Setup Guide

SAML Single Sign-On

Configure SAML 2.0 SSO for Cremit Argus. It works with Okta, Azure AD, Google Workspace, OneLogin, Ping, JumpCloud, and any SAML 2.0-compliant IdP. Both SP-initiated and IdP-initiated flows are supported.

About this guide

This guide walks you through the complete setup process. Expected completion time: 5-10 minutes.

Overview

SAML Single Sign-On lets your users authenticate to Argus through your existing identity provider. It supports SP-initiated and IdP-initiated flows, SHA-256 signing, and per-email-domain routing so multiple IdPs can coexist in one Argus tenant.

Prerequisites

  • Argus Enterprise plan
  • Admin access to your IdP (Okta, Azure AD, Google Workspace, OneLogin, Ping, JumpCloud, or any SAML 2.0 IdP)
  • The IdP's metadata XML, or its Entity ID + SSO URL + signing certificate

Step-by-Step Setup

Step 1: Open Add SAML Provider in Argus

  • Argus > Enterprise > SSO > Add SAML Provider
  • Enter a unique Provider ID such as 'company-okta' or 'partner-google'
  • Argus generates the SP values: ACS URL (https://argus.cremit.io/api/auth/sso/saml2/callback/{provider-id}) and Entity ID (https://argus.cremit.io)

Step 2: Create the SAML app in your IdP

The SP values from Step 1 go into your IdP's configuration.

  • ACS URL / Reply URL: paste the value Argus generated
  • Entity ID / SP Entity ID: https://argus.cremit.io
  • NameID format: emailAddress
  • Signature algorithm: SHA-256
  • Optional attribute mapping: firstName, lastName, displayName (email comes from NameID)

Step 3: Return IdP metadata to Argus

  • Download IdP metadata XML from your IdP, or copy the IdP Entity ID, SSO URL, and x509 signing certificate
  • Back in Argus, either paste the metadata XML or fill in the IdP fields individually
  • Set the Email Domain that routes to this provider (for example, `company.com`)

Step 4: Test and enable

  • Click Test Login; Argus opens a new tab and runs through an SP-initiated SAML flow
  • Resolve any issues shown in the test result
  • Once the test succeeds, save the provider and flip it to Active

Verification

To confirm the integration is configured correctly:

  • Test Login completes with an Argus session
  • The expected email domain routes to the correct provider on the login page
  • SAML assertions are accepted with SHA-256 signatures and valid NotBefore/NotOnOrAfter times
  • Audit logs show SAML-Signed login events with the expected Subject

Troubleshooting

Issue: 'Invalid signature' on the Argus callback.

  • Solution: The x509 certificate in Argus does not match what the IdP signs with. Re-upload the current signing certificate from your IdP, especially after any IdP certificate rotation.

Issue: Test Login fails with 'Clock drift too large.'

  • Solution: Argus allows up to 2 minutes of clock skew on SAML assertions. Sync your IdP server time (NTP) or shorten the SessionNotOnOrAfter lifetime on the IdP side.
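
When Test Login fails, it helps to check the SAMLResponse the IdP actually sent against the values from Step 2 and the 2-minute skew window. The following is an added example, not Cremit's code: `check_response`, `sample` and the sample user are constructed for illustration, and the script inspects configuration only; it does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://argus.cremit.io"  # SP values from Step 1 of the guide
ACS_PREFIX = "https://argus.cremit.io/api/auth/sso/saml2/callback/"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}
SKEW = timedelta(minutes=2)  # clock-skew allowance stated in the guide

def _ts(value):  # SAML instants are UTC xs:dateTime values ending in "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(b64_response, provider_id, now=None):
    """List setup problems in a base64 SAMLResponse. Does NOT verify the signature."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("a:Assertion", NS)
    if a is None:
        return ["no unencrypted Assertion in the response"]
    problems = []
    aud = a.findtext("a:Conditions/a:AudienceRestriction/a:Audience", "", NS).strip()
    if aud != SP_ENTITY_ID:
        problems.append(f"Audience {aud!r} is not {SP_ENTITY_ID!r}")
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_PREFIX + provider_id:
        problems.append("Recipient is not the ACS URL for this provider id")
    nid = a.find("a:Subject/a:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    algs = [m.get("Algorithm") for m in root.iter("{http://www.w3.org/2000/09/xmldsig#}SignatureMethod")]
    if not algs or any(alg not in SHA256_ALGS for alg in algs):
        problems.append(f"signature method is not SHA-256: {algs}")
    times = getattr(a.find("a:Conditions", NS), "attrib", {})
    if "NotBefore" in times and _ts(times["NotBefore"]) > now + SKEW:
        problems.append("NotBefore is in the future beyond the 2-minute skew")
    if "NotOnOrAfter" in times and _ts(times["NotOnOrAfter"]) <= now - SKEW:
        problems.append("NotOnOrAfter has passed beyond the 2-minute skew")
    return problems

def sample(not_before, not_on_or_after, alg):  # constructed, unsigned test input
    xml = f"""<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><Assertion xmlns="{NS['a']}">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><SignatureMethod Algorithm="{alg}"/>
</SignedInfo></Signature><Subject><NameID Format="{EMAIL_FMT}">user@company.com</NameID>
<SubjectConfirmation><SubjectConfirmationData Recipient="{ACS_PREFIX}company-okta"/>
</SubjectConfirmation></Subject><Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
<AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction></Conditions></Assertion></Response>"""
    return base64.b64encode(xml.encode()).decode()
```

Pass the `SAMLResponse` form value captured from the browser during Test Login together with your Provider ID; an empty list means the assertion carries the expected Audience, Recipient, NameID format, signature method and validity window.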

Key Benefits

  • Works with any SAML 2.0-compliant IdP; no vendor lock-in
  • Per-domain routing lets multiple IdPs coexist in one Argus tenant
  • SP-initiated and IdP-initiated flows both supported
  • Test Login catches configuration mistakes before end users see them