Overview

Single Sign-On (SSO) via SAML 2.0 allows your organization to manage user authentication through your existing Identity Provider (IdP), such as Okta, Azure AD, Google Workspace, or OneLogin. This centralizes user access control, improves security, and streamlines the login experience. Once configured, users can sign in to Elementum using their organization credentials, and you can enforce SSO-only authentication to ensure all access goes through your IdP.

Prerequisites

Before configuring SAML SSO, ensure you have:
  • Elementum permissions: Organization Admin access
  • IdP access: Administrator access to your Identity Provider (Okta, Azure AD, Google Workspace, OneLogin, etc.)
  • IdP configuration details:
    • SSO URL from your IdP
    • Issuer/Entity ID from your IdP
    • X.509 signing certificate from your IdP
  • User attributes: Ensure your IdP sends firstName and lastName attributes in SAML assertions (and optionally jobTitle for job title syncing)
Elementum provides Service Provider (SP) metadata URLs that your IdP will need. These are displayed in the configuration interface and include the Assertion Consumer Service (ACS) URL and Audience URI.

Configuration Steps

Step 1: Navigate to SSO Settings

  1. Log into Elementum as an Organization Admin
  2. Navigate to Organization Settings
  3. Select the Single Sign-On tab
  4. Locate the SAML Configuration section

Step 2: Gather Elementum SP Metadata

Before configuring your IdP, you’ll need the Service Provider information from Elementum:
  1. Copy the Assertion Consumer Service URL
    • Example: https://se.elementum.io/api/v1/saml/callback
    • This is where your IdP will send SAML responses
  2. Copy the Audience URI (SP Entity ID)
    • Example: https://se.elementum.io/api/v1/saml/metadata
    • This uniquely identifies your Elementum instance to your IdP
Keep these URLs handy - you’ll need to enter them into your Identity Provider configuration in the next step.

Step 3: Configure Your Identity Provider

Configure a new SAML application in your Identity Provider. While specific steps vary by provider (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, JumpCloud), you’ll typically need to follow the pattern below, shown here for Okta:
  1. In Okta Admin Console, go to Applications → Create App Integration
  2. Select SAML 2.0 and click Next
  3. Enter application name (e.g., “Elementum”)
  4. Configure SAML settings:
    • Single sign on URL: Paste your Elementum ACS URL
    • Audience URI: Paste your Elementum Audience URI
    • Name ID format: EmailAddress
    • Application username: Email
  5. Add attribute statements:
    • firstName → user.firstName
    • lastName → user.lastName
    • jobTitle → user.title (optional)
  6. Click Next and complete setup
  7. Navigate to Sign On tab and click View SAML setup instructions
  8. Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and download the X.509 Certificate
The exact field names and navigation may vary depending on your IdP version. Consult your IdP’s documentation if you need specific guidance.

Step 4: Configure SAML in Elementum

Return to Elementum’s SSO configuration page and enter the information from your Identity Provider:
  1. Enable SAML Authentication
    • Toggle the Enable switch to activate SAML
  2. Identity Provider SSO URL
    • Paste the SSO/Login URL from your IdP
    • This is where Elementum redirects users for authentication
  3. Identity Provider Issuer
    • Paste the Issuer/Entity ID from your IdP
    • This identifies your IdP in SAML exchanges
  4. Identity Connection
    • Select Email from the dropdown
    • This maps IdP users to Elementum users via email address
  5. Identity Provider X.509 Certificate
    • Paste the complete X.509 certificate from your IdP
    • Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers
    • Remove any extra whitespace or line breaks that may cause issues
  6. Configure Inactive User Logout (optional but recommended)
    • Desktop Users: Set hours of inactivity before automatic logout (default: 24 hours)
    • Mobile Users: Set days of inactivity before automatic logout (default: 30 days)
  7. Auto Create Unknown Users (optional)
    • Enable this toggle if you want Elementum to automatically create user accounts when someone authenticates via SSO for the first time
    • Requires firstName and lastName attributes in the SAML assertion
    • If enabled and jobTitle is provided, the user’s job title will also sync
  8. Click Save to apply the configuration
Do not enable “Enforce SSO-only authentication” yet. Test SSO thoroughly first to ensure it works correctly before enforcing it organization-wide.

Configuration Notes

Critical Attribute Mapping Requirements:
  • Case Sensitivity: Attribute names are case-sensitive. Ensure they match exactly (e.g., jobTitle vs JobTitle will cause issues)
  • Required Fields: firstName, lastName, and email claims are mandatory for automatic provisioning of new users when Auto Create Unknown Users is enabled
  • External Identifiers: If you select “External Identifier” in Elementum for the “Identity Connection” field, then a claim named externalId is also required in the SAML assertion
  • Job Title: The jobTitle attribute is optional but highly recommended for complete user profiles
  • NameSpace Values: For Azure AD/Entra ID users, ensure you remove the NameSpace values from Additional Claims or the integration will fail

Step 5: Test SSO Authentication

Before enforcing SSO, verify it works correctly:
  1. Open an incognito/private browser window
    • This ensures you’re testing a fresh login flow
  2. Navigate to your Elementum login page
    • You should now see a Sign in with SSO button
  3. Click “Sign in with SSO”
    • You’ll be redirected to your IdP’s login page
  4. Log in with your organization credentials
    • Enter your IdP username and password
  5. Verify successful authentication
    • You should be redirected back to Elementum and logged in
    • Confirm your user profile shows correct information (name, email, job title if configured)
  6. Test with multiple users
    • Have several team members test the SSO flow
    • Verify different user roles authenticate correctly
If you enabled Auto Create Unknown Users:
  1. Have a user who doesn’t yet exist in Elementum attempt to log in via SSO
  2. Verify they can successfully authenticate
  3. Check that their user account was automatically created
  4. Confirm their profile contains:
    • Email address (from SAML NameID)
    • First and last name (from SAML attributes)
    • Job title (if configured in SAML attributes)
  5. Assign appropriate roles and permissions to the new user
Auto-created users will have minimal default permissions. Ensure you have a process to assign proper roles after their first login.
The Identity Connection setting determines how Elementum matches IdP users to existing accounts:
  • Email: Matches users based on email address (recommended)
    • This means the email in your IdP must match the email in Elementum
To verify:
  1. Check that the SAML NameID or email attribute matches existing Elementum user emails
  2. Test login with users who have accounts
  3. Verify they log into their existing accounts (not new ones)

Step 6: Enforce SSO-Only Authentication (Optional)

Once you’ve thoroughly tested SSO and confirmed it works for all users:
  1. Return to Organization Settings → Single Sign-On
  2. Enable the Enforce SSO-only authentication toggle
  3. Click Save
Critical: Once enabled, users will only be able to log in via SSO. Standard username/password authentication will be disabled. Ensure all users can access SSO before enforcing this setting.
Even with SSO enforcement enabled, Organization Admins can access a backup login method in case of IdP issues. Contact Elementum support for emergency access procedures.

Local Password Policy

For users who are not on SSO or before SSO is enforced organization-wide, Elementum enforces the following local password requirements:

Password Requirements:
  • Minimum Length: 12 characters
  • Complexity Requirements (must contain at least one of each):
    • One lowercase character (a-z)
    • One uppercase character (A-Z)
    • One number (0-9)
    • One symbol (e.g., !@#$%^&*()_+-=[]{}|;:'",.<>?)
  • Restrictions:
    • May not contain the user’s name
    • May not contain the user’s email address
Once SSO is enforced, these local password requirements no longer apply as all authentication goes through your Identity Provider.

User Experience

End User Login Experience

The login experience varies depending on your SSO configuration:
SSO Enabled (Not Enforced)

What users see: The login page displays a split interface giving users two options:
  1. Top Section: “Log In With Email”
    • Traditional username/password login
    • Available for users with local accounts
    • Subject to local password policy requirements
  2. Bottom Section: “Log In With Single Sign On”
    • Clickable button that redirects to your IdP
    • Users authenticate using their organization credentials
    • Recommended for all organization users
Use case: This configuration is ideal during the SSO testing and migration period, allowing users to choose their authentication method while you verify SSO works correctly.

Session Management

  • Desktop sessions: Expire after configured hours of inactivity (default: 24 hours)
  • Mobile sessions: Expire after configured days of inactivity (default: 30 days)
  • IdP session: If users are already logged into your IdP, they may experience automatic single sign-on without re-entering credentials
  • Session timeout: Applies regardless of SSO enforcement setting

Security Best Practices

Recommended Security Configuration

  • ✅ Enable SSO enforcement after successful testing
  • ✅ Configure automatic logout for inactive sessions
  • ✅ Regularly rotate your X.509 certificates
  • ✅ Enable Multi-Factor Authentication (MFA) in your IdP
  • ✅ Use Auto Create Unknown Users only if you have proper onboarding processes
  • ✅ Regularly audit user access in both your IdP and Elementum
  • ✅ Monitor failed SSO authentication attempts
  • ✅ Document your SSO configuration for your IT team

Certificate Management

  • Validity: X.509 certificates typically expire after 1-3 years
  • Rotation: When your IdP issues a new certificate:
    1. Download the new certificate from your IdP
    2. Update it in Elementum SSO settings before the old one expires
    3. Test authentication to confirm the update worked
  • Monitoring: Set calendar reminders to check certificate expiration

User Provisioning

With Auto Create Enabled

Pros:
  • New users can access Elementum immediately
  • No manual account creation required
  • Scales easily for large organizations
Cons:
  • Users created with default minimal permissions
  • Requires post-login role assignment process
  • May create accounts for users who shouldn’t have access
Best for: Organizations with automated onboarding workflows and clear role assignment processes

Troubleshooting

Common Issues

Cause: SAML may not be enabled or the configuration hasn’t been saved.
Solution:
  1. Verify the Enable toggle is turned on
  2. Ensure you clicked Save after configuration
  3. Try clearing your browser cache
  4. Try a different browser or incognito mode
Cause: Incorrect IdP configuration, or the user is not assigned to the application.
Solution:
  1. Verify the user is assigned to the Elementum app in your IdP
  2. Check that the IdP application is active/enabled
  3. Confirm the SSO URL and Issuer are correct in Elementum
  4. Verify required attributes (firstName, lastName) are configured in your IdP
Cause: Certificate mismatch, incorrect ACS URL, or missing required attributes.
Solution:
  1. Verify the X.509 certificate is correctly copied (including headers)
  2. Confirm the ACS URL in your IdP matches exactly what Elementum provided
  3. Check that your IdP sends required SAML attributes (firstName, lastName)
  4. Review browser developer console and network tab for specific error messages
  5. Contact Elementum support with error details
Cause: Email mismatch between IdP and Elementum, or Identity Connection misconfigured.
Solution:
  1. Verify Identity Connection is set to Email
  2. Confirm user emails in Elementum match emails in your IdP exactly
  3. Check that IdP sends email in SAML NameID or as an attribute
  4. Temporarily disable SSO enforcement to allow testing
Cause: Auto Create Unknown Users is disabled, or required attributes are missing.
Solution:
  1. Verify Auto Create Unknown Users toggle is enabled
  2. Confirm your IdP sends firstName and lastName attributes in SAML assertions
  3. Check attribute name spelling matches exactly (case-sensitive)
  4. Review IdP logs to see what attributes are being sent
Cause: Malformed certificate, expired certificate, or whitespace issues.
Solution:
  1. Verify certificate includes begin/end markers:
    -----BEGIN CERTIFICATE-----
    [certificate content]
    -----END CERTIFICATE-----
    
  2. Remove any extra spaces or line breaks
  3. Check certificate hasn’t expired in your IdP
  4. Download a fresh certificate from your IdP
  5. Use a text editor (not Word) to copy/paste the certificate
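An added example, not Elementum’s own code: a small Python routine that normalizes a pasted IdP certificate the way this item and Step 4 describe (checks the BEGIN/END markers, strips stray whitespace, validates the base64 and the outer DER structure, re-wraps at 64 columns) and names the specific defect when it cannot. The certificate used is a constructed DER stand-in, not a real X.509 certificate; expiry is not checked here and is still confirmed in your IdP.

```python
import base64
import re

PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def normalize_pem_certificate(pasted):
    """Return a clean, 64-column PEM block for a pasted IdP certificate, or raise ValueError saying why."""
    text = pasted.strip()
    if not text.startswith(PEM_BEGIN) or not text.endswith(PEM_END):
        raise ValueError("missing BEGIN/END CERTIFICATE markers")
    # Drop every kind of whitespace an editor, mail client or PDF may have introduced
    b64 = re.sub(r"\s+", "", text[len(PEM_BEGIN):-len(PEM_END)])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64) or len(b64) % 4:
        raise ValueError("body is not valid base64 (stray characters, smart quotes or a truncated paste)")
    der = base64.b64decode(b64)
    # An X.509 certificate is a DER SEQUENCE (tag 0x30); check the tag and that the length agrees
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so this is not an X.509 certificate")
    if der[1] & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = der[1] & 0x7F
        declared = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:
        declared = 2 + der[1]
    if declared != len(der):
        raise ValueError(f"DER declares {declared} bytes but {len(der)} were decoded (incomplete paste?)")
    return "\n".join([PEM_BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), PEM_END])

def certificate_problem(pasted):
    """The error message for a bad paste, or None when the certificate normalizes cleanly."""
    try:
        normalize_pem_certificate(pasted)
        return None
    except ValueError as err:
        return str(err)

# Constructed stand-in for a certificate body (a DER SEQUENCE wrapping a 256-byte OCTET STRING, not a
# real X.509 certificate), pasted with the indentation and extra line breaks that break copy/paste
_DER = b"\x30\x82\x01\x04\x04\x82\x01\x00" + bytes(range(256))
_B64 = base64.b64encode(_DER).decode()
MANGLED_PASTE = "  -----BEGIN CERTIFICATE-----\r\n " + _B64[:50] + "\n\n  " + _B64[50:] + " \n-----END CERTIFICATE-----  \n"
```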
Cause: SAML claims from the IdP are overwriting Elementum user data.
Solution:
  • Claims sent by the IdP take precedence and will overwrite user-defined parameters in Elementum (such as Name, Last Name, and Job Title)
  • Update the values in your IdP user profiles instead of in Elementum
  • Verify the correct attributes are being mapped in your IdP configuration
  • Check IdP logs to confirm what values are being sent
Cause: Configuration mismatch between IdP and Elementum.
Solution: Check these common issues:
  1. URL Configuration: Ensure the ACS URL and Entity ID are not inverted or swapped
  2. Unique Identifier: Verify the unique identifier (Name ID) is set to the user’s email address
  3. Required Claims: Ensure all required claims (firstName, lastName, email) are being sent and properly formatted
  4. Clear browser cookies and try in an incognito window
  5. Check browser developer console for specific error messages
Cause: Missing or incorrectly named jobTitle attribute.
Solution:
  1. Verify the jobTitle attribute is configured in your IdP
  2. Check that the attribute name is exactly jobTitle (case-sensitive)
  3. Common mistake: Sending JobTitle instead of jobTitle
  4. Verify the IdP user profile contains job title data to send
  5. Test with a user who has a job title populated in the IdP

Getting Help

If you continue experiencing issues:
  1. Gather diagnostic information:
    • Browser console errors
    • Network tab showing SAML request/response
    • IdP logs (if available)
    • Exact error messages
  2. Contact Elementum support with:
    • Your organization name
    • Identity Provider being used
    • Steps to reproduce the issue
    • Diagnostic information collected above

Advanced Configuration

Attribute Mapping

Elementum supports these SAML attributes:
  Attribute          Required   Purpose                            Example Value
  email or NameID    Yes        User identification and matching   [email address]
  firstName          Yes*       User’s first name                  John
  lastName           Yes*       User’s last name                   Doe
  jobTitle           No         User’s job title                   Software Engineer
*Required only when Auto Create Unknown Users is enabled
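As an added example, not part of Elementum’s documentation or product: a pre-flight check in Python that reads a decoded SAML Response and reports the content problems listed under Configuration Notes and in the table above (case-sensitive attribute names, missing firstName/lastName, swapped ACS URL and Entity ID, a NameID that is not an email address, namespaced Entra ID claim names). The SP URLs are the Step 2 examples, the Response is a constructed sample, and the check does not verify the XML signature, which Elementum does.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # Okta "Name ID format: EmailAddress"
REQUIRED, OPTIONAL = ("firstName", "lastName"), ("jobTitle",)
AUDIENCE_URI = "https://se.elementum.io/api/v1/saml/metadata"  # SP values from the guide's Step 2 examples
ACS_URL = "https://se.elementum.io/api/v1/saml/callback"

def check_response(xml_text, audience_uri=AUDIENCE_URI, acs_url=ACS_URL, auto_create=True):
    """Return findings about a decoded SAML Response; [] means it matches the guide. Signature is checked by Elementum, not here."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the Elementum ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no Assertion"]
    aud = assertion.find(".//saml:Audience", NS)
    if aud is None or aud.text != audience_uri:
        findings.append("Audience does not match the SP Entity ID (ACS URL and Entity ID swapped?)")
    nid = assertion.find(".//saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT or "@" not in (nid.text or ""):
        findings.append("NameID is not the user's email address")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED + OPTIONAL:
        if name in attrs:
            continue
        near = [k for k in attrs if k.lower() == name.lower()]  # e.g. "JobTitle" sent instead of "jobTitle"
        if near:
            findings.append(f"attribute {near[0]!r} sent but Elementum expects {name!r} (case-sensitive)")
        elif name in REQUIRED and auto_create:
            findings.append(f"required attribute {name!r} missing; Auto Create Unknown Users will fail")
    # Entra ID with a claim namespace set emits a URI-style name that never matches the bare name
    findings += [f"attribute {k!r} carries a namespace; send the bare name" for k in attrs if "/" in k]
    return findings

# Constructed sample (not captured from a real IdP): URLs are right, but the job title attribute is
# sent as "JobTitle", the case mismatch the guide warns about.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://se.elementum.io/api/v1/saml/callback">
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://se.elementum.io/api/v1/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="JobTitle"><saml:AttributeValue>Engineer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Decode the Base64 SAMLResponse captured in the browser network tab and pass the XML to check_response; an empty list means the content side of the configuration matches the guide.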

IdP-Initiated vs SP-Initiated Login

SP-Initiated (default):
  • User starts at Elementum login page
  • Clicks “Sign in with SSO”
  • Redirected to IdP for authentication
IdP-Initiated:
  • User starts at IdP dashboard
  • Clicks Elementum app tile
  • Directly authenticated into Elementum
Both flows are supported. IdP-initiated login requires no additional configuration beyond the standard setup.

Summary

You’ve successfully configured SAML 2.0 SSO for Elementum:
  1. Gathered SP metadata from Elementum (ACS URL and Audience URI)
  2. Configured your IdP with Elementum as a SAML application
  3. Entered IdP details into Elementum (SSO URL, Issuer, Certificate)
  4. Tested SSO authentication with multiple users
  5. Optionally enforced SSO-only authentication
  6. Configured session management and user provisioning options
Your organization now benefits from:
  • ✅ Centralized authentication through your Identity Provider
  • ✅ Improved security with MFA support
  • ✅ Simplified user onboarding (with Auto Create enabled)
  • ✅ Consistent access control across applications
  • ✅ Automatic session timeout for inactive users
For ongoing management, remember to:
  • Monitor certificate expiration dates
  • Audit user access regularly
  • Keep IdP user assignments up to date
  • Test SSO after any IdP configuration changes