
Celonis Product Documentation

Security recommendations

Your team security and user provisioning settings may vary depending on your team size. Before setting up your team, we therefore recommend that you choose a coupling approach and relevant settings.

No coupling of single sign on (SSO) and user management

This is ideal for smaller teams who have no need for user governance, instead taking advantage of Celonis ID and two-factor authentication. This approach means that admins don't need to focus on account lifecycle management.

In this case, there is no need for single sign-on (SSO) and there is no coupling of user management. However, you may still want to consider your team privacy, IP-based restrictions, email signatures, and the use of application keys.

When following this approach, your users:

  • Log in to the Celonis Platform using their own username and password.

  • Choose how to receive their two-factor authentication token.

  • Can request an automated password reset when needed.

Light coupling of SSO and user management

When your team size is too large for manual invitations and maintenance, we recommend that you use either SAML SSO or OIDC SSO. In this case, you have the one-time effort of setting up SSO. With that, when users respond to an invite and log in for the first time, their identity information (i.e. first name, last name, email) is added in the Celonis Platform.

This is light coupling as there is no dynamic sync between the identity provider and the Celonis Platform.

Tight coupling of SSO and user management

With tight coupling, dynamic user sync is added with the identity provider. Any changes to individual accounts and optionally also their groups are reflected in the Celonis Platform upon sign-in. This coupling applies to larger organizations with a greater need for user governance.

In this case, as it is large scale, identity providers should provide groups to which the administrator assigns permissions in the Celonis Platform. If no groups are available, the administrator must add users manually to Celonis Platform groups.

Tight coupling can be done via SCIM API or SAML Just-in-Time (JIT), with SCIM being our recommendation.

Tight coupling differs from light coupling because:

  • It provides dynamic user syncing. This means that users created in your identity provider will be automatically created in your Celonis Platform. There is no need to manually send invitations.

  • It provisions and updates groups.

  • It allows users to log in directly without an admin invitation.

Security recommendation diagram

This diagram shows where each recommendation is best applied, with no coupling better used for small specialist teams who manage their security settings independently and tight coupling best used by global teams who have integrated IT management systems.

SSO_coupling_diagram.png