SAML provisioning
With Just-in-Time provisioning, you can use a SAML assertion to create users on the fly the first time they try to log in to Cloudinary, eliminating the need to create Cloudinary user accounts in advance. Just-in-Time provisioning works with your SAML-compliant identity provider to pass the correct user information to Cloudinary in a SAML 2.0 assertion. You can both create and modify accounts this way. The Just-in-Time provisioning uses SAML to communicate, so your organization must have SAML-based single sign-on enabled.
Considerations for SAML provisioning with Cloudinary
- A new SAML user is not sent an email inviting them to set a password.
- All users' names and sources are available via the Management Console's Users management page. The Management Console UI can also be used for reviewing and updating auto-provisioned user accounts, except for password related fields and options.
- If a user had an account in Cloudinary before the SAML integration and uses the same email in your IdP, the user will now log in through the IdP but will continue to use the same account in Cloudinary.
- Cloudinary uses the username field as a unique immutable ID for creating a new user in your Cloudinary account. If any supplied attributes change (including possibly the user email, groups and sub-accounts' associations), the user account details will be updated accordingly. This means you should use a unique value for the 'username' field (e.g., if you use the user's email as a username you won't be able to update their email address using a SAML assertion in the future).
- A Cloudinary account can simultaneously allow both access through SSO using SAML or by using the credentials from Cloudinary (email and password as provisioned via Management Console or the Provisioning API). To require all users to log in through SAML, set the Enforce SAML login setting in account settings.
When a user no longer needs access to Cloudinary you should remove them from the application access list in the IdP. This will ensure that they cannot log in anymore, but this user will continue to have an account in Cloudinary, which may take up one user license. If this user is not expected to use Cloudinary in the future, you must also delete the user from Cloudinary via the Management Console in order to free the user license.
Similarly, groups and sub-accounts are not deleted, but the user can be de-associated with groups and sub-accounts on an IdP update. Groups and sub-accounts permissions and settings are managed in the Management Console.
Enabling SAML login entails the following two procedures:
Add Cloudinary as an application to your IdP
To add a Cloudinary-SAML application to your identity provider (IdP):
- Create a new SAML 2.0 Web application (e.g., in the Okta Admin console, select Applications from the Applications menu, click Add Application and then Create New App, select Web as the Platform and SAML 2.0 as the Sign on method).
- Give your app a name (e.g., Cloudinary), and then optionally select a logo and visibility options (you can download a Cloudinary logo from our brand assets page).
- Configure SAML settings as follows:
Federate Okta user profile field values to Cloudinary SAML attributes. These are fields and values that Cloudinary expects to receive for each user. Add an attribute statement for the following SAML Assertion Fields, including their corresponding values:
Optionally add Feedback and click Finish when done.
Configure SAML provisioning in Cloudinary
In order to configure your Cloudinary account to use the SAML application you have set up, you will need to supply your application's Identity Provider Metadata, either as a URL to the file (of the form: https://<orgname>.okta.com/app/<random_string>/sso/saml/metadata
), or by copy/pasting the data itself (in Okta you can find the URL and metadata by clicking the Identity Provider Metadata link on the Sign On tab of your application's settings).
In the Cloudinary Management Console for your account, access the Users tab and configure the SAML login fields as follows:
- To set a URL: Select URL as the Metadata retrieval method and add the URL to the SAML metadata URL box.
- To use metadata: Select Inline as the Metadata retrieval method and then copy/paste the metadata XML into the SAML metadata field.
Decide whether to Enforce SAML login by selecting Enabled. Make sure to first test your new SAML application before changing this setting.
Make sure Two-factor authentication (2FA) is Disabled (configure your two-factor authentication through your IdP if required).
Click the Save button at the bottom of the page.
Appendix - Error handling
On a failed log-in to Cloudinary, SAML errors are returned to the user's browser in the response body of a 400 error. The response includes an Error Code and Description where possible.
Error | Description |
---|---|
1 | USER_CREATION_ERROR |
2 | MISSING_ACCOUNT_ID |
3 | INVALID_ACCOUNT_ID |
4 | MISSING_FIRST_NAME |
5 | MISSING_EMAIL |
6 | INVALID_EMAIL_ADDRESS |
7 | ROLE_LOOKUP_ERROR |
8 | INVALID_SUBACCOUNT_IDENTIFIER |
9 | LICENSE_LIMIT_EXCEEDED |
10 | USER_UPDATE_ERROR |
11 | PROVISIONING_NOT_ALLOWED |
12 | USER_ACCOUNT_MISMATCH |
13 | USER_GROUP_CREATION_ERROR |
14 | INVALID_NAME_ID |
15 | SAML_VALIDATION_FAILED |
16 | INVALID_SAML_RESPONSE |