Carerealm supports SAML 2.0 single sign-on for organisations that want to authenticate users via an existing identity provider. Once configured, staff sign in using their existing work account and Carerealm trusts the provider's assertion.
When SAML SSO is the right choice
Your organisation already runs Okta, Azure AD, Google Workspace, OneLogin, JumpCloud or similar.
You need to enforce MFA / conditional access from a central place.
You want to deprovision staff in one place — disabling them in your IdP removes their Carerealm access immediately.
Setting up SAML
SAML configuration lives at Admin → Settings → Authentication. You'll need someone with admin rights in your identity provider (Okta admin, Azure AD admin, etc.) to register Carerealm as a Service Provider.
In Carerealm, open the SAML section. Copy the SP metadata URL and the Assertion Consumer Service (ACS) URL.
In your IdP, create a new SAML application and paste those URLs. Set the NameID attribute to email.
Your IdP issues a metadata XML file or a public certificate + entity ID. Paste these back into the Carerealm SAML form.
Save. The realm runs a verification ping before activating — if anything's wrong, the change is rejected.
Test by signing in via the SAML button on your login page.
The tripwire — why you can't lock yourself out
If a saved SAML configuration ever stops working (e.g. your IdP certificate is rotated and you forget to update it), Carerealm detects the broken state and automatically reverts to the previous-known-good config. Realm admins can still sign in via their existing password and fix the problem. There's no "locked out forever" scenario.
Heads up — Activating SAML doesn't automatically remove password sign-in. If you want SAML-only access, enable the "Require SSO" toggle separately. Make sure at least one admin can sign in via SAML successfully before doing that.