Single Sign On configurations are only available for Hosted CTFd and CTFd Enterprise instances
When any Single Sign On configuration is enabled, users with local CTFd accounts may still login by browsing directly to
Security Assertion Markup Language (SAML)
SAML is a standard supported by many different organizations for exchanging authentication and authorization data between parties, typically between a company and a vendor. SAML can be configured on Hosted CTFd instances on the Professional tier or CTFd Enterprise. While the protocol is known as SAML many companies refer to it through a service (e.g. Okta, OneLogin, Auth0, Azure Active Directory, etc).
Setting up SAML
Setting up SAML requires setting up some details on the service provider (the vendor or SP) side (most likely CTFd) as well as the identity provider (the company or IdP) side.
Login to the Admin Panel of your CTFd instance. Click on Plugins > Single sign-on in the top right.
Click the SAML tab to get the SAML settings. To set up the IdP side, you will need either the SP Metadata URL or the SP Metadata XML. Either can be used in your SAML provider to setup authentication.
CTFd's SAML integration must be provided an email address to authenticate a user. CTFd's SP Metadata requests the
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressidentifier so this generally does not need to be manually configured.
The username section of the email address will become the user's handle in CTFd. Their email address if it isn't already used will be used to create the user.
You will receive an IdP Metadata XML or IdP Metadata URL from your SAML software which you will need to put into the SAML plugin in CTFd.
Click on the Settings tab, select SAML as the Single Sign-On Provider and then click Update.
When enabling SAML you should generally set Registration Visibility to be Private so that public users can't register an account