Set up SAML Single Sign-On (SSO)

Warning: The following instructions allow you to configure SAML SSO for the first time without help from Pendo Support. If you have one or more existing SAML SSO configurations that you want to add to or edit, contact Pendo Support instead.

This article describes how to set up and use SAML (Security Assertion Markup Language) Single Sign-On (SSO) for signing in to Pendo.

SAML is a widely adopted standard for enabling SSO. In Pendo, SAML allows users to authenticate through your organization's identity provider (IdP), instead of using a traditional email and password. 

For an overview of SAML SSO, including a glossary of terms, see SAML Single Sign-On (SSO) overview.

Prerequisites

SAML authentication has the following requirements:

  • SAML SSO access included in your current Pendo contract. Contact your Pendo representative if you need to confirm or add SAML SSO to your contract.
  • A SAML Identity Provider (for example, Okta).
  • A list of all user ID email domains allowed to access the subscription.
  • A SAML admin who's able to manage IdP metadata, provide SAML metadata, and make access decisions for the subscription.

Step 1. Verify your domain with Pendo

Before you can add your SSO configuration to Pendo, you must verify your domain to show that you own it. You can only assign a SAML configuration to a verified domain, which means you can't complete the SAML SSO setup until you've verified one or more domains that you want to use. For instructions, see Verify your domain.

Step 2. Create a SAML application in your IdP

Sign in to your IdP and create a SAML application for Pendo. Doing this creates an integration that allows Pendo to connect to your IdP for authentication.

The process for creating a SAML application can vary depending on your IdP. Check your IdP marketplace for a pre-configured SAML application for Pendo. If this is unavailable, create a generic SAML 2.0 application instead.

During setup, you must provide service provider (Pendo) metadata, including the ACS URL and Entity ID. For details about these settings, see the Glossary of terms in the SAML Single Sign-On (SSO) overview.

Pendo's SAML SP metadata file is available in Pendo SAML metadata and certificates. For steps on how to input Pendo's metadata into your IdP, refer to your IdP's documentation.

The SP Entity ID must be globally unique within your IdP. If another vendor is already set up to use the same Entity ID as Pendo, you might get a message stating that the Entity ID is already in use. To get a different Entity ID, contact Pendo Support.

Step 3. Obtain XML metadata

IdPs provide a plain-text XML file that can be shared with Pendo during the configuration process (Step 4). Some providers, such as Okta and Azure, provide a public URL that points to your metadata. You can share this instead of downloading the file. Depending on how you want to share your XML metadata with Pendo, either:

  • Copy the public URL if your provider has one (preferred).
  • Download your SAML IdP metadata XML file.

Step 4. Configure SAML SSO in Pendo

When your domain is verified, indicated by a status of Active in the Domain verification table in organization settings, add your SSO configuration to Pendo:

  1. In Pendo, go to Settings > Organization settings.
  2. Open the SSO tab.
  3. Select + Add new configuration.
  4. Use the Domain dropdown menu to select the domain that you verified in Step 1.
  5. Select your IdP.
  6. Select how you want to share your metadata XML with Pendo, which can be either:
    • URL (preferred), which is provided by your IdP.
    • Metadata (XML), which is an XML file that you download from your IdP.
  7. Optionally, select Sign AuthNRequest according to your business needs and policies.
  8. Enter a Technical contact. This should be an email address for someone or a team that manages the IdP at your organization. 
  9. Select Save configuration. The configuration is added to the SAML Configurations table in the SSO tab. 
  10. Verify that the configuration is set up correctly by attempting to sign in on another browser. If you can't sign in, modify the configuration and repeat the process from steps 4 to 10, ensuring that you have the most up-to-date metadata XML file from your IdP.

If you or other users can't sign in, or if you can't set up the configuration correctly, contact Pendo Support.

If you need any of the following additional options activated, contact Pendo Support. For information about these options, see SAML Single Sign-On (SSO) overview.

  • Enforce SAML for the subscription to turn off email and password login for users. Users can only use SAML to sign in.
  • Turn off email and password login for users with your domain to any subscription. Users within the domain use SAML to sign in, and users outside the domain can use email and password to sign in.
  • Enforce SAML in the subscription and enforce globally for the domain for higher security.

Step 5. Invite users to Pendo with SAML SSO

Users must be manually added to the Pendo subscription to authenticate with your IdP. Pendo administrators can add users by navigating to Settings > Users and selecting + New User. The username in Pendo must match the username in the IdP, including case sensitivity.

If the subscription requires SAML, the user profile is added to the list of Pendo users when you select Add User and submit the form. The user is authenticated with the IdP automatically and doesn't need to accept the invitation email to be granted access.

If you configure but don't yet enforce SAML (aren't forcing your users to sign in with SAML SSO), the user must provide a password to complete the setup. After they've successfully added their account, they're given the option to sign in with SAML from the password page.
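
Because the Pendo username must match the IdP username including case, and only the allowed email domains should be invited, a pre-flight comparison of the invite list against an IdP user export catches sign-in failures before they happen. The following is an added example, not Pendo's code; the function name, list formats and sample addresses are assumptions constructed for illustration.

```python
def audit_invites(pendo_usernames, idp_usernames, allowed_domains):
    """Classify each username to be invited to Pendo against the IdP's user list."""
    idp_exact = set(idp_usernames)
    # Case-folded index, used only to explain why an exact match failed.
    idp_folded = {}
    for name in idp_usernames:
        idp_folded.setdefault(name.casefold(), name)
    allowed = {d.casefold() for d in allowed_domains}
    report = {"ok": [], "case_mismatch": [], "not_in_idp": [], "domain_not_allowed": []}
    for name in pendo_usernames:
        domain = name.rpartition("@")[2].casefold()
        if domain not in allowed:
            report["domain_not_allowed"].append(name)
        elif name in idp_exact:
            report["ok"].append(name)  # exact, case-sensitive match
        elif name.casefold() in idp_folded:
            # Same user, different case: record the IdP's spelling to use instead.
            report["case_mismatch"].append((name, idp_folded[name.casefold()]))
        else:
            report["not_in_idp"].append(name)
    return report

# Constructed sample data.
INVITES = ["Ana@example.com", "bo@example.com", "cy@example.com", "dee@other.test"]
IDP_EXPORT = ["ana@example.com", "bo@example.com"]
ALLOWED = ["example.com"]

if __name__ == "__main__":
    for status, names in audit_invites(INVITES, IDP_EXPORT, ALLOWED).items():
        print(status, names)
```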
