Set up SAML single sign-on (SSO)

Administration

Enterprise plan

Available from 18.0.0

Needed permissions: owner

SAML single sign-on (SSO) simplifies the login process for you and other users on your Piwik PRO account. It allows you to access the account through an identity provider (IdP) of your choice. With SSO, you can use the same login credentials (username and password) to log in to multiple applications. There’s no need to remember or enter separate login information for each application. You only need to log in once, and then you can access all the connected systems without re-entering your credentials every time.

This has several benefits. It improves security because users have fewer passwords to remember. It also helps in enforcing security policies, monitoring user activity and revoking access when necessary.

In this article, we’ll guide you through the process of setting up SSO on your Piwik PRO account.

Before you start

Here are some important things to keep in mind before you start:

  • Your identity provider (IdP) determines which users can access Piwik PRO. When a user successfully logs in for the first time, Piwik PRO will automatically create their user account (unless they have already been invited to your Piwik PRO account).
  • Permissions set in SSO aren’t automatically transferred to Piwik PRO. As a result, you have to manually set permissions for users in Piwik PRO.

Set up and turn on SSO

To set up SAML single sign-on (SSO) on your account, follow these steps:

  1. Log in to Piwik PRO.
  2. Go to Menu > Administration.
  3. Navigate to Account.
  4. On the left, click Account settings.
  5. In SAML authentication, click SAML single sign-on setup.
  6. Copy and paste the metadata URL into your identity provider.

    Note: Your IdP's documentation may help with this step: ADFS, Google, Azure AD, Okta, OneLogin and PingOne.

  7. Choose how the SAML response from your IdP is signed. The options are assertion, assertion and response, or response. Piwik PRO uses the option you choose to verify the signature.
  8. Add SAML details from your identity provider:
    • Sign-on URL: Your SAML endpoint. Providers name this field: Login URL (Azure), Sign on URL (Okta), SAML 2.0 Endpoint (HTTP) (OneLogin), SSO endpoint (PingOne), SSO URL (Google).
    • Issuer: Your identity provider identifier. Providers name this field: Azure AD Identifier (Azure), Issuer (Okta), Issuer URL (OneLogin), Issuer ID (PingOne), Entity ID (Google).
    • X.509 certificate: A certificate from your SAML identity provider that is used to establish secure communication between the identity provider and Piwik PRO.
  9. Click Test SAML setup and Piwik PRO will check your setup.
  10. If the setup is correct, a new window will open and you’ll be asked to log in with your identity provider’s credentials. Once that’s done, the window will close.
  11. When you’re ready, click Turn on.
  12. All done! Piwik PRO will now log out all users and ask them to use their IdP account to log back in.
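
To check which signing option in step 7 matches what your IdP actually sends, and that the Issuer in the response equals the value entered in step 8, you can inspect a captured base64-encoded SAML response. This is an added example, not Piwik PRO code; the function names, the issuer URL and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(b64_response, expected_issuer):
    """Report where signatures sit and whether every Issuer matches.
    Structural check only: no signature is cryptographically verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)  # encrypted assertions are not inspected
    # An enveloped signature is a direct child of the element it covers.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions)
    if response_signed and assertion_signed:
        option = "assertion and response"
    elif assertion_signed:
        option = "assertion"
    elif response_signed:
        option = "response"
    else:
        option = None  # nothing signed: none of the three options applies
    issuer_nodes = [n.find("saml:Issuer", NS) for n in [root] + assertions]
    issuers = {n.text.strip() for n in issuer_nodes if n is not None and n.text}
    return {"signing_option": option, "issuers": sorted(issuers),
            "issuer_matches": issuers == {expected_issuer}}

def build_sample(sign_response, sign_assertion, issuer="https://idp.example.test/saml"):
    """Constructed sample with empty ds:Signature placeholders (not real signatures)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
           '<saml:Issuer>%s</saml:Issuer>%s'
           '<saml:Assertion><saml:Issuer>%s</saml:Issuer>%s</saml:Assertion>'
           '</samlp:Response>') % (NS["samlp"], NS["saml"], issuer,
                                   sig if sign_response else "",
                                   issuer, sig if sign_assertion else "")
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    for flags in [(False, True), (True, True), (True, False), (False, False)]:
        result = inspect_saml_response(build_sample(*flags), "https://idp.example.test/saml")
        print(flags, result["signing_option"], result["issuer_matches"])
```

A result of `None` for the signing option means the IdP sent nothing signed, so the IdP configuration needs fixing before any of the three options can work.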

Turn off SSO

If you ever need to turn off SSO on your account, you can do so in the settings. Turning it off won’t remove your SAML SSO setup.

To turn off SAML single sign-on (SSO) on your account, follow these steps:

  1. Log in to Piwik PRO.
  2. Go to Menu > Administration.
  3. Navigate to Account.
  4. On the left, click Account settings.
  5. In SAML authentication, click SAML single sign-on setup to access its settings.
  6. Click Turn off at the bottom of the settings.
  7. Done! Piwik PRO will now log out all users and ask them to use Piwik PRO passwords. If they don’t have a password or forgot it, they can reset it on the login page.

    Note: Your SAML SSO setup will remain unchanged. You’ll be able to turn SSO back on at any time.

Delete SAML single sign-on (SSO)

In case you ever want to remove SAML single sign-on (SSO) from your account, you can do so in the settings.

To delete SAML single sign-on (SSO), follow these steps:

  1. Log in to Piwik PRO.
  2. Go to Menu > Administration.
  3. Navigate to Account.
  4. On the left, click Account settings.
  5. In SAML authentication, click SAML single sign-on setup to access its settings.
  6. Click Delete at the bottom of the settings.
  7. All done! Piwik PRO will now log out all users and ask them to use Piwik PRO passwords. If they don’t have a password or forgot it, they can reset it on the login page.

    Note: Your SAML SSO setup will be permanently deleted. If you ever change your mind and decide to re-enable it, you will need to set it up from scratch.
