Constellix SAML

Updated December 09, 2025 19:07

Constellix SAML – Frequently Asked Questions

A concise, customer‑facing guide to setting up and managing SAML Single Sign‑On (SSO) with Constellix.

At a glance

- Both SP‑initiated and IdP‑initiated flows are supported.
- Once SAML is enabled, your email address is your username; local login is disabled.
- New SAML users start with no permissions until assigned in Constellix.
- Keep a non‑SAML “break glass” admin for emergency access.

What is SAML and how does it work in Constellix?

Constellix supports Service Provider (SP) and Identity Provider (IdP) initiated SSO. After SAML is enabled, users enter their email address, are redirected to the IdP, and authenticate there.

Heads up: When SAML is enabled for an account, local login is disabled. Maintain a non‑SAML “break glass” user for continuity if your IdP is unavailable.

Will my existing permissions change when enabling SAML?

No. Existing permissions are retained for current users.

What permissions do new SAML users have?

Newly provisioned SAML users have no permissions by default. Assign permissions manually within the Constellix control panel. At this time, permissions and groups cannot be assigned from your IdP; they must be configured in Constellix.

What username do SAML users have?

For SAML‑enabled accounts, the email address is the username.

What is a “break glass” account and how should we set it up?

A “break glass” account is a non‑SAML administrative user kept for emergencies (e.g., IdP outage). Use a regular username (no domain) and secure it with strong MFA and vaulting.

How do I create a new SAML user in Constellix?

1. Add the user as a standard user in Constellix (if they don’t already exist).
2. Open Manage Users and provision SAML for that user.

Constellix also supports Just‑In‑Time (JIT) provisioning from your IdP.

This workflow differs from DNS Made Easy. In Constellix, you create a standard user first, then enable SAML for that user.

Do new users receive permissions automatically?

No. New users—whether created via UI or JIT—start with no permissions and require manual assignment in Constellix.

How do we start the SAML setup?

Complete the provided Google Form with your IdP metadata and details. Our DevOps team installs the configuration. For new installations, a SAML service restart is required. To ensure stability, restarts are scheduled on Tuesdays and Thursdays.

Can I disable a SAML user myself?

At this time, disabling a SAML user is not available in the UI. If you share the username, we can coordinate with our SAML administrator to disable SAML for that user on your account. A self‑service UI option is planned for a future release.

What if I need to recreate or reprovision a SAML user?

You can reprovision the user in your IdP and SSO should work. If you delete and recreate the user in Constellix, they’ll need to re‑confirm their email and may need to reset their password.

What does SAML activation cost?

- Platinum: No fee.
- Gold & Standard: $250 one‑time setup + $100/month after activation.

The fee applies per account, not per SAML user.

Do you support SCIM?

At this time, SCIM is not offered. Constellix supports SAML‑based SSO.

Do you support SP‑initiated or IdP‑initiated sign‑in?

Both are supported, and the necessary SAML bindings for redirection are built in.

Do you support JIT provisioning?

Yes. New users can be created in the UI or provisioned via your IdP using Just‑In‑Time provisioning.

Does SAML SSO support RBAC or group‑based permissions from my IdP?

At this time, role‑ or group‑based provisioning from the IdP is not offered. Newly provisioned users start with no permissions and must be granted access within Constellix.

Need help or a review of your IdP metadata? Contact Support and we’ll be happy to assist.