
SAML Single Sign-On

Authenticate users through your SAML 2.0 IdP (Okta, Azure AD, Google Workspace, Ping, etc.).

Key Features

  • SP-initiated and IdP-initiated flows
  • SHA-256 signature algorithm
  • NameID format: emailAddress
  • Per-email-domain provider routing (multi-IdP in one tenant)
  • Auto-provisioning on first login (optional)

Requirements

  • SAML 2.0-compliant IdP (Okta, Azure AD, Google Workspace, etc.)
  • IdP metadata XML or IdP Entity ID + SSO URL + signing certificate
  • Cremit Argus Enterprise plan

Setup Time: 15 min

Step-by-step setup guide

The exact flow you follow inside the dashboard.

Overview

SAML Single Sign-On lets your users authenticate to Argus through your existing identity provider. Supports SP-initiated and IdP-initiated flows, SHA-256 signing, and per-email-domain routing so multiple IdPs can coexist in one Argus tenant.

Prerequisites

  • Argus Enterprise plan
  • Admin access to your IdP (Okta, Azure AD, Google Workspace, OneLogin, Ping, JumpCloud, or any SAML 2.0 IdP)
  • The IdP's metadata XML, or its Entity ID + SSO URL + signing certificate

Step-by-Step Setup

Step 1: Open Add SAML Provider in Argus

  • Argus > Enterprise > SSO > Add SAML Provider
  • Enter a unique Provider ID such as 'company-okta' or 'partner-google'
  • Argus generates the SP values: ACS URL (https://argus.cremit.io/api/auth/sso/saml2/callback/{provider-id}) and Entity ID (https://argus.cremit.io)

Step 2: Create the SAML app in your IdP

The SP values from Step 1 go into your IdP's configuration.

  • ACS URL / Reply URL: paste the value Argus generated
  • Entity ID / SP Entity ID: https://argus.cremit.io
  • NameID format: emailAddress
  • Signature algorithm: SHA-256
  • Optional attribute mapping: firstName, lastName, displayName (email comes from NameID)

Step 3: Return IdP metadata to Argus

  • Download IdP metadata XML from your IdP, or copy the IdP Entity ID, SSO URL, and x509 signing certificate
  • Back in Argus, either paste the metadata XML or fill in the IdP fields individually
  • Set the Email Domain that routes to this provider (for example, `company.com`)

Step 4: Test and enable

  • Click Test Login; Argus opens a new tab and runs through an SP-initiated SAML flow
  • Resolve any issues shown in the test result
  • Once the test succeeds, save the provider and flip it to Active

Verification

To confirm the integration is configured correctly:

  • Test Login completes with an Argus session
  • The expected email domain routes to the correct provider on the login page
  • SAML assertions are accepted with SHA-256 signatures and valid NotBefore/NotOnOrAfter times
  • Audit logs show SAML-Signed login events with the expected Subject

Troubleshooting

Issue: 'Invalid signature' on the Argus callback.

  • Solution: The x509 certificate in Argus does not match what the IdP signs with. Re-upload the current signing certificate from your IdP, especially after any IdP certificate rotation.

Issue: Test Login fails with 'Clock drift too large.'

  • Solution: Argus allows up to 2 minutes of clock skew on SAML assertions. Sync your IdP server time (NTP) or shorten the SessionNotOnOrAfter lifetime on the IdP side.
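
The Verification and Troubleshooting items above can be checked offline against an assertion captured from your own IdP. The following is an added example, not Cremit's code: a configuration triage aid that reads declared values and does not verify the signature. The `triage` function, the sample assertion, and the way the 2-minute skew is applied are assumptions, as is the expectation that the IdP emits the ACS URL as `Recipient` and the Entity ID as `Audience`.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}
SKEW = timedelta(minutes=2)  # allowance from the page; how Argus applies it is assumed

def _ts(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2026-01-01T12:00:00Z
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def triage(xml_text, entity_id, acs_url, now):
    """Return configuration findings; an empty list means all checks passed.
    Reads declared values only: it does NOT verify the XML signature."""
    root = ET.fromstring(xml_text)  # feed it only assertions from your own IdP
    findings = []
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") not in SHA256_ALGS:
        findings.append("signature algorithm is not SHA-256")
    cond = root.find(".//saml:Conditions", NS)
    window = cond.attrib if cond is not None else {}
    if "NotBefore" in window and now + SKEW < _ts(window["NotBefore"]):
        findings.append("not yet valid: NotBefore is beyond the skew allowance")
    if "NotOnOrAfter" in window and now - SKEW >= _ts(window["NotOnOrAfter"]):
        findings.append("expired: NotOnOrAfter is beyond the skew allowance")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        findings.append("Audience does not contain the SP Entity ID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("Recipient does not match the ACS URL")
    return findings

# Constructed sample assertion (signature value omitted; not captured from a real IdP)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@company.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://argus.cremit.io/api/auth/sso/saml2/callback/company-okta"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2026-01-01T12:00:00Z" NotOnOrAfter="2026-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://argus.cremit.io</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

Call `triage(SAMPLE, "https://argus.cremit.io", acs_url, datetime.now(timezone.utc))` with your own provider's ACS URL; a clean result still leaves signature validation to Argus's Test Login.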

Key Benefits

  • Works with any SAML 2.0-compliant IdP; no vendor lock-in
  • Per-domain routing lets multiple IdPs coexist in one Argus tenant
  • SP-initiated and IdP-initiated flows both supported
  • Test Login catches configuration mistakes before end users see them
