIM.
Default Authentication: AWS Cognito
Every Calabi tenant is provisioned with a dedicated AWS Cognito User Pool. Out of the box, users authenticate with an email address and password managed by Cognito.
| Feature | Default Configuration |
|---|---|
| Password policy | Minimum 12 characters, 1 uppercase, 1 number, 1 special character |
| MFA | Optional (TOTP via authenticator app) |
| Email verification | Required for new accounts |
| Password reset | Self-service via email link |
| Session duration | 8 hours (configurable up to 24 hours) |
| Token type | JWT (ID token + Access token) |
How SSO Works
Enabling MFA for All Users
- Navigate to Admin → Security → Authentication.
- Under Multi-Factor Authentication, select Required for all users.
- Users are prompted to configure TOTP on next login.
SAML 2.0 Integration
Calabi supports SAML 2.0 Service Provider (SP)-initiated and Identity Provider (IdP)-initiated flows for federating with your corporate identity provider.
Supported Identity Providers
| Provider | Tested | Notes |
|---|---|---|
| Okta | Yes | Full SAML + SCIM support |
| Azure Active Directory / Entra ID | Yes | Full SAML + SCIM support |
| Google Workspace | Yes | SAML only (no SCIM) |
| OneLogin | Yes | Full SAML + SCIM support |
| PingFederate | Yes | SAML only |
| Jumpcloud | Yes | SAML + SCIM |
| Any SAML 2.0 IdP | Compatible | Standard SP metadata exchange |
SAML Attributes Required
Calabi's SAML SP requires the following attributes in the SAML assertion:
| Attribute | Format | Description |
|---|---|---|
| email | urn:oasis:names:tc:SAML:1.1:attribute:EmailAddress | User's primary email (used as username) |
| firstName | String | User's first name |
| lastName | String | User's last name |
| groups | Multi-value string | Group memberships for role mapping (optional but recommended) |
Calabi SP Metadata
Your IdP needs Calabi's Service Provider metadata. Retrieve it from:
https://<your-calabi-domain>/api/auth/saml/metadata
Or download the XML file from Admin → SSO → SP Metadata → Download.
Key SP values:
Entity ID: https://<your-calabi-domain>/api/auth/saml/metadata
ACS URL: https://<your-calabi-domain>/api/auth/saml/callback
SLO URL: https://<your-calabi-domain>/api/auth/saml/logout
Binding: HTTP-POST
Step-by-Step: Okta SAML Setup
Step 1: Create the Okta Application
- Log in to your Okta Admin Console.
- Navigate to Applications → Applications → Create App Integration.
- Select SAML 2.0 → Next.
- App name: Calabi (or your internal name).
- App logo: Upload the Calabi logo (optional).
- Click Next.
Step 2: Configure SAML Settings in Okta
| Field | Value |
|---|---|
| Single sign-on URL | https://<your-calabi-domain>/api/auth/saml/callback |
| Audience URI (SP Entity ID) | https://<your-calabi-domain>/api/auth/saml/metadata |
| Name ID format | EmailAddress |
| Application username | Email |
| Response | Signed |
| Assertion Signature | Signed |
| Signature Algorithm | RSA-SHA256 |
| Digest Algorithm | SHA256 |
| Assertion Encryption | Unencrypted (or Encrypted if your security policy requires it) |
Attribute Statements:
| Name | Name Format | Value |
|---|---|---|
| email | Basic | user.email |
| firstName | Basic | user.firstName |
| lastName | Basic | user.lastName |
Group Attribute Statements (for role mapping):
| Name | Name Format | Filter |
|---|---|---|
| groups | Basic | Matches regex: ^Calabi-.* |
- Click Next → Finish.
Step 3: Download the Okta IdP Metadata
- In the Okta app page, go to Sign On tab.
- Under SAML Signing Certificates, click Actions → View IdP Metadata.
- Copy the metadata XML URL (e.g., https://<your-okta-domain>/app/<app-id>/sso/saml/metadata).
Step 4: Configure SAML in Calabi
- Navigate to Admin → SSO → + Add SAML Provider.
- Fill in:
| Field | Value |
|---|---|
| Display Name | Okta |
| IdP Metadata URL | Paste the Okta metadata URL from Step 3 |
| Email Attribute | email |
| First Name Attribute | firstName |
| Last Name Attribute | lastName |
| Groups Attribute | groups |
| Default Role | Viewer (role assigned to new users if no group mapping matches) |
- Under Group Mappings, add:
| IdP Group | Calabi Role |
|---|---|
| Calabi-Admins | Admin |
| Calabi-Stewards | Data Steward |
| Calabi-Analysts | Analyst |
| Calabi-Viewers | Viewer |
- Click Save.
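The group-to-role resolution configured in Steps 2 and 4 can be reasoned about offline. The following is an added example, not Calabi's or Okta's own code: it applies the `^Calabi-.*` group filter the way Okta's Group Attribute Statement does, resolves a role from the group mappings above with the configured Default Role as fallback, and diagnoses why a user might land as Viewer. The precedence rule for users in several mapped groups (first configured mapping wins) is an assumption this example makes; the page does not state one.

```python
import re

# Okta "Group Attribute Statement" filter from Step 2: only groups whose name
# matches this regex are placed in the assertion's `groups` attribute.
OKTA_GROUP_FILTER = re.compile(r"^Calabi-.*")

# Group Mappings from Step 4, listed in the order they are configured.
GROUP_MAPPINGS = [
    ("Calabi-Admins", "Admin"),
    ("Calabi-Stewards", "Data Steward"),
    ("Calabi-Analysts", "Analyst"),
    ("Calabi-Viewers", "Viewer"),
]
DEFAULT_ROLE = "Viewer"  # the "Default Role" field from Step 4


def okta_groups_attribute(okta_groups):
    """Groups Okta would put in the assertion after applying the ^Calabi-.* filter."""
    return [g for g in okta_groups if OKTA_GROUP_FILTER.match(g)]


def resolve_role(assertion_groups, mappings=GROUP_MAPPINGS, default_role=DEFAULT_ROLE):
    """Return (role, reason) for the groups carried in the assertion.

    Assumption (not stated on the page): when several mapped groups are present,
    the first mapping in configured order wins, so the most privileged mapping
    must be listed first and multi-match users deserve a review. Group names are
    matched exactly and case-sensitively, as the troubleshooting table requires.
    """
    present = set(assertion_groups or [])
    matched = [(grp, role) for grp, role in mappings if grp in present]
    if not matched:
        return default_role, "no group mapping matched; default role applied"
    grp, role = matched[0]
    reason = f"mapped from {grp}"
    if len(matched) > 1:
        reason += "; also in " + ", ".join(g for g, _ in matched[1:]) + " (review)"
    return role, reason


def explain_viewer_role(attributes, mappings=GROUP_MAPPINGS):
    """Diagnose the 'User role is Viewer after login' symptom.

    `attributes` is the attribute dict extracted from the assertion
    (attribute name -> list of string values).
    """
    if "groups" not in attributes:
        near = [n for n in attributes if n.lower() == "groups"]
        if near:
            return f"groups attribute sent as {near[0]!r}; attribute names must match exactly"
        return "groups attribute not sent; check the Group Attribute Statement in the IdP"
    groups = attributes["groups"]
    if not groups:
        return "groups attribute is empty; check the IdP group filter and the user's group assignments"
    mapped = {g for g, _ in mappings}
    if not any(g in mapped for g in groups):
        lowered = {m.lower() for m in mapped}
        near = [g for g in groups if g.lower() in lowered]
        if near:
            return f"group name case mismatch: IdP sent {near[0]!r}; mappings are case-sensitive"
        return f"groups sent ({', '.join(groups)}) but none match a configured mapping"
    role, reason = resolve_role(groups, mappings)
    return f"mapping found: {reason} -> {role}"
```

Run `explain_viewer_role` against the attribute names and values your IdP actually sends (visible in a SAML tracer or the IdP's preview feature) before touching the mappings; most Viewer-after-login cases are an attribute name or group name that differs only in case.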
Step 5: Test the SAML Integration
- In Calabi Admin → SSO, click Test SAML Login next to your Okta provider.
- You are redirected to Okta's login page.
- Log in with a test Okta account that is assigned to the Calabi app.
- On success, you are redirected back to Calabi and logged in.
- Verify the user's role matches the expected group mapping.
Step 6: Set as Default Provider
- In Admin → SSO, click Set as Default next to the Okta provider.
- The Calabi login page now shows a "Sign in with Okta" button as the primary login option.
Azure Active Directory SAML Setup (Summary)
The steps for Azure AD (Entra ID) follow the same pattern with these Azure-specific values:
| Field | Azure AD Value |
|---|---|
| Identifier (Entity ID) | https://<your-calabi-domain>/api/auth/saml/metadata |
| Reply URL (ACS URL) | https://<your-calabi-domain>/api/auth/saml/callback |
| Sign on URL | https://<your-calabi-domain> |
| Name ID | user.mail |
Attribute mappings in Azure AD:
email → user.mail
firstName → user.givenname
lastName → user.surname
groups → user.groups (use Group IDs or display names)
Google Workspace SAML Setup (Summary)
| Field | Google Workspace Value |
|---|---|
| ACS URL | https://<your-calabi-domain>/api/auth/saml/callback |
| Entity ID | https://<your-calabi-domain>/api/auth/saml/metadata |
| Name ID | Basic Information → Primary Email |
| Name ID Format | EMAIL |
Google Workspace does not support SCIM. User provisioning must be done manually or via the Calabi API.
SCIM Provisioning
SCIM (System for Cross-domain Identity Management) automates user lifecycle management — creating, updating, and deprovisioning users in Calabi when you make changes in your IdP.
Supported IdPs for SCIM
- Okta
- Azure Active Directory / Entra ID
- OneLogin
- Jumpcloud
Configuring SCIM
- In Calabi, navigate to Admin → SSO → SCIM.
- Click Generate SCIM Token — copy and save the token.
- Note the SCIM Endpoint URL: https://<your-calabi-domain>/api/scim/v2
- In your IdP, configure SCIM provisioning:
  - SCIM connector base URL: https://<your-calabi-domain>/api/scim/v2
  - Authentication: Bearer Token
  - Token: the token generated in step 2
  - Supported operations: Push new users, Push profile updates, Push groups, Deactivate users
SCIM Operations
| SCIM Event | Calabi Action |
|---|---|
| User created in IdP and assigned to Calabi app | User created in Calabi with default role |
| User's group membership changes | User's Calabi role updated per group mapping |
| User deactivated in IdP | User account deactivated in Calabi (cannot log in; data preserved) |
| User deleted in IdP | User account deactivated in Calabi (not deleted to preserve audit trail) |
| Group renamed in IdP | Group mapping updated automatically |
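To make the SCIM Event → Calabi Action table concrete, here is an added example of the server-side behaviour it describes, written as an in-memory stand-in for the `/api/scim/v2` endpoint. It is not Calabi's code: the real endpoint's request and response formats are not documented on this page, so the SCIM subset handled here (POST /Users, PATCH active, DELETE /Users, POST and PATCH /Groups with `value` member lists) and the precedence rule for users in several mapped groups are assumptions. It shows the two properties worth verifying in any SCIM integration: a bad bearer token is rejected with 401 (the "SCIM users not created" symptom), and deprovisioning deactivates rather than deletes.

```python
import hmac


class ScimEndpoint:
    """In-memory model of the SCIM behaviour in the table above (assumption: a
    simplified SCIM v2 subset, not Calabi's actual implementation)."""

    def __init__(self, token, group_mappings, default_role="Viewer"):
        self._token = token
        self.group_mappings = group_mappings  # [(idp_group_name, calabi_role)] in precedence order
        self.default_role = default_role
        self.users, self.groups = {}, {}
        self._seq = 0

    def _new_id(self):
        self._seq += 1
        return str(self._seq)

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        # constant-time comparison so token checking does not leak by timing
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], self._token)

    def _recompute_roles(self):
        """'User's group membership changes' -> role updated per group mapping."""
        for uid, user in self.users.items():
            member_of = {g["displayName"] for g in self.groups.values() if uid in g["members"]}
            user["role"] = next((r for g, r in self.group_mappings if g in member_of),
                                self.default_role)

    def handle(self, method, path, headers, body=None):
        """Return (http_status, resource_or_error) for one SCIM request."""
        if not self._authorized(headers):
            return 401, {"detail": "invalid or expired SCIM token"}
        parts = path.strip("/").split("/")
        resource, rid = parts[0], (parts[1] if len(parts) > 1 else None)
        store = {"Users": self.users, "Groups": self.groups}.get(resource)
        if store is None:
            return 404, {"detail": "unknown resource"}

        if method == "POST" and rid is None:
            rid = self._new_id()
            if resource == "Users":   # 'User created in IdP and assigned to app'
                store[rid] = {"id": rid, "userName": body["userName"], "active": True}
            else:
                store[rid] = {"id": rid, "displayName": body["displayName"],
                              "members": {m["value"] for m in body.get("members", [])}}
            self._recompute_roles()
            return 201, store[rid]

        obj = store.get(rid)
        if obj is None:
            return 404, {"detail": "not found"}
        if method == "PATCH":
            for op in body.get("Operations", []):
                kind, target = op.get("op", "").lower(), op.get("path")
                if resource == "Users" and kind == "replace" and target == "active":
                    obj["active"] = bool(op["value"])   # 'User deactivated in IdP'
                elif resource == "Groups" and target == "members":
                    ids = {m["value"] for m in op.get("value", [])}
                    if kind == "add":
                        obj["members"] |= ids
                    elif kind == "remove":
                        obj["members"] -= ids
            self._recompute_roles()
            return 200, obj
        if method == "DELETE":
            if resource == "Users":
                obj["active"] = False   # 'User deleted in IdP': deactivate, keep the audit trail
            else:
                del store[rid]
                self._recompute_roles()
            return 204, None
        return 405, {"detail": "method not supported"}
```

When validating a real IdP connector, exercise exactly these four transitions with a test user and confirm in Admin → Users that the account is deactivated, not gone, after the IdP-side delete.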
Session Management
| Setting | Default | Configurable |
|---|---|---|
| Session lifetime | 8 hours | 1–24 hours (Admin → Security) |
| Idle timeout | 2 hours | 30 min–8 hours |
| Concurrent sessions | Unlimited | Can restrict to 1 per user |
| Session revocation | Supported | Admins can terminate any active session |
| Refresh tokens | 30 days | Configurable |
To terminate a user's active sessions:
- Admin → Users → select user.
- Click Revoke All Sessions.
- The user is logged out within 60 seconds on all devices.
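The settings in the table interact: a session can be inside its 8-hour lifetime and still be rejected by the 2-hour idle timeout, and a concurrency limit or an admin revocation overrides both. The following added example (not Calabi's code) is a small policy evaluator that makes those rules explicit; times are epoch seconds. Two points are assumptions rather than page facts: a concurrency limit evicts the user's oldest session, and revocation is visible on the very next check (the page promises propagation within 60 seconds).

```python
HOUR = 3600


class SessionStore:
    """In-memory session table applying the Session Management settings above."""

    def __init__(self, lifetime=8 * HOUR, idle_timeout=2 * HOUR, max_concurrent=None):
        self.lifetime = lifetime            # absolute: 1-24 hours in Admin -> Security
        self.idle_timeout = idle_timeout    # 30 min - 8 hours
        self.max_concurrent = max_concurrent  # None = unlimited, 1 = one per user
        self.sessions = {}  # sid -> {"user", "issued", "last_seen", "revoked"}

    def create(self, sid, user, now):
        """Issue a session; enforce the concurrency limit by revoking the oldest
        active sessions of the same user (assumption: oldest-first eviction)."""
        active = sorted((s for s in self.sessions.values()
                         if s["user"] == user and not s["revoked"]),
                        key=lambda s: s["issued"])
        if self.max_concurrent is not None:
            surplus = len(active) - self.max_concurrent + 1
            for s in active[:max(0, surplus)]:
                s["revoked"] = True
        self.sessions[sid] = {"user": user, "issued": now, "last_seen": now, "revoked": False}

    def check(self, sid, now):
        """Return (ok, reason); a passing check counts as user activity."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown session"
        if s["revoked"]:
            return False, "revoked"
        if now - s["issued"] >= self.lifetime:
            return False, "session lifetime exceeded"
        if now - s["last_seen"] >= self.idle_timeout:
            return False, "idle timeout exceeded"
        s["last_seen"] = now
        return True, "ok"

    def revoke_all(self, user):
        """'Revoke All Sessions' for one user; returns how many were revoked."""
        count = 0
        for s in self.sessions.values():
            if s["user"] == user and not s["revoked"]:
                s["revoked"] = True
                count += 1
        return count
```

Note that the absolute lifetime is measured from issuance, so regular activity never extends it; only the idle timeout is refreshed by use.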
SSO Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| "SAML assertion invalid" | Clock skew between IdP and SP | Ensure both servers sync with NTP; Calabi allows ±5 minute skew |
| "Email attribute not found" | Attribute name mismatch | Verify the attribute name in Calabi matches exactly what the IdP sends |
| User role is "Viewer" after login | No group mapping matched | Check that the groups attribute is being sent and group names match mappings |
| Redirect loop on login | ACS URL misconfigured in IdP | Verify the ACS URL ends with /api/auth/saml/callback |
| "User already exists" on first SSO login | Email matches an existing local account | Admin can merge the accounts in Admin → Users → Merge Identity |
| SCIM users not created | Bearer token expired or incorrect | Regenerate the SCIM token and update the IdP SCIM configuration |
| "Invalid issuer" in SAML response | Entity ID mismatch | Verify Entity ID in IdP matches Calabi's SP metadata Entity ID exactly |
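Several rows of this table (clock skew, attribute name mismatch, ACS URL, Entity ID) can be checked directly against a captured SAML Response before opening a support case. The following is an added diagnostic example, not Calabi's SP code: it parses a constructed Okta-style Response and reports findings phrased like the symptoms above. The tenant domain, the IdP entity ID and the sample XML are placeholders constructed for the example; signature verification is intentionally left out, so this is a configuration checker, not a validator you would trust a login to.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Placeholder values (assumptions): take the real ones from your SP metadata and
# from the IdP metadata URL.
SP_ENTITY_ID = "https://calabi.example.com/api/auth/saml/metadata"
ACS_URL = "https://calabi.example.com/api/auth/saml/callback"
IDP_ENTITY_ID = "http://www.okta.com/EXAMPLE-APP-ID"
ALLOWED_SKEW = 5 * 60  # seconds; the +/-5 minute skew Calabi allows
REQUIRED_ATTRS = ("email", "firstName", "lastName")


def parse_saml_time(value):
    """SAML timestamps are UTC 'YYYY-MM-DDTHH:MM:SSZ'; return epoch seconds."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=dt.timezone.utc).timestamp()


def check_saml_response(xml_text, now, sp_entity_id=SP_ENTITY_ID,
                        acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID):
    """Return a list of findings; an empty list means the checked fields agree."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in Response"]
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL (redirect loop risk)")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append(f"Invalid issuer: assertion issued by {issuer!r}")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append("Entity ID mismatch: SP Entity ID not in AudienceRestriction")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb) - ALLOWED_SKEW:
            findings.append("SAML assertion invalid: not yet valid even with 5 min skew (check NTP)")
        if noa and now >= parse_saml_time(noa) + ALLOWED_SKEW:
            findings.append("SAML assertion invalid: expired even with 5 min skew (check NTP)")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f" (IdP sends {near[0]!r}; names are matched exactly)" if near else ""
            findings.append(f"{name} attribute not found{hint}")
    return findings


# Constructed sample: correct Destination, Issuer and Audience, but the email
# attribute is sent as "Email", which Calabi will not match.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://calabi.example.com/api/auth/saml/callback">
  <saml:Assertion>
    <saml:Issuer>http://www.okta.com/EXAMPLE-APP-ID</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://calabi.example.com/api/auth/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Silva</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>Calabi-Analysts</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, parse_saml_time("2024-01-01T12:02:00Z")):
        print(finding)
```

Feed it the base64-decoded SAMLResponse from a browser SAML tracer and the wall-clock time at which the SP received it; a finding about skew on an otherwise correct response points at NTP on one side, while an Entity ID or Destination finding points at the IdP application settings from Step 2.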
Related Pages
- Roles & Permissions — Role definitions and permission matrix
- Multi-Tenancy — How SSO is scoped per tenant
- Platform Monitoring — Audit logs for authentication events