SAML single sign-on (SSO) simplifies the login process for you and other users on your Piwik PRO account. It lets you access the account through an identity provider (IdP) of your choice. With SSO, you authenticate once with the credentials managed by your IdP and use that single login for multiple applications, instead of remembering and entering a separate username and password for each one. After you log in to the IdP, you can access all the connected systems without re-entering your credentials every time.
This has several benefits. It improves security because authentication happens in one place: your IdP can enforce password and multi-factor policies for everyone, monitor sign-in activity, and revoke access centrally when someone leaves. Users also have fewer passwords to manage, which means fewer weak or reused ones.
In this article, we’ll guide you through the process of setting up SSO on your Piwik PRO account.
Before you start
Here are some important things to keep in mind before you start:
- Your identity provider (IdP) determines which users can access Piwik PRO. Anyone your IdP allows to sign in to the Piwik PRO application gets an account: when a user successfully logs in for the first time, Piwik PRO will automatically create their user account (unless they have already been invited to your Piwik PRO account). Restrict who is assigned to the application on the IdP side.
- Permissions, groups or roles configured in your IdP aren’t transferred to Piwik PRO. As a result, you have to manually set permissions for each user in Piwik PRO after their account has been created.
Set up and turn on SSO
To set up SAML single sign-on (SSO) on your account, follow these steps:
- Log in to Piwik PRO.
- Go to Menu > Administration.
- Navigate to Account.
- On the left, click Account settings.
- In SAML authentication, click SAML single sign-on setup.
- Copy and paste the metadata URL into your identity provider.
- Choose which part of the SAML response your IdP signs: the assertion, the response, or both (assertion and response). Piwik PRO verifies the signature on the element(s) you select, so this choice must match what your IdP is configured to sign, or the setup test will fail.
- Add SAML details from your identity provider:
- Sign-on URL: Your SAML endpoint. Your provider names this field as: Login URL (Azure), Sign on URL (Okta), SAML 2.0 Endpoint (HTTP) (OneLogin), SSO endpoint (PingOne), SSO URL (Google).
- Issuer: Your identity provider identifier. Your provider names this field as: Azure AD Identifier (Azure), Issuer (Okta), Issuer URL (OneLogin), Issuer ID (PingOne), Entity ID (Google).
- x509 certificate: The public signing certificate of your identity provider, usually available for download in the SAML app settings or in the IdP metadata. Piwik PRO uses it to verify that each SAML response really comes from your IdP and hasn’t been tampered with. If your IdP rotates this certificate, update it here, otherwise logins will stop working.
- Click Test SAML setup and Piwik PRO will check your setup.
- If the setup is correct, a new window will open and you’ll be asked to log in with your identity provider’s credentials. Once that’s done, the window will close.
- When you’re ready, click Turn on.
- All done! Piwik PRO will now log out all users and ask them to use their IdP account to log back in.
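The three IdP values the form asks for (Issuer, Sign-on URL, x509 certificate) are all published in the IdP’s SAML metadata, and the signing option has to match what the IdP actually signs. The following is an added example, not Piwik PRO’s own code, that extracts those values from an IdP metadata document and reports which element of a captured SAMLResponse carries the signature. It uses only the Python standard library; the metadata, the SAMLResponse and the certificate bytes are constructed test data, and the `idp.example.com` names are placeholders.

```python
"""Helpers for filling in the Piwik PRO SAML SSO form from IdP artifacts.

Added example, not Piwik PRO's own code. Standard library only. The
metadata, SAMLResponse and certificate below are constructed test data.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def idp_fields_from_metadata(metadata_xml: str) -> dict:
    """Return Issuer, Sign-on URL per binding and the IdP signing cert as PEM.

    Feed this only metadata you fetched yourself over HTTPS; for XML from an
    untrusted source use defusedxml (the stdlib parser allows entity expansion).
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider")

    # Sign-on URL: IdPs usually publish the same Location for HTTP-Redirect
    # and HTTP-POST, but keep them apart so a difference is visible.
    sign_on_urls = {
        sso.get("Binding").rsplit(":", 1)[-1]: sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
    }

    # x509 certificate: the key the IdP signs with. A KeyDescriptor without
    # "use" serves signing and encryption, so accept it; skip use="encryption".
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)
    if der[:1] != b"\x30":  # a DER Certificate always starts with SEQUENCE
        raise ValueError("X509Certificate is not DER-encoded")
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        "\n".join(textwrap.wrap(cert_b64, 64)))
    return {"issuer": root.get("entityID"), "sign_on_urls": sign_on_urls,
            "x509_certificate_pem": pem}


def signature_location(saml_response_b64: str) -> str:
    """Report which element(s) of a SAMLResponse carry a ds:Signature.

    The result names the option to pick in the Piwik PRO form. This only
    locates signatures; verifying them against the certificate is Piwik PRO's job.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt before inspecting")
    # Only DIRECT children count: a ds:Signature nested deeper signs
    # something else and must not be credited to the parent element.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = (assertion is not None
                        and assertion.find("ds:Signature", NS) is not None)
    if response_signed and assertion_signed:
        return "assertion and response"
    if assertion_signed:
        return "assertion"
    if response_signed:
        return "response"
    return "unsigned"


def _b64(xml: str) -> str:
    """Encode XML the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml.encode()).decode()


# Constructed sample data (not a real IdP, not a real certificate).
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00 constructed, not a real cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_RESPONSE_B64 = _b64(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>""")
```

To use it against your own IdP, pass the metadata XML you downloaded from the IdP to `idp_fields_from_metadata` and paste the returned `issuer`, Sign-on URL and PEM certificate into the form. For the signing option, capture the `SAMLResponse` form field from a test login in your browser’s developer tools and pass it to `signature_location`; the constructed sample above is signed only on the assertion, so the matching option is "assertion".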
Turn off SSO
If you ever need to turn off SSO on your account, you can do so in the settings. Turning it off won’t remove your SAML SSO setup.
To turn off SAML single sign-on (SSO) on your account, follow these steps:
- Log in to Piwik PRO.
- Go to Menu > Administration.
- Navigate to Account.
- On the left, click Account settings.
- In SAML authentication, click SAML single sign-on setup to access its settings.
- Click Turn off at the bottom of the settings.
- Done! Piwik PRO will now log out all users and ask them to use Piwik PRO passwords. If they don’t have a password or forgot it, they can reset it on the login page.
Note: Your SAML SSO setup will remain unchanged. You’ll be able to turn SSO back on at any time.
Delete SAML single sign-on (SSO)
In case you ever want to remove SAML single sign-on (SSO) from your account, you can do so in the settings.
To delete SAML single sign-on (SSO), follow these steps:
- Log in to Piwik PRO.
- Go to Menu > Administration.
- Navigate to Account.
- On the left, click Account settings.
- In SAML authentication, click SAML single sign-on setup to access its settings.
- Click Delete at the bottom of the settings.
- All done! Piwik PRO will now log out all users and ask them to use Piwik PRO passwords. If they don’t have a password or forgot it, they can reset it on the login page.
Note: Your SAML SSO setup will be permanently deleted. If you ever change your mind and decide to re-enable it, you will need to set it up from scratch.