Overview
Single Sign-On (SSO) allows your users to log in to Sysarb using your organisation's existing Identity Provider (IdP), such as Microsoft Entra or Okta, rather than a separate Sysarb username and password. Once SSO is enabled, it becomes the only way to log in to Sysarb — password-based login is disabled.
SSO is required if you are setting up SCIM for automated user provisioning. It is also recommended for any organisation that wants centralised access control and a consistent login experience across tools.
Before you begin
You have an Identity Provider (e.g. Microsoft Entra, Okta, or another SAML 2.0-compatible IdP)
Your IT support or IAM contact is available to assist, because part of the configuration is done on the IdP side and requires IT involvement
You have administrator access in Sysarb
⚠️ Important: Enabling SSO with incomplete or incorrect settings will block all users from logging in — including you. Make these settings in collaboration with your IT department, and verify that the configuration is correct before enabling. If SSO is activated before setup is complete, contact [email protected] immediately — support can help disable it.
How SSO works in Sysarb
Sysarb uses SAML 2.0 for SSO. The setup requires an exchange of metadata between Sysarb (the Service Provider, SP) and your IdP:
You provide your IdP's metadata to Sysarb — either by uploading an XML file or entering the details manually
You provide Sysarb's SP metadata to your IdP — either by downloading an XML file or copying the values manually
Once both sides are configured and verified, SSO can be enabled
Setup steps
The SSO setup is done in Sysarb under Settings → System → Single sign-on.
Step 1 — Provide your IdP metadata to Sysarb
In the Your IdP data section, choose one of two options:
Option 1 — Upload your IdP metadata file: Click Choose file and upload the XML metadata file exported from your IdP. This automatically fills in the required fields.
Option 2 — Enter your IdP metadata manually: If your IdP does not provide an XML export, fill in the following fields directly:
Entry point — the SSO login URL from your IdP
Certificate — the IdP's public certificate used to verify authentication responses
Your IT/IAM resource will need to provide these values from your IdP configuration.
Note: The fields are read-only by default. Click Edit (bottom right of the Your IdP data section) to enter edit mode before making any changes.
Step 2 — Provide Sysarb's SP metadata to your IdP
In the Our SP data section, choose one of two options:
Option 1 — Download SP metadata file: Click Download SP metadata and send the XML file to your IT/IAM resource. They upload it to your IdP to complete the connection.
Option 2 — Enter SP metadata manually in your IdP: If your IdP does not support XML upload, your IT/IAM resource can enter the values directly. The following fields are available in the Our SP data section in Sysarb, and are unique to your organisation:
Assertion Consumer Service (ACS) URL
Entity ID
Direct login link
Copy these values from your own Sysarb instance and share them with your IT/IAM resource.
Step 3 — Verify the configuration with your IT/IAM resource
Before enabling SSO, confirm with your IT/IAM resource that:
The SP metadata has been uploaded or entered in the IdP
A test login via SSO has been verified to work correctly
Step 4 — Enable SSO
Once both sides are configured and tested, toggle Enable single sign-on at the top of the page. From this point on, all users must log in via SSO. Password-based login is no longer available.
Responsibilities overview
SSO configuration in Sysarb (steps 1–2) | Customer | Sysarb support or customer success |
IdP configuration and SP metadata upload | Customer IT / IAM | IdP provider |
Testing SSO login before enabling | Customer + IT / IAM | Sysarb support or customer success |
Enabling SSO in Sysarb | Customer | Sysarb support or customer success |
Disabling SSO if activated in error | Customer | Sysarb support or customer success |
Troubleshooting
Login fails after enabling | SP metadata not uploaded to IdP, or metadata mismatch | Verify SP metadata is correctly uploaded in your IdP and matches the values in Sysarb |
All users locked out | SSO enabled before configuration was verified | Contact Sysarb support or customer success immediately |
IdP metadata fields not populating from XML | XML file format not recognised | Try entering the fields manually (Entry point and Certificate) |
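If the XML upload leaves the fields empty, the two values Step 1 asks for can be read directly from the IdP metadata file. The following is an added example, not Sysarb code: it extracts the Entry point and the signing Certificate from SAML 2.0 IdP metadata and computes the certificate's SHA-256 digest. The sample metadata, idp.example.com, the function name manual_entry_values and the preference for the HTTP-Redirect binding are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: idp.example.com and the certificate bytes are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXIt
      Y2VydGlmaWNhdGU=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDINGS}HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def manual_entry_values(metadata_xml):
    """Extract the Entry point and Certificate to type into 'Your IdP data'."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    services = idp.findall("md:SingleSignOnService", NS)
    if not services:
        raise ValueError("no SingleSignOnService endpoint in metadata")
    # Assumption: prefer HTTP-Redirect; confirm the expected binding with Sysarb.
    chosen = next((s for s in services
                   if s.get("Binding") == BINDINGS + "HTTP-Redirect"), services[0])
    entry_point = chosen.get("Location", "")
    # Keep signing keys only; a KeyDescriptor without 'use' serves both purposes.
    certs = ["".join((c.text or "").split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    digest = hashlib.sha256(base64.b64decode(certs[0], validate=True)).hexdigest()
    warnings = [] if entry_point.startswith("https://") else ["entry point is not HTTPS"]
    if len(certs) > 1:
        warnings.append("several signing certificates: confirm which one is active")
    return {"entry_point": entry_point, "certificate": certs[0],
            "sha256": digest, "warnings": warnings}
```

The sha256 value is the digest of the decoded certificate, so your IT/IAM resource can compare it with the same digest computed from the certificate exported from the IdP before SSO is enabled.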
Support
Reach Sysarb at [email protected] or directly in the interface. If you are in an active implementation, your customer success contact is also available to help.
For questions about configuring your IdP, contact your IT support or IdP provider.