SAML single sign-on (SSO) gives users access to Crowdin Enterprise through an identity provider (IDP) of your choice.
SAML single sign-on is available only for the Business subscription plan
on Crowdin Enterprise.
The benefits of SAML authentication include:
Standardization: SAML is a standard format that allows seamless interoperability between systems, independent of implementation.
Improved user experience: Users can access Crowdin Enterprise using your organization’s identity provider without additional authentication, allowing them to use only one set of login details.
Increased security: SAML is a security standard for logging into applications, which provides a single point of authentication, keeping user credentials within the firewall boundary.
Configure your identity provider
To get started, you’ll need to set up a connection (or connector) for Crowdin Enterprise with your IDP (for example, Auth0, Google Workspace (SAML), Okta, and others).
Set up SAML SSO for Crowdin Enterprise
Once you configured your identity provider, an Organization admin can enable the SAML SSO feature in Crowdin Enterprise Organization Settings.
- You can find Organization Settings under the user icon in the top menu bar.
- Switch to the Authentication page on the left menu bar and click on the SAML authentication method at the bottom of the page.
- Paste your credentials from your IDP and click Save.
- Take the credentials from the SAML Single Sign-On page and paste them into the IDP settings.
- Set the preferred configurations in the Settings and Advanced options sections depending on the configurations on the IDP side and click Save.
- Go back to the Authentication page and enable the SAML authentication method.
- As a result, on the login page, users will be able to use SAML for logging into your Crowdin Enterprise organization.
The SAML Settings section provides you with different options that let you fine-tune your SAML behavior.
- Provider name – the name of the SAML authentication method that will be displayed on your Crowdin Enterprise login page.
- Update member accounts at each login – select whether you’d like the configured account attributes to be synced from IDP at each login of the organization member. These attributes are synced from IDP during the account creation.
To use this option, make sure to configure SAML Attributes
- Enforce SAML – select whether organization members with emails on the domains configured in the Email domains can use only SAML SSO to log in.
- Restrict members to change their account email – select whether you’d like to restrict members to change their Crowdin Enterprise emails.
- Email domains – email domains related to organization members that use SAML SSO to log in.
- Enable SLO – select whether organization members should be logged out of IDP when logging out of your Crowdin Enterprise organization.
SAML Advanced Options
- AuthnContextClassRef – authentication method used in SAML request. By default, it’s authentication via username and password over a protected session.
- Service Provider Issuer – globally unique name for a Crowdin Enterprise Service Provider. By default, it’s your organization’s SAML metadata URL.
- Sign AuthRequest – select whether to sign the authorization request to your IDP.
The following options allow you to choose how the SAML response from your IDP is signed. Use at least one option.
- Responses signed - Indicates a requirement for the SAML Responses received by Crowdin Enterprise to be signed.
- Assertions signed - Indicates a requirement for the SAML Assertions received by Crowdin Enterprise to be signed.
Mapping SAML Attributes
You can map attributes in the IDP response to user attributes used in Crowdin Enterprise. See the available attributes in the following table.
Description: The first name of the user stored on the IDP.
Description: The last name of the user stored on the IDP.
Description: The timezone of the user.
Description: The absolute URL to user's profile picture.
What you get when SAML SSO is enabled
Any users already logged in after you’ve set up and enabled the SAML SSO will remain logged in. Further on, users that chose SAML as their login method will log into your Crowdin Enterprise organization with their IDP account. If there is no account for some user in your organization, an account will be created automatically during the login process into your Crowdin Enterprise organization.