Paid features

Setting up paid features in CVAT.

We provide a variety of premium features exclusively for our paying customers.

For further details, please visit:

1 - Subscription management

How to manage your subscription

This article provides tips on how to effectively manage your CVAT Online subscriptions, including tracking expenses and canceling unnecessary subscriptions, to optimize your finances and save time.

Whether you’re a business owner or an individual, you’ll learn how to take control of your subscriptions and manage them.

See:

Available paid plans

This section outlines the paid plans available on CVAT Online.

Monthly plans

  • Solo: The Solo plan has a fixed price and is designed for personal use only.

    It does not assume collaboration with team members and is not suitable for use within organizations, but it removes all other limitations of the Free plan.

    Note: Although it allows the creation of an organization and access for up to 2 members, it is for trial purposes only! The organization and its members will have all the limitations of the Free plan.

  • Team: The Team plan is for collaboration. It removes the limitations of the Free plan for the whole organization, allowing you to share paid benefits with your colleagues.

    The monthly payment for the plan depends on the number of team members you’ve added. All limits of the Free plan will be removed.

    Note: The organization owner is also part of the team. So, if you have two annotators working, you’ll need to pay for 3 seats (2 annotators + 1 organization owner).

Annual plans

Whether you’re a new user, or have a subscription to Team or Solo plan, you can subscribe to our annual plan and save up to 30% on CVAT Online usage costs.

The annual subscription offers all the benefits of our paid plans but at a more affordable monthly rate.

For more information, see How to switch from monthly subscription to annual?

Billing

This section describes the billing model and gives a short description of the limitations of each plan.

There are two types of subscriptions available for both the Solo and Team plans: monthly and annual.

For more information, see: Pricing Plans

How to add VAT/tax and other information to the CVAT Online invoice before the first payment?

To ensure VAT (tax) information and other relevant details are included on your CVAT Online invoices, it’s important to add this information before making the first payment.

Here’s how you can do it:

  1. Sign up for a CVAT Online account and log in.
  2. (Optional) If you add the VAT/tax number to the organization, first create an organization and switch to an Organization account.
  3. Navigate to the top right corner, next to the nickname, click on the arrow > upgrade to the plan.
  4. Switch on the I would like the invoice to include additional data (address, phone number, VAT information) toggle, select the best payment period for you, and click Get Started.

Stripe Link

  5. You will see the billing page:

Stripe Link

    • Phone number (1).
    • Billing Address: Enter the billing address you want to appear on the invoice in the address field (2).
    • VAT Information and Business Name: Select the checkbox I am purchasing as a business and enter your VAT and business name information (3).

  6. Select checkbox I agree to refund policy (4).

    Note: Please read the Refund policy before selecting the checkbox.

  7. Click Pay & Subscribe.

All information you’ve added will appear on the billing page and in the invoice.

Stripe Payment Info

By following these steps, you can seamlessly add VAT and other crucial information to your invoices, making your financial transactions with CVAT Online transparent and compliant.

How to update VAT/tax information and other details for upcoming invoices from CVAT Online?

In the top right corner, near the nickname, click on the arrow > manage plan.

You will see the Stripe page. Go to the Billing Information > Update Information.

Stripe Payment Info

Can a paid invoice be modified?

Once an invoice has been paid, it is not possible to modify it. This restriction is due to the limitations of the payment processing platform used, which in the case of CVAT Online, is Stripe.

Stripe’s policy dictates that revisions to an invoice can only be made before payment. For more comprehensive information on this policy, please refer to Stripe’s official documentation on invoice edits at their website.

How can I get a quote before I subscribe? How to add a PO number to my invoices?

If you require a quote from CVAT Online for payment via bank transfer, certain criteria must be met:

  • The total subscription cost must be $396 and up per year.
  • Quotes are available exclusively for annual subscriptions.

Should you meet these requirements, please write to support@cvat.ai

Can you sign an agreement before I subscribe?

Signing of specific agreements and approvals is available if you meet specific criteria (the total subscription cost must be $10,000 and up per year). For more details, contact support@cvat.ai

Can you handle a bank transfer with 30-day payment terms?

Yes, it is available if you fit the quota criteria, for details contact support@cvat.ai.

Where can I find my invoices?

In the top right corner, near the nickname, click on the arrow > manage plan.

You will see the Stripe page. At the bottom of the page, you will see the Invoice History section with all invoices.

Invoices are automatically sent to the account owner’s address used for the registration.

To see the invoice, click on the Show Invoice icon.

Show Invoice

I am a student, can I have a discount or free access?

To consider your request for a discount, we’d need a few details from you:

  • A copy of your valid student ID or any document confirming your university affiliation.
  • Your university advisor’s contact details.
  • The name and contact information of the dean of your faculty.
  • A brief outline of your project plan. This helps us understand how we might collaborate on a joint marketing statement highlighting your use of CVAT Online, and how it can benefit your project.
  • We’d also appreciate a positive LinkedIn post about your experience using CVAT Online, making sure to tag @CVAT.ai.

All these details must be sent to support@cvat.ai. Once we have this information, we’ll gladly offer you a 50% discount for one year.

Payment methods

This section describes how to change or add payment methods.

Paying with bank transfer

Note: At the moment this method of payment works only with US banks.

To pay with a bank transfer:

  1. Go to the Upgrade to Solo/Team plan > Get started.
  2. Click US Bank Transfer.
  3. Upon successful completion of the payment, you will receive a receipt via email.

Note that the completion of the payment process may take up to three banking days.

Bank Transfer Payment

How to change the payment method?

In the top right corner, near the nickname, click on the arrow > manage plan > +Add Payment Method

Payment team

Adding and removing team members

Solo plan is for personal use only, you cannot add or remove team members.

Team plan is for collaboration. To add members to your Organization, go to the Manage Team plan > Update quantity.

Add members

If you’ve added a user before the current billing period ends, the payment will be prorated for the remaining time until the next billing cycle begins. From the following month onward, the full payment will be charged.

In case you removed the user before the current billing period ends, funds will not be returned to your account, but next month you will pay less by the amount of unused funds.

Change plan

How to change the plan from Solo to Team?

The procedure is the same for both Solo and Team plans.

If for some reason you want to change your plan, you need to:

  1. Unsubscribe from the previous plan.
  2. If you need a refund, contact us at support@cvat.ai.
  3. Subscribe to a new plan.

How to switch from a monthly subscription to an annual one?

If you have a monthly subscription and wish to switch to the Annual plan, please follow these steps:

  1. In the top-right corner, near the nickname, click on the arrow.
  2. Select Manage Solo/Team Plan.
  3. On the Stripe page that appears, click Update Plan.

Stripe Update Plan

  4. Choose Yearly and then click Continue.

Stripe Yearly Plan

The price will be adjusted according to the number of members, selected in the Quantity field (if updated), taking into account the amount of money that was not spent in the current period.

Upon payment, your subscription will be renewed and the start date will be reset to the day you switch to the new plan.

Can I subscribe to several plans?

Paid plans are not mutually exclusive. You can have several active subscriptions, for example, the Solo plan and several Team plans for different organizations.

Cancel plan

This section describes how to cancel your CVAT subscription and what will happen to your data.

What will happen to my data?

Once you have terminated your subscription, your data will remain accessible within the system for a month. During this period, you will be unable to add new tasks and free plan limits will be applied.

In case you possess a substantial amount of data, it will be switched to read-only mode. It means you will not be able to save annotations, add any resources, and so on.

After the one month, you will receive a notification requesting you to remove the excess data; otherwise, it will be deleted automatically.

How to cancel any plan?

To cancel the plan, in the top right corner, near the nickname, click on the arrow > manage plan > Cancel plan

Please fill out the feedback form to help us improve our platform.

Cancel pro

How can I get a refund?

To understand if you are eligible for a refund, see Refund policy.

  1. Cancel the subscription before asking for a refund.
  2. Contact our support team at support@cvat.ai or use the “Support” option in the app.cvat.ai interface.
  3. Provide your account details and a brief explanation of the reason for the refund:
    • Send us your last invoice.
    • Send us the username and e-mail address you’ve used to register in CVAT Online.

Our team will review your request. We may request additional information if needed. Once approved, the refund will be processed to your original payment method within 5-10 business days.

Plan renewal

To renew your CVAT Online subscription, in the top right corner, near the nickname, click on the arrow > manage plan > Renew plan.

Subscription management video tutorial

2 - Social auth configuration

Social accounts authentication for a Self-Hosted solution

Note: This is a paid feature available for Enterprise clients.

You can now easily set up authentication with popular social services, which opens doors to such benefits as:

  • Convenience: you can use the existing social service credentials to sign in to CVAT.
  • Time-saving: with just two clicks, you can sign in without the hassle of typing in credentials, saving time and effort.
  • Security: social auth service providers have high-level security measures in place to protect your accounts.

Currently, we offer three options:

With more to come soon. Stay tuned!

Authentication with Google

To enable authentication, do the following:

  1. Log in to the Google Cloud console

  2. Create a project, and go to APIs & Services

  3. On the left menu, select OAuth consent, then select User type (Internal or External), and click Create.

  4. On the OAuth consent screen fill all required fields, and click Save and Continue.

  5. On the Scopes screen, click Add or remove scopes and select auth/userinfo.email, auth/userinfo.profile, and openid. Click Update, and Save and Continue.
    For more information, see Configure Auth Consent.

  6. On the left menu, click Credentials, on the top menu click + Create credentials, and select OAuth client ID.

  7. From the Application Type select Web application and configure: Application name, Authorized JavaScript origins, Authorized redirect URIs.
    For example, if you plan to deploy a CVAT instance on https://localhost:8080, add https://localhost:8080 to authorized JS origins and https://localhost:8080/api/auth/social/google/login/callback/ to redirect URIs.

  8. Create configuration file in CVAT:

    1. Create the auth_config.yml file with the following content:

      ---
      social_account:
        enabled: true
        google:
          client_id: <some_client_id>
          client_secret: <some_client_secret>
      
    2. Set the AUTH_CONFIG_PATH="<path_to_auth_config>" environment variable.

  9. In a terminal, run the following command:

    docker compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.override.yml up -d --build
    

Authentication with GitHub

There are 2 basic steps to enable GitHub account authentication.

  1. Open the GitHub settings page.

  2. On the left menu, click <> Developer settings > OAuth Apps > Register new application.
    For more information, see Creating an OAuth App

  3. Fill in the name field, set the homepage URL (for example: https://localhost:8080), and authentication callback URL (for example: https://localhost:8080/api/auth/social/github/login/callback/).

  4. Create configuration file in CVAT:

    1. Create the auth_config.yml file with the following content:

      ---
      social_account:
        enabled: true
        github:
          client_id: <some_client_id>
          client_secret: <some_client_secret>
      
    2. Set the AUTH_CONFIG_PATH="<path_to_auth_config>" environment variable.

  5. In a terminal, run the following command:

    docker compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.override.yml up -d --build
    

Note: You can also configure a GitHub App, but don’t forget to add the required permissions.
Under Permission > Account permissions, Email addresses must be set to read-only.

Authentication with Amazon Cognito

To enable authentication with Amazon Cognito for your CVAT instance, follow these steps:

  1. Create an Amazon Cognito pool (Optional)
  2. Set up a new app client
  3. Configure social authentication in CVAT

Now, let’s dive deeper into how to accomplish these steps.

Amazon Cognito pool creation

This step is optional and should only be performed if a user pool has not already been created. To create a user pool, follow these instructions:

  1. Go to the AWS Management Console
  2. Locate Cognito in the list of services
  3. Click Create user pool
  4. Fill in the required fields

App client creation

To create a new app client, follow these steps:

  1. Go to the details page of the created user pool
  2. Find the App clients item in the menu on the left
  3. Click Create app client
  4. Fill out the form as shown below:
    • Application type: Traditional web application
    • Application name: Specify a desired name, or leave the autogenerated one
    • Return URL (optional): Specify the CVAT redirect URL (<http|https>://<cvat_domain>/api/auth/social/amazon-cognito/login/callback/). This setting can also be updated or specified later after the app client is created.
  5. Navigate to the Login pages tab of the created app client
  6. Check the parameters in the Managed login pages configuration section and edit them if needed:
    • Allowed callback URLs: Must be set to the CVAT redirect URL
    • Identity providers: Must be specified
    • OAuth grant types: The Authorization code grant must be selected
    • OpenID Connect scopes: OpenID, Profile, Email scopes must be selected

Setting up social authentication in CVAT

To configure social authentication in CVAT, create a configuration file (auth_config.yml) with the following content:

---
social_account:
  enabled: true
  amazon_cognito:
    client_id: <client_id>
    client_secret: <client_secret>
    domain: <custom-domain>  # or https://<custom-cognito-prefix>.auth.us-east-1.amazoncognito.com

To find the client_id and client_secret values, navigate to the created app client page and check the App client information section. To find domain, look for the Domain item in the list on the left.

Once the configuration file is updated, several environment variables must be exported before running CVAT:

export AUTH_CONFIG_PATH="<path_to_auth_config>"
export CVAT_HOST="<cvat_host>"
# cvat_port is optional
export CVAT_BASE_URL="<http|https>://${CVAT_HOST}:<cvat_port>"

Start the CVAT enterprise instance as usual. That’s it! On the CVAT login page, you should now see the option Continue with Amazon Cognito.

3 - SSO configuration

SSO for a Self-Hosted solution

Note: This is a paid feature available only to Enterprise clients.

CVAT supports Single Sign-On (SSO) using both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) protocols.

To configure SSO, complete the following 2 main steps:

  1. Configure the Identity Provider (IdP) — set up an application on your IdP platform.
  2. Update the CVAT configuration — provide the necessary identity provider settings in the CVAT configuration file.

If the application is already configured, refer to the Configuring SSO in CVAT section. Otherwise, you may follow one of the detailed platform-specific guides to set up such an application:

Platform specific IdP configuration

Microsoft Azure

OpenID Connect

Follow these steps to configure an application on the Microsoft Azure platform and integrate it with CVAT:

Step 1: Register an OIDC-based application

To start, log into your Microsoft Azure Portal. Once you’re in:

  1. Navigate to the Microsoft Entra ID service -> App registrations section in the menu on the left.

  2. Click on the + New registration button.

  3. Enter application name.

  4. Select Supported account types based on your needs.

  5. Add Redirect URI: choose Web platform and set <scheme:cvat_domain>/api/auth/oidc/<idp-id:azure-oidc>/login/callback/ to the value field.

    Azure portal screen showing a completed registration form for creating an OIDC-based application

  6. Click on the Register button.

You’ve created an app, now you should configure the credentials for it.

Step 2: Configure credentials

  1. Navigate to the Overview tab of your newly created application.

    Azure portal screen showing an overview tab of the created OIDC-based application

  2. In the Client credentials section, click the Add a certificate or secret link. This will take you to the Certificates & secrets page.
  3. Click + New client secret.
  4. In the popup form, enter a description and select an expiration period, then click Add.

    Azure portal screen showing client secret creation form

The newly created secret will appear in the list. Make sure to copy the value now — you won’t be able to see it again later.

Azure portal screen showing the Certificates & secrets tab with a newly added client secret

Step 3: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:azure-oidc>
      protocol: OIDC
      name: Azure OIDC-based IdP
      server_url: https://<Directory (tenant) ID>/v2.0/
      client_id: <Secret ID>
      client_secret: <Secret Value>
      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

SAML

Follow these steps to configure an application on the Microsoft Azure platform and integrate it with CVAT:

Step 1: Register an SAML-based application

To start, log into your Microsoft Azure Portal. Once you’re in:

  1. Navigate to the Microsoft Entra ID service -> Enterprise applications section in the menu on the left.
  2. Click + New application and enter a name for the application in the popup window, then click Create.

    Azure portal screen showing a completed form for an enterprise application

You’ve created an app, now you should finalize its configuration and assign users or groups.

Step 2: Configure a created application

  1. Navigate to the Single sign-on section in the menu on the left.
  2. Choose the SAML protocol as the single sign-on method.

    Azure portal screen where SAML is selected as the Single sign-on method for the application being configured

  3. Edit Basic SAML Configuration:
    • Identifier (Entity ID): <scheme:cvat_domain>/api/auth/saml/<idp-id:azure-saml>/metadata/
    • Reply URL (Assertion Consumer Service URL): <scheme:cvat_domain>/api/auth/saml/<idp-id:azure-saml>/acs/
    • Save changes

    Azure portal screen with basic SAML-based application settings filled in

  4. Edit Attributes & Claims by adding a new uid claim:
    • Name: uid
    • Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
    • Source: attribute
    • Source attribute: user.objectid

    Azure portal screen showing the filled-in form for creating a new uid claim

Step 3: Assign users and groups

At this point, no users or groups have been assigned to the application. To grant access:

  1. Navigate to the Users and groups section of the application.
  2. Click the + Add user/group button.
  3. Select the users or groups you want to assign.
  4. Confirm selection.

The selected users or groups will now appear in the assignment list.

That’s it, now we can move on to the configuration in CVAT.

Step 4: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:azure-saml>
      protocol: SAML
      name: Azure SAML-based IdP
      entity_id: <Microsoft Entra Identifier> (https://sts.windows.net/<tenantId>/)
      metadata_url: <App Federation Metadata Url>

      attribute_mapping:
        uid: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uid
        username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        first_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
        last_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
        # email_verified: it is not possible to configure SAML-based application to send this claim to the SP

      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

Okta

OpenID Connect

Follow these steps to configure an application on the Okta platform and integrate it with CVAT:

Step 1: Register an OIDC-based application

To start, log into your Okta admin dashboard. Once you’re in:

  1. Navigate to the Applications section in the menu on the left.

  2. Click on the Create App integration button.

  3. Select OIDC - OpenID Connect as a sign-in method and Web Application type.

    Okta admin dashboard screen showing the initial form to create a new app integration with the OIDC sign-in method and Web application type

  4. Fill the form with the following content:

    • App integration name: enter a name for the application
    • Sign-in redirect URIs: <scheme:cvat_domain>/api/auth/oidc/<idp-id:okta-oidc>/login/callback/
    • Select option in the Controlled access to match your requirements. In this example, we’ll use Skip group assignment for now.

    Okta admin dashboard screen showing a completed registration form to create an OIDC-based app integration

You’ve created and configured the app, now you should assign users or groups to the application.

Step 2: Assign users or groups

At this point, no users or groups have been assigned to the application. To grant access:

  1. Navigate to the Assignments tab of the application.
  2. Click the Assign button and select Assign to People or Assign to Groups based on your needs.
  3. Identify the users or groups you want to assign, then click assign.

The selected users or groups will now appear in the assignment list.

Okta admin dashboard screen showing a user being added to the list with users and groups assigned to the OIDC-based application

Step 3: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:okta-oidc>
      protocol: OIDC
      name: Okta OIDC-based IdP
      server_url: https://<okta_domain>/
      client_id: <client_id>
      client_secret: <client_secret>
      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

SAML

Follow these steps to configure an application on the Okta platform and integrate it with CVAT:

Step 1: Register an SAML-based application

To start, log into your Okta admin dashboard. Once you’re in:

  1. Navigate to the Applications section in the menu on the left.

  2. Click on the Create App integration button.

  3. Select SAML 2.0 as a sign-in method, then click Next.

    Okta admin dashboard screen showing the initial form to create a new app integration with SAML sign-in method

  4. Fill the form with the general settings and go to the next configuration step.

  5. On the Configure SAML form set the following fields:

    • Single sign-on URL: <scheme:cvat_domain>/api/auth/saml/<idp-id:okta-saml>/acs/
    • Audience URI (SP Entity ID): <scheme:cvat_domain>/api/auth/saml/<idp-id:okta-saml>/metadata/

    Okta admin dashboard screen showing a completed registration form to create an SAML-based app integration

  6. Define attribute statements that will be shared with CVAT. In our example we will use the Basic attribute name format and set the mapping as shown below:

    • firstName: user.firstName
    • lastName: user.lastName
    • username: user.login
    • email: user.email
    • uid: user.getInternalProperty("id")

    Okta admin dashboard screen with attribute statements configuration for the SAML-based application being created

  7. Navigate to the next configuration step and fill the Feedback form.

You’ve created and configured the app. You can now either complete an optional step to simplify the login process in CVAT or proceed directly to the CVAT configuration step.

Step 2: Simplify login process

If CVAT is configured to require email verification, it expects the Identity Provider to include the email_verified claim. However, Okta does not send this claim by default. As a result, users will receive a confirmation email with a verification link.

There is an option to include the email verification claim at the sign-in step:

  1. Add one more mapping emailVerified -> user.emailVerified on SAML-based application configuration step:
    1. Navigate to the SAML Settings on the General tab and click Edit.
    2. Add one more attribute mapping as it was described in the app configuration step.
  2. Add custom user attribute emailVerified:
    • Navigate to the Directory section in the menu on the left -> Profile Editor item
    • Select the default user profile from the list (User (default))
    • Click + Add Attribute
    • Fill out the form with your desired values, making sure to select the boolean data type
    • Click Save

    Okta admin dashboard screen showing the filled-in form to add a new emailVerified attribute

  3. Update user profiles:
    • Navigate to the People section in the menu on the left
    • Set the value for the recently created attribute for each person

Step 3: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:okta-saml>
      protocol: SAML
      name: Okta SAML-based Identity Provider
      entity_id: <Issuer>
      metadata_url: <Metadata URL>

      attribute_mapping:
        uid: uid
        username: username
        email: email
        first_name: firstName
        last_name: lastName
        email_verified: emailVerified # if configured

      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

Auth0

OpenID Connect

Follow these steps to configure an application in the Auth0 platform and integrate it with CVAT:

Step 1: Register an OIDC-based application

To start, log into your Auth0 dashboard. Once you’re in:

  1. Navigate to the Applications section in the menu on the left, click + Create Application.
  2. Enter a name for the application and choose the Regular Web Applications type, then click Create.

Auth0 dashboard screen showing a completed form for creating an OIDC-based application

You’ve created an app, now you should finalize its configuration.

Step 2: Configure a created application

  1. In the Settings tab of your new application, scroll down to the Application URIs section.
  2. Add <scheme:cvat_domain>/api/auth/oidc/<idp-id:auth0-oidc>/login/callback/ to the Allowed Callback URLs.
  3. Save changes.

Auth0 dashboard screen showing Allowed Callback URLs configuring for the created OIDC-based application

That’s it, now we can move on to the configuration in CVAT.

Step 3: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:auth0-oidc>
      protocol: OIDC
      name: Auth0 OIDC-based IdP
      server_url: https://<auth0_domain>/
      client_id: <client_id>
      client_secret: <client_secret>
      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

SAML

Follow these steps to configure an application in the Auth0 platform and integrate it with CVAT:

Step 1: Register an SAML-based application

To start, log into your Auth0 dashboard. Once you’re in:

  1. Navigate to the Applications section in the menu on the left, click + Create Application.
  2. Enter a name for the application and choose the Regular Web Applications type, then click Create.

Auth0 dashboard screen showing a completed form for creating a SAML-based application

You’ve created an app, now you should finalize its configuration.

Step 2: Configure a created application

  1. Navigate to the Addons tab of the created application and click on the SAML2 WEB APP button.

    Auth0 dashboard screen showing SAML2 WEB APP plugin on the Addons tab for the created SAML-based application

  2. Open the Settings tab in the popup window and set the following configuration:

    Auth0 dashboard screen showing SAML2 WEB APP plugin configuring by adding Application Callback URL and SAML-specific settings

    • Application Callback URL: <scheme:cvat_domain>/api/auth/saml/<idp-id:auth0-saml>/acs/
    • Settings: enter a JSON object like the following:
    {
      "audience": "<scheme:cvat_domain>/api/auth/saml/<idp-id:auth0-saml>/metadata/",
      "recipient": "<scheme:cvat_domain>/api/auth/saml/<idp-id:auth0-saml>/acs/",
      "destination": "<scheme:cvat_domain>/api/auth/saml/<idp-id:auth0-saml>/acs/",
      "mappings": {
        "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "nickname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username",
        "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "email_verified": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailverified"
      },
      "createUpnClaim": false,
      "passthroughClaimsWithNoMapping": false,
      "mapIdentities": false
    }
    
  3. Scroll down and click Enable.

That’s it, now we can move on to the configuration in CVAT.

Step 3: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:auth0-saml>
      protocol: SAML
      name: Auth0 SAML-based IdP
      entity_id: <Issuer>
      metadata_url: <Metadata URL>

      attribute_mapping:
        uid: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username
        email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        first_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
        last_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
        email_verified: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailverified

      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

Keycloak

To configure SSO with Keycloak, you need to create a client.

OpenID Connect

Follow these steps to do that:

Step 1: Register an OIDC-based client

To start, go to the Keycloak service (by default it is listening for HTTP and HTTPS requests using the ports 8080 and 8443, respectively) and log into your admin account. Once you’re in:

  1. Under the desired realm, navigate to the Clients section and click Create client.
  2. Fill out the general client settings:
    • Client type: OpenID Connect
    • Client ID: enter client identifier
    • Enter a name for the client, e.g. OIDC-based client
  3. In the next step, enable the Client authentication toggle.
  4. In the Login settings section, provide the following values:
    • Home URL: <scheme:cvat_domain>
    • Valid redirect URIs: <scheme:cvat_domain>/api/auth/oidc/<idp-id:keycloak-oidc>/login/callback/
    • Web origins: <scheme:cvat_domain>

That’s it, now we can move on to the configuration in CVAT.

Step 2: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:keycloak-oidc>
      protocol: OIDC
      name: Keycloak OIDC-based Identity Provider
      server_url: <scheme:keycloak_domain>/realms/<custom_realm>/.well-known/openid-configuration
      client_id: <Client ID>
      client_secret: <Client Secret>
      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

SAML

Follow these steps to configure a client:

Step 1: Register a SAML-based client

To start, go to the Keycloak service (by default it is listening for HTTP and HTTPS requests using the ports 8080 and 8443, respectively) and log into your admin account. Once you’re in:

  1. Under the desired realm, navigate to the Clients section and click Create client.
  2. Fill out the general client settings:
    • Client type: SAML
    • Client ID: set it to the URL <scheme:cvat_domain>/api/auth/saml/<idp-id:keycloak-saml>/metadata/
    • Enter a name for the client, e.g. SAML client
  3. In the Login settings section, provide the following values:
    • Home URL: <scheme:cvat_domain>
    • Valid redirect URIs: <scheme:cvat_domain>/api/auth/saml/<idp-id:keycloak-saml>/acs/

You’ve created a client, now you should finalize its configuration.

Step 2: Configure a created client
  1. Navigate to the general settings of the created client, scroll down to the SAML capabilities section.
  2. Update the following parameters:
    • Name ID format: email
    • Force name ID format: On
  3. Navigate to the Keys tab and enable the Client signature required toggle.
  4. Configure attributes & claims:
    1. Navigate to the Client scopes tab on the created client -> dedicated scopes for the client. You will see that there are no configured mappers.

    2. Set up mappers for the following attributes:

      • uid
      • first_name
      • last_name
      • username
      • email

      For attributes like email, first name, and last name, you can either

      • Use the predefined mappers
      • Or follow the manual configuration steps to create them yourself.

      To configure other mappers, click Configure a new mapper (if it is the first mapper) or Add mapper -> By configuration, and then select User Property.

      For instance, to configure a mapper for the username attribute, fill in the form as follows:

      • Name: username
      • Property: username
      • SAML Attribute Name: usernameAttribute

That’s it, now we can move on to the configuration in CVAT.

Step 3: Configure CVAT

Utilize the example below as a template for your configuration:

sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: <idp-id:keycloak-saml>
      protocol: SAML
      name: Keycloak SAML-based Identity Provider
      entity_id: <scheme:keycloak_domain>/realms/<custom_realm>
      metadata_url: <scheme:keycloak_domain>/realms/<custom_realm>/protocol/saml/descriptor

      attribute_mapping:
        uid: uidAttribute
        email_verified: emailVerifiedAttribute
        email: emailAttribute
        last_name: lastNameAttribute
        first_name: firstNameAttribute
        username: usernameAttribute

      email_domain: <company_email_domain>

You can now proceed to start CVAT. For additional CVAT configuration details, refer to Configuring SSO in CVAT.

Configuring SSO in CVAT

CVAT provides a dedicated configuration file to customize the login and registration flow. The sso section of this file specifies which external Identity Provider (IdP) integrations are enabled. To set up SSO, you typically create a custom YAML configuration file (e.g., auth_config.yml) and supply its path when starting CVAT.

SSO settings

Setting Description
enabled Enables or disables Single Sign-On (SSO) functionality.
selection_mode Defines how the Identity Provider (IdP) is selected for authenticating a given user.
Available modes:
  • email_address (default): Selects the IdP based on the domain of the user’s email address.
  • lowest_weight: Selects the IdP with the lowest configured weight.
enable_pkce Controls whether Proof Key for Code Exchange (PKCE) is enabled for the authentication flow (disabled by default).
This setting applies to all configured OIDC-based Identity Providers.
---
sso:
  enabled: true|false
  selection_mode: email_address|lowest_weight
  enable_pkce: true|false
  ...

IdP Configuration Structure

To integrate an Identity Provider, you must define its configuration block under the identity_providers section in the CVAT config file. Each provider’s configuration includes both general and protocol-specific settings.

Setting Required Description
id required A unique, URL-safe identifier for the IdP. Used in callback URLs.
name required A human-readable name for the IdP.
protocol required Authentication protocol (OIDC/SAML).
email_domain optional Company email domain (used with email_address selection mode).
weight optional Determines priority (used with lowest_weight selection mode). The default is 10.

Additionally, each IdP configuration must include several protocol-specific parameters.

For OIDC:

  • client_id and client_secret (required): These values can be obtained from the configuration page of the specific provider.

  • server_url (required): The URL used to obtain the IdP OpenID Configuration Metadata.

    NOTE: How to check that server_url is correct: the server_url + /.well-known/openid-configuration endpoint should exist and return OpenID Provider Metadata. Generally, each authentication platform provides a list of all endpoints. You need to find the corresponding endpoint and take the part in front of /.well-known/openid-configuration. For example, when integrating an OIDC Microsoft Entra ID application, don’t forget to specify the second version of the API (https://login.microsoftonline.com/<tenant_id>/v2.0).

  • token_auth_method (optional): The token endpoint authentication method, which can be one of client_secret_basic, client_secret_post. If this field is omitted, a method from the server’s token auth methods list will be used.

For SAML:

  • entity_id (required): The IdP entity ID; it should be equal to the corresponding setting in the IdP configuration.
  • metadata_url (optional): The SAML metadata URL. This can typically be found on the IdP configuration page.
  • x509_cert (optional): The SAML X.509 certificate. It can also be found in the IdP’s configuration. If metadata_url is not specified, this parameter becomes required.
  • sso_url (optional): The SAML endpoint for the Single Sign-On service. It can also be found in the IdP’s configuration. If metadata_url is not specified, this parameter becomes required.
  • attribute_mapping (required): A mapping between user account attributes and attributes sent by the Identity Provider.
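The server_url check from the note above can be scripted against a metadata document you have already fetched. This is an added example, not CVAT code: the function names and the sample document are constructed for illustration, and the issuer comparison follows OpenID Connect Discovery 1.0.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields the authorization code flow depends on (OpenID Connect Discovery 1.0).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Values the token_auth_method setting accepts, as listed above.
ALLOWED_AUTH_METHODS = ("client_secret_basic", "client_secret_post")

# Constructed sample of what a Keycloak realm could return; not real output.
SAMPLE_METADATA = {
    "issuer": "https://sso.example.com/realms/cvat",
    "authorization_endpoint": "https://sso.example.com/realms/cvat/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/cvat/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/cvat/protocol/openid-connect/certs",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
}


def discovery_url(server_url):
    """Build the metadata URL; server_url may already end with the suffix."""
    base = server_url.rstrip("/")
    if base.endswith(WELL_KNOWN):
        base = base[: -len(WELL_KNOWN)]
    return base + WELL_KNOWN


def check_provider_metadata(server_url, metadata, token_auth_method=None):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    base = discovery_url(server_url)[: -len(WELL_KNOWN)]
    if urlsplit(base).scheme != "https":
        problems.append("server_url is not https, so the metadata can be altered in transit")
    for key in REQUIRED_KEYS:
        if not metadata.get(key):
            problems.append(f"metadata has no {key}")
    issuer = metadata.get("issuer")
    # Discovery requires the issuer to equal the URL prefix the document came from;
    # a mismatch usually means the wrong realm, tenant or API version was used.
    if issuer and issuer.rstrip("/") != base:
        problems.append(f"issuer {issuer} does not match server_url {base}")
    if token_auth_method is not None:
        # The spec's default when the list is omitted is client_secret_basic.
        supported = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
        if token_auth_method not in ALLOWED_AUTH_METHODS:
            problems.append(f"token_auth_method {token_auth_method} is not a valid value")
        elif token_auth_method not in supported:
            problems.append(f"token_auth_method {token_auth_method} is not offered by the IdP")
    return problems


if __name__ == "__main__":
    url = "https://sso.example.com/realms/cvat"
    print(discovery_url(url))
    print(check_provider_metadata(url, SAMPLE_METADATA, "client_secret_post"))
```
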

Below are example SSO configuration files for both protocols:

---
sso:
  enabled: true
  selection_mode: email_address
  identity_providers:
    - id: oidc-idp
      protocol: OIDC
      name: OIDC-based IdP
      server_url: https://example.com
      client_id: xxx
      client_secret: xxx
      email_domain: example.com
---
sso:
  enabled: true
  selection_mode: lowest_weight
  identity_providers:
    - id: saml-idp
      protocol: SAML
      name: SAML-based IdP
      entity_id: <idp-entity-id>
      weight: 1
      # specify either metadata_url, or both sso_url and x509_cert
      metadata_url: http://example.com/path/to/saml/metadata/
      sso_url: <Login URL>
      x509_cert: |
        -----BEGIN CERTIFICATE-----
        certificate content
        -----END CERTIFICATE-----

      attribute_mapping:
        uid: uidAttribute
        email_verified: emailVerifiedAttribute
        email: emailAttribute
        last_name: lastNameAttribute
        first_name: firstNameAttribute
        username: usernameAttribute

More information about OIDC-based and SAML-based IdP configuration expected by Django Allauth can be found here and here respectively.
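The rules in the tables and parameter list above can be checked before CVAT is started, together with the callback URLs that have to be registered at the IdP exactly as CVAT will send them. The sketch below is an added example, not part of CVAT: it works on the already parsed configuration (loading the YAML file is left out), the function names and sample values are constructed, and the reading of "URL-safe" as letters, digits, "-" and "_" is an assumption.

```python
import re

# Assumption: "URL-safe" is read as letters, digits, "-" and "_".
URL_SAFE_ID = re.compile(r"^[A-Za-z0-9_-]+$")
REQUIRED = {
    "OIDC": ("client_id", "client_secret", "server_url"),
    "SAML": ("entity_id", "attribute_mapping"),
}
AUTH_METHODS = (None, "client_secret_basic", "client_secret_post")

# Constructed sample: the parsed form of a config with two providers.
SAMPLE_CONFIG = {"sso": {
    "enabled": True,
    "selection_mode": "email_address",
    "identity_providers": [
        {"id": "oidc-idp", "protocol": "OIDC", "name": "OIDC-based IdP",
         "server_url": "https://example.com", "client_id": "xxx",
         "client_secret": "xxx", "email_domain": "example.com"},
        # No metadata_url here, so sso_url and x509_cert become required.
        {"id": "saml idp", "protocol": "SAML", "name": "SAML-based IdP",
         "entity_id": "https://idp.example.com", "sso_url": "https://idp.example.com/sso",
         "attribute_mapping": {"uid": "uidAttribute", "email": "emailAttribute"},
         "email_domain": "example.org"},
    ],
}}


def validate_sso(config):
    """Return the problems found in a parsed auth config (a dict)."""
    sso = config.get("sso", {})
    problems = []
    mode = sso.get("selection_mode", "email_address")
    if mode not in ("email_address", "lowest_weight"):
        problems.append(f"selection_mode {mode!r} is not a known mode")
    seen = set()
    for idp in sso.get("identity_providers", []):
        idp_id = str(idp.get("id", ""))
        where = f"idp {idp_id!r}"
        if not URL_SAFE_ID.match(idp_id):
            problems.append(f"{where}: id is not URL-safe")
        if idp_id in seen:
            problems.append(f"{where}: id is not unique")
        seen.add(idp_id)
        if not idp.get("name"):
            problems.append(f"{where}: name is required")
        protocol = idp.get("protocol")
        if protocol not in REQUIRED:
            problems.append(f"{where}: protocol must be OIDC or SAML")
            continue
        for key in REQUIRED[protocol]:
            if not idp.get(key):
                problems.append(f"{where}: {key} is required for {protocol}")
        if protocol == "SAML" and not idp.get("metadata_url"):
            for key in ("sso_url", "x509_cert"):
                if not idp.get(key):
                    problems.append(f"{where}: {key} is required without metadata_url")
        if protocol == "OIDC" and idp.get("token_auth_method") not in AUTH_METHODS:
            problems.append(f"{where}: token_auth_method is not a supported value")
        # Flagging this is the example's choice; the setting itself is optional.
        if mode == "email_address" and not idp.get("email_domain"):
            problems.append(f"{where}: email_domain is unset in email_address mode")
    return problems


def idp_side_urls(base_url, idp):
    """URLs to register at the IdP, built from CVAT_BASE_URL and the IdP id."""
    root = f"{base_url.rstrip('/')}/api/auth/{idp['protocol'].lower()}/{idp['id']}"
    if idp["protocol"] == "OIDC":
        return {"redirect_uri": f"{root}/login/callback/"}
    return {"acs": f"{root}/acs/", "metadata": f"{root}/metadata/"}
```

Comparing the output of idp_side_urls with what is entered in the IdP catches the common mismatch between the id in the config file and the id used in the registered redirect or ACS URL.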

Start CVAT

Once the configuration file is created, several environment variables must be exported before running CVAT:

export AUTH_CONFIG_PATH="<path_to_auth_config>"
export CVAT_HOST="<cvat_host>"
# cvat_port is optional
export CVAT_BASE_URL="<http|https>://${CVAT_HOST}:<cvat_port>"

Start the CVAT Enterprise instance as usual.

That’s it! The CVAT login page should now have the Continue with SSO option, allowing users to authenticate using the configured Identity Provider.

Screenshot showing CVAT login page with SSO enabled

4 - Shapes converter

How to perform bulk actions on filtered shapes

The shapes converter is a feature that enables bulk actions on filtered shapes. It allows you to perform mutual conversion between masks, polygons and rectangles.

Note: All shapes converter actions work only when the filter is set up.


Run actions menu

Annotations actions can be accessed from the annotation menu. To access it, click on the burger icon and then select Run actions.

Note: All Shapes converter functions work according to the filter that is set up.

You will see the following dialog:

With the following fields:

Field Description
Select action Drop-down list with available actions:
  • Remove filtered shapes - removes all shapes in alignment with the set-up filter. Doesn’t work with tracks.
  • Propagate shapes - propagates all the filtered shapes from the current frame to the target frame.
  • Shapes converter: masks to polygons - converts all masks to polygons.
  • Shapes converter: masks to rectangles - converts all masks to rectangles in alignment with the set-up filter.
  • Shapes converter: polygon to masks - converts all polygons to masks.
  • Shapes converter: polygon to rectangles - converts all polygons to rectangles.
  • Shapes converter: rectangles to masks - converts all rectangles to masks.
  • Shapes converter: rectangles to polygons - converts all rectangles to polygons.

  Note: only Propagate shapes and Remove filtered shapes are available in the community version.
Specify frames to run action Field where you can specify the frame range for the selected action. Enter the starting frame in the Starting from frame: field, and the ending frame in the up to frame field.

If nothing is selected here or in the Choose one of the predefined options section, the action will be applied to all fields.
Choose one of the predefined options Predefined options to apply to frames. Selection here is mutually exclusive with Specify frames to run action.

If nothing is selected here or in the Specify frames to run action section, the action will be applied to all fields.

    Convert shapes

    Recommended Precautions Before Running Annotation Actions

    • Saving changes: It is recommended to save all changes prior to initiating the annotation action. If unsaved changes are detected, a prompt will advise to save these changes to avoid any potential loss of data.

    • Disable auto-save: Prior to running the annotation action, disabling the auto-save feature is advisable. A notification will suggest this action if auto-save is currently active.

    • Committing changes: Changes applied during the annotation session will not be committed to the server until the saving process is manually initiated. This can be done either by the user or through the auto-save feature, should it be enabled.

    To convert shapes, do the following:

    1. Annotate your dataset.

    2. Set up filters.

    3. From the burger menu, select Run actions.

    4. Choose the action you need from the Select action drop-down list.

    5. (Optional) In the Starting from frame field, enter the frame number where the action should begin, and in the up to frame field, specify the frame number where the action should end.

    6. (Optional) Select an option from Or choose one of the predefined options to apply the action.

    7. Click Run.
      A progress bar will appear. You may abort the process by clicking Cancel until the process commits modified objects at the end of the pipeline.

    Note: Once the action is applied, it cannot be undone.

    Convert shapes video tutorial

    5 - Immediate job feedback

    Quick responses about job annotation quality

    Overview

    The basic idea behind this feature is to provide annotators with quick feedback on their performance in a job. When an annotator finishes a job, a dialog is displayed showing the quality of their annotations. The annotator can either agree or disagree with the feedback. If they disagree, they have the option to re-annotate the job and request feedback again.

    To ensure transparency with the annotator, the immediate feedback shows the computed score and the minimum required score. Information about the specific errors or frames that have errors is not available to annotators.

    Feedback is only available a limited number of times for each assignment, to prevent annotators from revealing the Ground Truth. This is controlled by a configurable parameter, so it can be adjusted to the requirements of each project.

    How to configure

    Immediate feedback settings, such as Target metric, Target metric threshold, Max validations per job and others, can be configured on the quality settings page.

    This feature is considered enabled if the Max validations per job is above 0. You can change the parameters any time.

    Note: This feature requires a configured validation set in the task. Read more in the quality overview section or in the full guide.

    1. Open the task Actions menu > Quality control > Settings

    Configure job validations

    1. Set the Target metric and Target metric threshold values to what is required in your project.
    2. Set Max validations per job to above zero. 3 is a good starting number.
    3. Save the updated settings

    How to receive feedback

    1. Assign an annotator to an annotation job
    2. Annotate the job
    3. Mark the job finished using the corresponding button in the menu
    4. Once the job is completed, you’ll see the job validation dialog

    Each assignee gets no more than the specified number of validation attempts.

    Note: this functionality is only available in regular annotation jobs. For instance, it’s not possible to use it in Ground Truth jobs.

    Available feedback

    There are three types of feedback available for different cases:

    • Accepted
    • Rejected, with an option to fix mistakes
    • Finally rejected when the number of attempts is exhausted

    Additional details

    Immediate feedback has a default timeout of 20 seconds. Feedback may be unavailable for large jobs or when there are too many immediate feedback requests. In this case annotators do not see any feedback dialogs and annotate jobs as if the feature was disabled.

    The number of attempts does not decrease for staff members who have access to a job with ground truth annotations. For instance, if you’re trying to test this feature as the task owner, you may be confused if you see the number of attempts doesn’t decrease.

    The number of attempts resets when the job assignee is updated.

    6 - Segment Anything 2 Tracker

    Accelerating video labeling using SAM2 model

    Overview

    Segment Anything 2 is a segmentation model that allows fast and precise selection of any object in videos or images. For enterprise customers, this model can be installed in their self-hosted solution. To ensure a good experience, it is strongly recommended to deploy the model using a GPU. Although it is possible to use a CPU-based version, it generally performs much slower and is suitable only for handling a single parallel request. Unlike a regular tracking model, the SAM 2 tracker is implemented as an annotation action. This allows it to be applied to existing objects (polygons and masks) to track them forward for a specified number of frames.

    How to install

    Note: This feature is not available in the community CVAT version.

    Note: This feature requires the enhanced actions UI plugin, which is enabled by default. Usually, no additional steps are needed for this.

    Docker

    You can use existing scripts from the community repository (./serverless/deploy_cpu.sh or ./serverless/deploy_gpu.sh). To deploy the feature, simply run:

    ./serverless/deploy_gpu.sh "path/to/the/function"
    

    Kubernetes

    • You need to deploy the Nuclio function manually. Note that this function requires a Redis storage configured to keep the tracking state. You may use the same storage as cvat_redis_ondisk uses. When running the nuclio deploy command, make sure to provide the necessary arguments. The minimal command is:
    nuctl deploy "path/to/the/function" \
      --env CVAT_FUNCTIONS_REDIS_HOST="<redis_host>" \
      --env CVAT_FUNCTIONS_REDIS_PORT="<redis_port>" \
      --env CVAT_FUNCTIONS_REDIS_PASSWORD="<redis_password>" # if applicable
    

    Running on an object

    The tracker can be applied to any polygons and masks. To run the tracker on an object, open the object menu and click “Run annotation action”.

    Alternatively, you can use a hotkey: select the object and press Ctrl + E (default shortcut). When the modal opens, choose Segment Anything 2: Tracker in the “Select action” list:

    Specify the target frame until which you want the object to be tracked, then click the Run button to start tracking. The process begins and may take some time to complete. The duration depends on the inference device, and the number of frames where the object will be tracked.

    Once the process is complete, the modal window closes. You can review how the object was tracked. If you notice that the tracked shape deteriorates at some point, you can adjust the object coordinates and run the tracker again from that frame.

    Running on multiple objects

    Instead of tracking each object individually, you can track multiple objects simultaneously. To do this, click the Menu button in the annotation view and select the Run Actions option:

    Alternatively, you can use a hotkey: just press Ctrl + E (default shortcut) when there are no objects selected. This opens the actions modal. In this case, the tracker will be applied to all visible objects of suitable types (polygons and masks). In the action list of the opened modal, select Segment Anything 2: Tracker:

    Specify the target frame until which you want the objects to be tracked, then click the Run button to start tracking. The process begins and may take some time to complete. The duration depends on the inference device, the number of simultaneously tracked objects, and the number of frames where the object will be tracked.

    Once the process finishes, you may close the modal and review how the objects were tracked. If you notice that the tracked shapes deteriorate, you can adjust their coordinates and run the tracker again from that frame (for a single object or for many objects).

    Tracker parameters

    • Target frame: Objects will be tracked up to this frame. Must be greater than the current frame.
    • Convert polygon shapes to tracks: When enabled, all visible polygon shapes in the current frame will be converted to tracks before tracking begins. Use this option if you need tracks as the final output but started with shapes, produced for example by interactors (e.g. SAM2 or another one).