Skip to content
Karolina
Esc
navigateopen⌘Jpreview
On this page

SSO/SAML

SSO/SAML

Configure Single Sign-On for your organization.

Overview

SSO allows users to authenticate using your identity provider instead of passwords.

Supported Providers

Provider Protocol Setup Complexity
Okta SAML 2.0, OIDC Easy
Azure AD SAML 2.0, OIDC Easy
Google Workspace OIDC Very Easy
OneLogin SAML 2.0 Medium
Generic SAML SAML 2.0 Variable

Setting Up SSO

Prerequisites

  • Admin access in Karolina
  • Admin access in your IdP
  • SSL certificate for callback URL

Step 1: Configure in Karolina

  1. Go to SettingsSecuritySSO
  2. Click Configure SSO
  3. Select provider type
  4. Copy Service Provider details

Step 2: Configure in IdP

Create application/connection:

Setting Value
Entity ID https://karolina.ai/saml/{org-id}
ACS URL https://karolina.ai/api/auth/saml/callback
SLO URL https://karolina.ai/api/auth/saml/slo

Step 3: Configure Attributes

Map SAML attributes:

SAML Attribute Maps To
email Email address
firstName First name
lastName Last name
groups Role/group mapping

Step 4: Test Connection

  1. Click Test Connection
  2. Redirects to IdP
  3. Authenticate
  4. Returns to Karolina
  5. Verify success

Step 5: Enable SSO

  1. Review configuration
  2. Click Enable SSO
  3. Users now authenticate via SSO

SAML Configuration

Manual SAML Setup

For custom implementations:

<EntityDescriptor entityID="https://karolina.ai">
  <SPSSODescriptor>
    <AssertionConsumerService 
      URL="https://karolina.ai/api/auth/saml/callback"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor>
</EntityDescriptor>

Attribute Mapping

Attribute Required Description
email Yes User email (unique identifier)
firstName Yes First name
lastName Yes Last name
groups No Group memberships
department No Department

Group Mapping

Map IdP groups to Karolina roles:

IdP Group Karolina Role
CS-Admins Admin
CS-Managers Manager
CS-Team CSM
CS-Viewers Viewer

OIDC Configuration

For Google Workspace

  1. Create OAuth 2.0 client in Google Cloud
  2. Add authorized redirect URI
  3. Copy Client ID and Secret
  4. Enter in Karolina

For Azure AD

  1. Register application in Azure
  2. Configure API permissions
  3. Copy Client ID and Secret
  4. Enter in Karolina

SSO Behavior

User Login Flow

  1. User visits Karolina
  2. Redirected to SSO login
  3. User authenticates with IdP
  4. IdP redirects back to Karolina
  5. User logged in

JIT Provisioning

Auto-create users on first SSO login:

  1. Enable Just-In-Time Provisioning
  2. First login creates Karolina account
  3. User assigned default role
  4. Admin can adjust role

Just-In-Time Options

Option Behavior
Auto-create Create new users automatically
Require pre-creation Admin must create first
Match by email Match to existing user

SSO Settings

Enforcement

Setting Description
Optional SSO Users choose login method
Required SSO Only SSO login allowed
Password allowed Backup for SSO issues

Session Settings

Setting Default Description
Session Duration 8 hours How long before re-auth
Idle Timeout 30 min Inactivity logout

Troubleshooting

Issue Solution
Redirect loop Check callback URL
User not found Check JIT provisioning
Group not mapping Verify group names
Cert error Update IdP certificate
Slow login Check IdP performance

Security

Certificate Rotation

Rotate signing certificates:

  1. Add new certificate in IdP
  2. Add new certificate in Karolina
  3. Test with new cert
  4. Remove old certificate

Audit Logs

Track SSO events:

  • Login attempts
  • Failures
  • New user creation
  • Role changes

Last updated on July 14, 2026

Was this page helpful?