Single Sign On

caution

Single Sign On configurations are only available for Hosted CTFd and CTFd Enterprise instances.

Fallback URL

When any Single Sign On configuration is enabled, users with local CTFd accounts may still log in by browsing directly to https://ctfd-url/admin or https://ctfd-url/login?fallback=1.

Security Assertion Markup Language (SAML)

SAML is a standard supported by many different organizations for exchanging authentication and authorization data between parties, typically between a company and a vendor. SAML can be configured on Hosted CTFd instances on the Professional tier or CTFd Enterprise. While the protocol is known as SAML, many companies refer to it by the name of the service that provides it (e.g. Okta, OneLogin, Auth0, Azure Active Directory, etc).

Setting up SAML

Setting up SAML requires configuring some details on the service provider (the vendor or SP) side (most likely CTFd) as well as on the identity provider (the company or IdP) side.

  1. Log in to the Admin Panel of your CTFd instance. Click on Plugins > Single sign-on in the top right.

  2. Click the SAML tab to get the SAML settings. To set up the IdP side, you will need either the SP Metadata URL or the SP Metadata XML. Either can be used in your SAML provider to set up authentication.

    tip

    CTFd's SAML integration must be provided an email address to authenticate a user. CTFd's SP Metadata requests the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress identifier so this generally does not need to be manually configured.

    The username section of the email address will become the user's handle in CTFd. If their email address isn't already in use, it will be used to create the user.

  3. You will receive an IdP Metadata XML or IdP Metadata URL from your SAML software which you will need to put into the SAML plugin in CTFd.

  4. Click on the Settings tab, select SAML as the Single Sign-On Provider and then click Update.

    tip

    When enabling SAML you should generally set Registration Visibility to be Private so that public users can't register an account.