Your organization can sign on with a single click (and avoid security headaches) thanks to Single Sign-On support for all standard SAML 2.0 IdPs.
Single Sign-On lets users access Arcules using your organization's user database or Identity Provider rather than Arcules managing separate passwords for the users.
Please note, this enables SSO as an additional Identity Provider; it does not remove standard email/password authentication.
Tested Identity Providers
Access to your domain's DNS Management Tool.
IT Manager level access to your organization's Arcules account.
Use the following values for the relevant SAML 2.0 settings when setting up the Identity Provider (IdP) of your choice:
Single Sign On URL:
(same for Recipient/Destination URL)
Audience Restriction: arcules.com
Note: This field may have a different name depending on the IdP. In Azure AD, for example, it is called Identifier (Entity ID). If you are setting SSO up in the EU, the value is eu.arcules.com instead of
Name ID Format: EmailAddress
Available Attribute Mapping:
- image (url to the image file)
Ensure your organization's SAML 2.0 IdP is set up with a valid IdP Metadata XML. You can either provide a URL to the IdP Metadata XML that you host or upload the Metadata File.
Step 1: Add and validate a domain
In order to prove that you are the owner/administrator of a domain, Arcules will have to validate the domain. To do so, you need to add a unique key provided by Arcules to your DNS configuration.
Go to the Settings Tab
Click the Verify Domain Tab
Click + New Domain and enter the domain address
Click VERIFY, then copy the TXT key
Open your DNS Management Tool (e.g. Google Domains, GoDaddy, ...)
Paste the key into the TXT field
Wait until your DNS configuration changes (Note: this could take up to 72 hours)
Step 2: Configure & enable SSO
Now that you have verified a domain, you can enable the SSO feature.
Go to the Settings Tab.
Click the SAML Single Sign-On Tab.
Locate the domain address you want to enable SSO for and toggle it on.
Select your Setting Method. You can upload your IdP metadata XML file or add the URL to the file that you host publicly.
To disable SSO, simply toggle off SSO per domain.
Repeat steps 1 and 2 if you want to enable SSO for additional domains within your organization.
User Login page
To log in with SSO, enter the email address associated with the SAML account and click Next.
Notes on Setting up in ADFS
Please note that we highly recommend using Azure AD for the SAML 2.0 integration, and we do not actively support implementing SAML 2.0 directly via ADFS.
However, the information below might help in getting set up inside ADFS:
SAML Endpoint - https://manage.arcules.com/federation/login/saml/assert
Relying Party Identifier - arcules.com
For everything else, please use default values.
For claim issuance policy, you might need two rules:
Rule 1 - from Active Directory, pass Email-addresses as Name ID
Rule 2 - a custom rule with this info:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
Note for Microsoft Azure/Authenticator when using Mobile
If you are using Microsoft Azure/Authenticator as your SSO provider, you need to have the Microsoft Authenticator app installed on your iOS or Android device if you want to access Arcules via mobile.