Skip to main content

Configure single sign-on (SSO) at an organization level

For on-premises customers, single sign-on can be configured at a system level. For hosted customers, Contrast Security configures authentication; however, an Organization Administrator may be granted permissions to set up SSO for their organization.


If users are identified with a user ID rather than an email address, those accounts don’t automatically transfer over to the SSO configuration and must be recreated.

  1. Under organization settings, select Single-sign-on and click the link to Get started.

  2. You may receive a warning window regarding the implications of changing authentication. Please read it carefully before proceeding.

  3. Use the provided information to set up Contrast with your IdP.

  4. Provide a name for your IdP as well as the associated metadata to connect to Contrast.

  5. If you want to automatically create new user accounts when someone make a SAML request to log in to Contrast, check the box to Enable user provisioning.

    • Use the dropdowns to choose the Default organization role and Default application access group for the new users.

    • Add the Accepted domains that must be used to trigger user provisioning (for example,

  6. Click Test connection button to test the configuration. If an error occurs, Contrast provides a debug log for troubleshooting. (This test only validates the metadata and Contrast's ability to connect to the IdP.)

  7. Once the test is successful, select Save.

  8. Open a new browser window, private browsing session or incognito window, and attempt the SSO login with your account. If you're unsuccessful, go back to the browser in which you're still logged in, disable SSO for the organization and then select Revert to Contrast-managed authentication and confirm the change.

See also

outline_open_in_new_black_24dp.pngConfiguring user and group provisioning with Okta

outline_open_in_new_black_24dp.pngConfiguring ADFS to automatically add users to groups