Adding Single Sign-On (SSO) to Your Criteria Account

Updated by Sean Welch

Criteria provides your users with the ability to sign in via Single Sign-On (SSO). We are able to integrate with any SAML 2.0-compliant IdP.

With SSO enabled, your users will be able to sign into your organization’s Criteria account through the identity provider (IdP) of your choice.

Please note that Single Sign-On is only available for customers using the Criteria Enterprise Platform. To confirm you are on the right platform or to discuss upgrading, please contact your Customer Success Manager.

Enabling the SSO Integration

This process requires admin access to your chosen IdP. If you do not have IdP admin access, these instructions can be sent to the technical team that does (e.g., IT, Cyber Security, Network admin).

Setting up your SSO with Criteria involves just four steps:

  1. Configure your IdP.
  2. Send the Metadata file to Criteria.
  3. Criteria soft-enables the integration. 
  4. SSO integration is hard-enabled. 

1. Configure your IdP

You or your IdP admin will configure your IdP as per the instructions listed below. We offer setup guides for the following IdPs:

2. Send the Metadata file to Criteria

Once you or your IdP admin has configured your IdP, you will need to email your Metadata file to our Support Team.

3. Criteria soft-enables the integration 

Initially, we will soft-enable SSO for your Criteria account. We will provide you with a custom login URL, which will include a "login with <SSO Provider>" button. This lets you authenticate through your SSO provider.

While SSO is soft-enabled, your users can test that SSO is working and still retain access with their Criteria account login credentials (email and password).

If you have any queries regarding this step in the process, or would like some assistance with troubleshooting any problems, please reach out to our Support team for assistance. 

4. SSO integration is hard-enabled

Once you're satisfied that the SSO is functioning correctly, please advise our team. We will then hard-enable the SSO. At this point, your users will only be able to log in via SSO, with admin users retaining both Criteria account login and SSO access.

Provisioning New Users: If you assign a user access to Criteria in your IdP but they don’t exist in your Criteria account, when they log in via your company’s unique URL, a new Criteria user account will be created for them. This new account will come with the User Access Role by default. As an admin, you can edit this user later to change their access to other parts of Criteria.

Deactivating Users: Our SSO implementation does not currently support SCIM. This means that when a user is deactivated in your IdP, while they will no longer be able to access Criteria if your account has SSO hard-enabled, their Criteria account is not automatically deactivated. We recommend deactivating the user in Criteria as well.
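
Because deactivation is not synchronized, a periodic reconciliation can list the Criteria accounts that still need to be deactivated by hand. The script below is an added example, not Criteria's code: the two CSV exports, their column names, and the `Admin` role value are assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample exports. Column names and role values are assumptions
# for this example, not a documented Criteria or IdP export format.
IDP_EXPORT = """email,status
alice@example.com,active
bob@example.com,deactivated
carol@example.com,active
erin@example.com,deactivated
"""

CRITERIA_EXPORT = """email,role,status
Alice@example.com,Admin,active
bob@example.com,User,active
dave@example.com,User,active
erin@example.com,Admin,active
frank@example.com,User,inactive
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_accounts(idp_csv, criteria_csv):
    """Return active Criteria accounts with no active IdP user behind them."""
    idp_active = {r["email"].strip().lower() for r in _rows(idp_csv)
                  if r["status"].strip().lower() == "active"}
    stale = []
    for r in _rows(criteria_csv):
        email = r["email"].strip().lower()  # compare case-insensitively
        if r["status"].strip().lower() != "active" or email in idp_active:
            continue
        # With SSO hard-enabled, admins keep email/password login.
        is_admin = r["role"].strip().lower() == "admin"
        stale.append({"email": email, "role": r["role"].strip(),
                      "password_login": is_admin})
    # Admins first: SSO being blocked at the IdP does not lock them out.
    stale.sort(key=lambda a: (not a["password_login"], a["email"]))
    return stale


if __name__ == "__main__":
    for acct in find_stale_accounts(IDP_EXPORT, CRITERIA_EXPORT):
        note = "keeps password login" if acct["password_login"] else "SSO only"
        print(f"deactivate in Criteria: {acct['email']} ({acct['role']}, {note})")
```

Accounts missing from the IdP export entirely are reported alongside deactivated ones, since neither has an active IdP identity behind it.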
