Single Sign-On

ChaosSearch provides users with a straightforward integration to common SSO services.

ChaosSearch supports connectors and single sign on (SSO) integrations with an identity provider (IdP) such as Auth0, Okta, Google, and others to authenticate and authorize user access to the ChaosSearch interface and features.

Overview of ChaosSearch SSO Authentication

In the SSO authentication model, users authenticate with their company's identity provider (IdP) service in a process similar to the following:

  1. User accesses the ChaosSearch login page and clicks Single Sign On.

  2. ChaosSearch redirects to an Auth0 broker where each customer is provisioned.

  3. Auth0 sends a request to the customer's IdP connector to authenticate the user.

  4. The IdP responds with an authentication SAML response/JWT token in the browser.

  5. Auth0 sends the proof of key/code exchange token in the browser to ChaosSearch, which gathers the information to complete the user authentication and authorization to the desired tenant.


ChaosSearch uses a just-in-time (JIT) auto-provisioning model for subaccount users that connect via SSO provisioning. The first time that an SSO user authenticates with ChaosSearch, the system automatically creates a subaccount, sometimes called a JIT user, for the SSO subaccount. The subaccount is automatically configured with access to a group named default.



If there is already a matching, static subacccount in ChaosSearch for the SSO user, the system uses that existing subaccount and its current group provisioning for authorizations.


About the default Group

The default group starts with administrative-level permissions, which are not typically the permissions that customers would assign to auto-provisioned JIT users. As a best practice, customer administrators should change the settings of the default group to reflect the permissions that a new JIT user should be granted. If the default group is not modified, the administration privileges are granted to the JIT users.

Customer administrators can change the auto-provisioned/JIT subaccounts to assign different groups and to manage the accounts as needed. Note that group assignment changes might require an authenticated JIT user to log out of ChaosSearch and re-authenticate to obtain the updated group assignments.

Benefits of Single Sign-On

Using an SSO solution offers the following benefits:

Reduced password fatigue: Remembering one less password. Users of your organization who are granted access to ChaosSearch do not need to create and remember another password for ChaosSearch to log in and use our features.

Easily manage user access: Administrators can grant/prohibit access to ChaosSearch for their users via the console of the organization's identity provider without having to log in to ChaosSearch. Administrators have less application overhead for managing users and easier overall access control management for changes.

Improved security: Your identity provider manages and sends authentication assertions when users are authenticating to ChaosSearch, instead of passwords that are created by users.

To configure SSO support for ChaosSearch:

Contact [email protected] to plan and implement the SSO integration for your site.