Single Sign-On (SSO) lets users access the Credit Benchmark Web App and Excel Add-in with their existing corporate credentials. Credit Benchmark supports SSO using SAML 2.0. In this setup, your identity provider authenticates the user and Credit Benchmark acts as the service provider that accepts the SAML response. SSO covers authentication only. Product access and data entitlements still depend on the users and permissions configured for your Credit Benchmark subscription.Documentation Index
Fetch the complete documentation index at: https://docs.creditbenchmark.com/llms.txt
Use this file to discover all available pages before exploring further.
How SSO Works
When a user signs in with SSO:- Credit Benchmark redirects the user to your corporate identity provider.
- Your identity provider authenticates the user using your internal controls, such as MFA and password policy.
- Your identity provider sends a signed SAML assertion to Credit Benchmark.
- Credit Benchmark validates the assertion and grants access if the user is authorised.
Implementation Steps
Kick off configuration
Contact your Credit Benchmark relationship lead or support@creditbenchmark.com to start the SSO setup. Credit Benchmark will coordinate the configuration details with your identity or security team.
Exchange SAML metadata
Your team provides the identity provider values listed below. Credit Benchmark provides the corresponding service provider values for your configuration.
Test in sandbox
Credit Benchmark provides a sandbox environment for testing before production rollout. Use this to confirm sign-in flow, user matching, and access behaviour.
Configuration Values You Provide
Your identity team provides the identity provider values below.| Value | What it is | Example format |
|---|---|---|
| IdP issuer URI / entity ID | The unique identifier for your SAML application or identity provider tenant. Credit Benchmark uses this to identify who issued the SAML response. | A tenant-specific Microsoft Entra ID or Okta issuer URL |
| Single Sign-On URL | The login endpoint where Credit Benchmark redirects users for authentication. | A tenant-specific Microsoft Entra ID or Okta SAML login URL |
| Signature certificate | The public certificate Credit Benchmark uses to verify that SAML responses were signed by your identity provider. | PEM or DER encoded X.509 certificate |
| Username attribute mapping | The SAML attribute that contains the user’s email address or username. This must match the user record configured in Credit Benchmark. | NameID, email, user.mail, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
Email address is the preferred user identifier. If your SAML assertion sends another identifier, confirm the mapping with Credit Benchmark before testing.
Configuration Values Credit Benchmark Provides
Credit Benchmark provides the service provider values below.| Value | What it is | Example format |
|---|---|---|
| Assertion Consumer Service (ACS) URL | The Credit Benchmark endpoint where your identity provider sends the SAML response after authentication. | Provided during implementation |
| Audience URI / SP entity ID | The service provider identifier your identity provider includes in the SAML response. Credit Benchmark validates this value to confirm the response was intended for the correct application. | Provided during implementation |
| Sandbox ACS URL | The ACS URL used for pre-production testing, if sandbox SSO is enabled separately from production. | Provided during implementation |
| Production ACS URL | The ACS URL used for live user authentication. | Provided during implementation |
SAML Requirements
Use these settings unless Credit Benchmark provides different implementation-specific instructions:| Setting | Requirement |
|---|---|
| Protocol | SAML 2.0 |
| Response signing | Required |
| Assertion signing | Required if supported by your identity provider |
| NameID / username | Must identify the Credit Benchmark user, preferably by email address |
| Certificate rotation | Notify Credit Benchmark before rotating the SAML signing certificate so the new certificate can be added before the old one expires |