Single Sign-On (SSO)

Plan Restriction

Not available on the Free plan (see Pricing).

Overview

Single sign-on can be used to increase both the convenience and security of using Cluvio in your organization:

  1. Convenience: Users that already have an account on your organization's primary account management software (e.g. Google Workspace) do not need to explicitly create a Cluvio user account or contact an organization administrator to request an invitation. With SSO enabled for the user's email address in Cluvio, he or she can sign in to Cluvio with just the e-mail address or even open Cluvio from a list of available applications in your account management software. Whether the user can start using Cluvio immediately or needs to wait for admin approval depends on the SSO settings configured in Cluvio. See New Users below for further details.

  2. Security: With SSO enabled, it is no longer possible for users with SSO email addresses to sign in to Cluvio with a password. They must authenticate using the SSO identity provider configured for the user's email domain. This allows you to enforce password and other account security policies in your primary account management software (e.g. Google Workspace), thus reducing the risk of weak passwords or missing two-factor authentication on your Cluvio user accounts.

    Note that in order to immediately revoke Cluvio access of an SSO user, the user must be disabled in Cluvio; see Decommissioning Users.

    When SSO is enabled for a Cluvio user with two-factor authentication set up, Cluvio login will prompt for two-factor verification after successful SSO authentication.

You configure single sign-on in the organization admin settings. The following sections describe the main concepts behind SSO in Cluvio and contain links to detailed setup instructions for each supported identity provider.

Setup SSO

Configuring single sign-on for your organization is a straightforward process that can be completed without impacting existing users or disrupting their current sessions. Until the SSO setup is fully configured and verified — by an admin successfully logging in via SSO — your users will continue logging in as usual, with no changes to their experience. Even after the transition to SSO, the only difference for existing users will be a simplified login flow, making access even more seamless and secure.

Cluvio single sign-on is based on SAML 2.0 and available for the following identity providers. Select an identity provider for detailed setup instructions:

Verification

The final step of every SSO setup is verification, which triggers an SSO login flow for the admin user in a popup window. Verification must be completed to ensure the configuration on both Cluvio and the identity provider is functional before the SSO configuration is enabled.

A single Cluvio organization can use multiple identity providers for different e-mail domains.

Additional Identity Providers

Your organization's favorite identity provider for single sign-on is not yet supported by Cluvio? Contact support@cluvio.com to tell us about your needs. We are always happy to receive feedback and feature requests.

E-mail Domains

A Cluvio SSO configuration for an identity provider uses one or more e-mail domains. The domains determine to which users in your organization the configuration applies: If the user's email address belongs to a domain of an SSO configuration, the user is required to authenticate with the configuration's identity provider in order to use Cluvio.

Available Domains

By default, you can only configure SSO for domains for which there exists a Cluvio admin user. Contact support@cluvio.com with your requirements if you need additional domains available for SSO without having a dedicated Cluvio admin account for these domains.

The domains used across all SSO configurations in a Cluvio organization are mutually exclusive. That is, a particular domain can only be used on a single SSO configuration. Thus, for a particular user, at most one SSO configuration applies on login, according to the user's email address.

Furthermore, by default e-mail domains are not uniquely assigned to a Cluvio organization, meaning there can be more than one Cluvio organization with the same SSO e-mail domains. If a domain is not uniquely assigned to a Cluvio organization, users with SSO email addresses are not able to sign in to Cluvio for the first time via SSO by using the Cluvio login page. They can, however, directly open Cluvio from the identity provider. See New Users.

Uniquely Assigned Domains

If you would like an e-mail domain to be uniquely assigned to your Cluvio organization, please contact support@cluvio.com with the details of your request.

New Users

When you configure SSO in Cluvio, user accounts on the SSO identity provider that are granted access to the Cluvio app can open Cluvio directly from the identity provider (e.g. via Google Workspace Apps).

Furthermore, if the SSO e-mail domain is uniquely assigned to your Cluvio organization, users with e-mail addresses in this domain can sign into Cluvio directly on the Cluvio login page, without having to be invited.

In both cases, the first time a user opens Cluvio, one of the following happens, depending on the settings of your SSO configuration in Cluvio:

  • Send approval request: This is the default setting. When a new SSO user opens Cluvio, the organization admins receive an e-mail notification with a link for reviewing the Cluvio access request. You can customize the email addresses to which the request is sent, but in any case a logged-in user with an admin role is required to approve the request.

  • Auto-Join as viewer: When a new SSO user opens Cluvio, a user account is created immediately and the user is automatically logged in to Cluvio.

The following sections describe the different flows in more detail.

Approval Request

When a new user logs in to Cluvio via SSO or opens Cluvio from the identity provider, the following page is displayed:

An e-mail is sent either to all admins in your Cluvio organization or to the configured e-mail addresses on the SSO config. The e-mail looks as follows:

When an admin in your Cluvio organization clicks on Review Request, the Cluvio admin section is opened and a dialog is shown for reviewing the request:

The admin reviewing the request can choose a role and assign user groups before creating the user. Creating the user sends an e-mail to the user's email address, informing them that the access request was approved:

The link to Open Cluvio opens Cluvio in a web browser and automatically performs an SSO login for the user.

Auto-Join

Plan Restriction

Available starting on the Business plan (see Pricing).

With auto-join configured, a new Cluvio user account is automatically created in your organization when a new user successfully logs in to Cluvio via SSO for the first time. The user will always initially have the role Viewer and will be assigned the user groups configured in your SSO configuration.

This is the most convenient configuration for larger organizations, where you control access to Cluvio for your users entirely on your identity provider. If a new user is intended to be a Cluvio analyst or admin, an existing Cluvio admin is needed to update the user's role.

Decommissioning Users

When you decommission or disable a user account on your identity provider, or you revoke access to Cluvio for a user, existing Cluvio sessions of the user remain active until they expire, which can take up to 30 days. In order to revoke Cluvio access immediately, you must deactivate the user in the Cluvio user administration. Deactivating a user in Cluvio immediately terminates all of the user's active login sessions.
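
An offboarding check for the gap described above, as an added example that is not part of Cluvio's documentation or tooling: it compares an identity-provider export against a Cluvio user export and lists accounts that are disabled at the identity provider but still active in Cluvio. The CSV column names and sample rows are constructed assumptions; only the 30-day figure comes from this page.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# From this page: existing sessions can stay active for up to 30 days.
MAX_SESSION_LIFETIME = timedelta(days=30)

# Constructed sample exports; the columns are assumptions, not a real export format.
IDP_EXPORT = """email,status,disabled_at
alice@example.com,active,
bob@example.com,suspended,2024-05-01T09:00:00+00:00
carol@example.com,suspended,2024-05-10T16:30:00+00:00
dave@example.com,suspended,2024-03-01T08:00:00+00:00
"""
CLUVIO_EXPORT = """email,role,active
alice@example.com,admin,true
Bob@Example.com,viewer,true
carol@example.com,analyst,false
dave@example.com,viewer,true
"""

def load(text):
    """Index CSV rows by lower-cased e-mail so case differences do not hide a match."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def stale_accounts(idp_csv, cluvio_csv, now):
    """Return Cluvio accounts still active although the IdP account is disabled."""
    idp, cluvio = load(idp_csv), load(cluvio_csv)
    findings = []
    for email, user in sorted(cluvio.items()):
        idp_user = idp.get(email)
        # Skip accounts already deactivated in Cluvio, accounts unknown to this
        # IdP export (e.g. password users), and accounts still active at the IdP.
        if user["active"] != "true" or idp_user is None or idp_user["status"] == "active":
            continue
        # A session opened just before the IdP disable can last the full lifetime.
        worst_case_expiry = datetime.fromisoformat(idp_user["disabled_at"]) + MAX_SESSION_LIFETIME
        findings.append({
            "email": email,
            "role": user["role"],
            "session_may_be_live": now < worst_case_expiry,
            "worst_case_expiry": worst_case_expiry,
        })
    return findings

if __name__ == "__main__":
    for f in stale_accounts(IDP_EXPORT, CLUVIO_EXPORT, datetime.now(timezone.utc)):
        print(f["email"], f["role"], "session may be live:", f["session_may_be_live"])
```

Every account the check returns still needs to be deactivated in the Cluvio user administration; those with `session_may_be_live` set are the ones where a session could still be in use.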

Edit SSO

To edit an existing SSO configuration, open the drop-down menu next to the SSO configuration in the SSO organization admin section.

Settings

In the SSO settings you configure the e-mail domains as well as the strategy for handling new users.

Reconfigure

If you need to inspect or edit the SAML metadata used by an existing SSO configuration, e.g. to update certificates, select Reconfigure in the drop-down menu. See the provider-specific details on reconfiguration:

Delete

To delete an SSO configuration, select Delete in the configuration's drop-down menu. For additional security, deletion of an SSO configuration requires confirmation and re-authentication of your current Cluvio session:

  • If your Cluvio user account uses an SSO email address, you will be prompted to confirm deletion. When confirmed, a popup opens that performs verification with the identity provider responsible for your Cluvio user account. If your session with the identity provider has expired, you may be prompted to re-authenticate. When successful, the popup closes automatically and the SSO config is deleted.

  • Otherwise you are prompted to confirm deletion with your Cluvio password.

When an SSO config is deleted, Cluvio users with SSO email addresses previously handled by the deleted configuration must use a password to log in when the existing Cluvio session expires. If such a Cluvio user does not have a password because the user account did not exist before the deleted SSO configuration was initially set up, the user must perform Account Recovery.