Let your team sign in to ChartPull using your company’s existing identity provider. One password, central control, and automatic provisioning.
SSO / SAML requires the Integrations add-on. It is available during your 14-day trial.
Single Sign-On (SSO) means your team members sign in to ChartPull using the same credentials they use for other work applications. Instead of creating a separate ChartPull password, they authenticate through your company’s identity provider (IdP) — such as Okta, Azure Active Directory, or Google Workspace.
ChartPull implements SAML 2.0 using the @node-saml/node-saml library. Three main benefits of SSO:
Setting up SAML requires exchanging configuration between ChartPull (the Service Provider) and your identity provider. Here are the five values involved:
| Value | Who provides it | Description |
|---|---|---|
| IdP Entity ID | Your IdP | A unique identifier for your identity provider (usually a URL) |
| SSO URL | Your IdP | The endpoint where ChartPull redirects users to sign in |
| X.509 Certificate | Your IdP | The public certificate ChartPull uses to verify SAML assertion signatures |
| SP Entity ID | ChartPull | ChartPull’s unique identifier — shown on the SSO settings page |
| ACS URL | ChartPull | The callback URL where your IdP sends the SAML assertion after login |
ChartPull supports any identity provider that speaks SAML 2.0. This includes:
Okta
Most popular enterprise IdP. Full setup guide below.
Azure Active Directory
Microsoft's cloud identity service. Also called Entra ID.
Google Workspace
Use Google as both your directory source and your SSO provider.
OneLogin
Cloud-based identity and access management.
JumpCloud
Directory and SSO platform for hybrid environments.
Any SAML 2.0 IdP
If your provider supports SAML 2.0, it will work with ChartPull.
When a user tries to sign in to ChartPull with SSO enabled, here is what happens behind the scenes:
User visits ChartPull
The user goes to chartpull.com and clicks "Sign in." Because SSO is enabled for their domain, ChartPull redirects them to your identity provider instead of showing a password form.
IdP authenticates the user
Your identity provider (e.g. Okta) shows its login page. The user enters their company credentials or, if they are already signed in to the IdP, they are passed through automatically.
IdP sends a SAML assertion
After successful authentication, the IdP sends a digitally signed SAML assertion back to ChartPull. This assertion contains the user's email, name, and any group memberships you have configured.
ChartPull creates a session
ChartPull verifies the SAML assertion signature, extracts the user information, and creates a session. If this is a new user, ChartPull auto-creates their account as a viewer. The user is now signed in.
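The checks that normally accompany signature verification in the last step tie the assertion back to the configured values from the table above. This is an added example, not ChartPull's or node-saml's code. The field names, URLs and clock-skew tolerance are constructed assumptions, and the input stands for an assertion whose signature has already been verified.

```javascript
// Added illustration. Input is an assertion whose XML signature has ALREADY
// been verified with the IdP's X.509 certificate; all values are constructed.
const spConfig = {
  idpEntityId: "https://idp.example.com/saml", // IdP Entity ID (placeholder)
  spEntityId: "https://sp.example.com",        // SP Entity ID (placeholder)
  acsUrl: "https://sp.example.com/saml/acs",   // ACS URL (placeholder)
  clockSkewMs: 60000,                          // assumed tolerance
};

const sampleAssertion = {
  issuer: "https://idp.example.com/saml",
  audiences: ["https://sp.example.com"],
  recipient: "https://sp.example.com/saml/acs",
  notBefore: "2024-01-01T11:59:00Z",
  notOnOrAfter: "2024-01-01T12:05:00Z",
  inResponseTo: null, // absent in an IdP-initiated (unsolicited) response
  email: "pat@example.com",
};

// expectedRequestId: ID of the AuthnRequest sent in an SP-initiated flow,
// or null when the login started at the IdP.
function validateAssertion(a, cfg, now, expectedRequestId = null) {
  const errors = [];
  if (a.issuer !== cfg.idpEntityId) errors.push("issuer_mismatch");
  if (!Array.isArray(a.audiences) || !a.audiences.includes(cfg.spEntityId)) {
    errors.push("audience_mismatch");
  }
  if (a.recipient !== cfg.acsUrl) errors.push("recipient_mismatch");
  const nb = Date.parse(a.notBefore);
  const noa = Date.parse(a.notOnOrAfter);
  if (Number.isNaN(nb) || Number.isNaN(noa)) {
    errors.push("bad_validity_window");
  } else {
    if (now + cfg.clockSkewMs < nb) errors.push("not_yet_valid");
    if (now - cfg.clockSkewMs >= noa) errors.push("expired");
  }
  if ((a.inResponseTo || null) !== expectedRequestId) {
    errors.push("in_response_to_mismatch");
  }
  if (typeof a.email !== "string" || !/^[^@\s]+@[^@\s]+$/.test(a.email)) {
    errors.push("missing_email");
  }
  return { ok: errors.length === 0, errors };
}
```

Each error code corresponds to one of the exchanged values: a wrong IdP Entity ID, SP Entity ID or ACS URL on either side shows up as an issuer, audience or recipient mismatch.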
SP-initiated vs IdP-initiated
ChartPull supports both SP-initiated SSO (user starts at chartpull.com) and IdP-initiated SSO (user clicks the ChartPull app in their Okta/Azure dashboard). Both flows work the same way.
Navigate to SSO settings
Go to Admin > SSO / SAML in the sidebar. Only the super_admin can access this page.
Enter your IdP details
Paste in the IdP Entity ID, SSO URL, and X.509 certificate from your identity provider. These values are typically found in your IdP’s SAML app configuration.
Download SP metadata
Click "Download SP Metadata" to get ChartPull’s Service Provider metadata XML file. This contains the SP Entity ID and ACS URL.
Upload metadata to your IdP
Upload the SP metadata file to your identity provider, or manually enter the SP Entity ID and ACS URL. Assign users or groups who should have access.
Test the connection
Click "Test SSO" in ChartPull. This opens a new window and attempts a full SAML login flow. If the test succeeds, you will see a green confirmation.
Set the enforcement mode
Choose how strictly SSO is enforced: Optional (both Google and SSO), Required (SSO only), or Admin Bypass (SSO required but super_admin can still use Google).
https://chartpull.com/api/auth/saml
https://chartpull.com
email to user.email, firstName to user.firstName, lastName to user.lastName.
After configuring SAML, ChartPull provides a “Test Connection” button. This opens a new window that goes through the full SAML flow and reports back whether it succeeded or failed. If it fails, ChartPull shows the specific error (certificate mismatch, wrong ACS URL, missing attributes, etc.) so you can fix the configuration.
Test before enforcing
We strongly recommend testing with your own account before enforcing SSO for all users. Once SSO is enforced, users can only sign in via your IdP — the Google sign-in option is disabled. If the SSO configuration is wrong, users (including you) could be locked out.
Enforcement determines whether SSO is a convenience or a requirement. Choose the mode that matches your organisation’s security policy.
| Mode | Google login | SSO login | Best for |
|---|---|---|---|
| Optional | Allowed | Allowed | Testing SSO before rollout, or teams that prefer choice |
| Required | Blocked | Required | Organisations that mandate all access through the IdP |
| Admin Bypass | Super admin only | Required for all others | Most organisations — SSO enforced with a safety hatch |
We recommend Admin Bypass
Admin Bypass is the safest choice for most teams. It enforces SSO for all regular users while ensuring the super_admin can always sign in via Google if the IdP goes down or the SAML certificate expires.