SAML Single Sign-On (SSO) Overview

Pendo supports SAML 2.0. This article describes the SAML configuration process for both IdP-initiated and SP-initiated login flows.

Overview

SAML (Security Assertion Markup Language) is a standard for Single Sign-On (SSO). SAML allows your users to sign in to a Service Provider (SP), such as Pendo, using your enterprise SSO Identity Provider (IdP) instead of their email and password.

Your organization can run its own SAML server to authenticate users. You control password strength, two-factor authentication, and access for all of your SAML-enabled SaaS apps in one place.

Users can access Pendo from the IdP-initiated login or with the SSO button (SP-initiated login) on the Pendo login page. Either way, your IdP provides the authorization for users to access Pendo.

Additional configuration options in Pendo SAML setup give you more control over how users access your subscriptions or Pendo overall. Pendo supports IdP or SP-initiated login, mandatory SAML use per subscription, and mandatory SAML use for your domain.

Current SAML certificates are available in Pendo SAML Signing Certificate Update - April 19, 2027. This includes Pendo's SP metadata.

Requirements

SAML authentication has the following requirements:

  • SAML SSO Access included in your current Pendo Contract.
  • A third-party SAML Identity Provider (for example, Google, Okta, OneLogin, Azure).
  • A list of all user ID email domains allowed to access the subscription.
  • A SAML admin able to manage IdP metadata, provide SAML metadata, and make access decisions for the subscription.
  • One IdP per email domain or subdomain.

Configure SAML SSO

SAML SSO is an additional paid service that's enabled for a subscription after your technical SME and Pendo Support share metadata and configure access controls. Each IdP has different steps for setting up their platform, and for extracting and uploading metadata. Refer to your IdP for specific instructions.

The instructions that follow focus on the steps to enable SSO in Pendo. A technical SME familiar with your IdP's platform should be able to complete the setup process. 

1. Ensure that you have SAML SSO Access for your subscription. Contact your Pendo Representative if you need to confirm or add SAML SSO to your contract.

2. Log in to your IdP and download your SAML IdP Metadata XML file or provide the public URL if your provider has one.

3. Send the Metadata XML file or URL and all user ID email domains that will use SSO for your subscription to Pendo Support. Pendo Support then sends you your DNS verification record for you to add to your domain.

4. Add the DNS verification record (proof of control) to your domain. This is required before we can progress with the SAML configuration.

5. Notify Pendo Support when the DNS verification record is updated. Pendo Support then prepares your subscription for SAML and emails you the Pendo SP metadata, which includes your ACS URL, Issuer (entity ID), Default Relay State, and Login URLs.

6. Add the ACS URL and Issuer ID to your IdP. Default Relay State might be optional for your provider.

7. Notify Pendo Support when ACS URL and Issuer ID are updated. Pendo finishes the configuration and activates SSO.

We can make SSO required per domain or per subscription. Making SSO required on the domain forces users to sign in with SAML regardless of the subscription they belong to. All email domains in the subscription must also have SAML configured.

Contact Pendo Support if you need any of the following additional options activated.

  • Disable email and password login for users in the subscription. Users can still use SAML to sign in.
  • Disable email and password login for users with your domain to any subscription. Users can still use SAML to sign in.
  • Set SAML in the subscription and require globally for the domain for higher security.

Invite Users to Pendo with SAML SSO

Users must be manually added to the Pendo subscription to authenticate with your IdP. Pendo administrators can add users by navigating to Settings > Users and selecting + New User.

The email must match the email used by the IdP exactly. This is case sensitive.

If the subscription requires SAML, the user profile is added to the list of Pendo users when you select Add User and submit the form. The user is authenticated with the IdP automatically and doesn't need to accept the invitation email to be granted access.

If you configure but don't yet require SAML (aren't forcing your users to sign in with SAML SSO), the user must provide a password to complete the setup. Once they've successfully added their account, they are given the option to sign in with SAML from the password page.

Sign in with SSO

Pendo users with SAML SSO have multiple options for logging into Pendo. Users can access Pendo from either:

  • Their Identity Provider.
  • The login URL provided when SAML is configured.
  • The Pendo login page (SP-initiated).

The Pendo login page has an SSO button, which appears when a user enters an email address with SSO available and SAML not yet required. The SSO button redirects to the IdP to authenticate if necessary. If SAML isn't required, users can also use their email and password to log in.

Troubleshooting

Entity ID is already in use

Entity IDs must be globally unique in an IdP. Occasionally, another vendor has already been set up to use the expected Entity ID. 

Contact Pendo Support to get a different Entity ID.

SSO button on the login page doesn't work.

Until SAML is set as required, users can sign in with the Use Single Sign-On button on the password page. If the SSO button doesn't work, SAML might not be fully configured for your subscription yet. 

If your subscription has already been configured for SAML, confirm that your access hasn't changed with the SAML SSO administrator at your organization.

If your subscription has SAML, your user profile is still active, and the SSO button still doesn't work, contact Pendo Support.

I don't see an SSO button on the password page.

If SAML has been configured, but you've not been invited to Pendo, you won't see the SSO button. SAML must be configured for your subscription and the domain of the email address used in the user ID must be known to Pendo.

If your SAML configuration doesn't require SAML to sign in, you might be able to use your user ID and password instead. 

If SAML is required, you bypass the password page and no longer need to use the SSO button. The SSO button is typically only visible when testing whether SAML is set up correctly.

Contact Pendo Support if you need SAML configured for the domains for the subscription.

I use Google as my SAML provider but the “Sign In with Google” button doesn't work.

The Sign In with Google button is for OAuth access to Pendo using your Google credentials.

OAuth is not the same as SAML and is mutually exclusive. You must sign in using the Google application (IdP-initiated) or enter your email address to be redirected to your Google SAML login page.

If you prefer to use the Sign In with Google button, contact Pendo Support to have your login method changed to require Google OAuth SSO instead of SAML.

"Unauthorized" error page when I use IdP-initiated login

The domain of the email address used in the Visitor ID must be known to Pendo. Pendo confirms that the domain of the Visitor ID is on a list of allowed domains for that subscription, in addition to authenticating the user with the SAML response.

The user must be added to Pendo as well as the IdP. Check that your subscription administrator invited you to the subscription and that you accepted the invitation.

Additionally, the email address used in the assertion for the user name must match what is defined in Pendo. Check that your access hasn't changed and that the name matches what is defined in Pendo with the SAML SSO Administrator at your organization.

Another possibility is that the domain that the user is attempting to sign in to isn't associated with a SAML provider and the subscription requires SAML. Contact Pendo Support to add the domain to the SAML-authorized domains for the subscription.
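The three checks described in this section (domain on the subscription's allow-list, user invited, exact case-sensitive email match), modelled in code. This is an added example and not Pendo's implementation; the subscription data and addresses are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Subscription:
    allowed_domains: set  # domains verified and SAML-enabled for this subscription
    users: set            # email addresses invited via Settings > Users


# Constructed sample subscription (placeholder values, not real data).
SAMPLE_SUB = Subscription(
    allowed_domains={"example.com"},
    users={"Jane.Doe@example.com"},
)


def authorize_saml_subject(name_id: str, sub: Subscription) -> tuple:
    """Decide whether the Subject of an already-verified SAML assertion may access
    the subscription. Returns (allowed, reason). The email comparison is deliberately
    exact and case-sensitive, as the article describes."""
    if "@" not in name_id:
        return False, "Subject/NameID is not an email address"
    domain = name_id.rsplit("@", 1)[1]
    if domain not in sub.allowed_domains:
        return False, f"domain {domain} is not on the subscription's SAML-authorized domains"
    if name_id not in sub.users:
        # A case-only mismatch is a common cause; report it so the admin can fix the invite.
        folded = {u.lower(): u for u in sub.users}
        if name_id.lower() in folded:
            return False, f"user not found: case mismatch, Pendo has {folded[name_id.lower()]!r}"
        return False, "user has not been added to the subscription"
    return True, "ok"
```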

Frequently Asked Questions

Can I use multiple IdPs for my domain?

No. Pendo currently allows a single IdP to manage a domain. Pendo has a one-to-one association for IdP to domain. If you have multiple domains, each domain can have a different IdP to manage that domain or subdomain. You can also use the same IdP to manage multiple verified domains.

Do you support automatic users provisioning with Just in Time (JIT) or System for Cross-domain Identity Management (SCIM)?

We don't support JIT or SCIM user management. Pendo admins must add the user to their subscriptions manually.

Why am I being asked to add the domain verification record?

You must add a DNS verification record to your domain to validate that you own the domain to be managed by your IdP. This is also sometimes called proof of control. A DNS verification record must be added to each domain and subdomain used in your subscriptions.

An example of the record would be:

example.com TXT "pendo-domain-verification=0d40b867-1518-4660-b155-58158f1c3e4c"

What do I need to share when I am asked for my IdP’s metadata?

IdPs should provide a plain text XML file that can be shared with Pendo. This should be included with your support request to configure SAML.

Some providers, such as Okta and Azure, provide a public URL that points to your metadata. You can share this instead of downloading the file.

Why are my users asked to add a password if I have SAML configured?

If SAML is configured but not yet required, or if it hasn't been set to be required for another reason, new user invitations still require users to add a password.

Users see a “Use Single Sign On” button on the login page after they've completed registering their ID. Once the subscription is set up to require SAML, this isn't required.

Does Pendo allow a backdoor email address in case my SAML connection is unavailable?

No. If you have SAML required and your connection fails, contact Pendo Support to either assist in correcting the issue or temporarily disable the SAML requirement to allow email and password login instead. 

Glossary of terms

Assertion Consumer Service (ACS) URL or endpoint

Sometimes referred to as the Service Provider (SP) login URL, this is the endpoint provided by the SP where SAML responses are posted. The SP must provide this information to the IdP.

Identity Provider (IdP)

A service that manages end-user accounts, analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Examples: Google, Azure, Okta.

IdP-initiated SSO

A login flow in which the user signs in using a button on the Identity Provider (IdP), which initiates SAML authentication. The user is forwarded to the Service Provider (SP) with a SAML message containing an assertion to identify the user.

Security Assertion Markup Language (SAML)

An XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and Service Provider (SP). The SAML standard addresses issues that are unique to the SSO solution. See the Wikipedia SAML article for a more detailed explanation.

Security Assertion Markup Language (SAML) admin

The contact that manages the provisioning and de-provisioning of end users in the IdP, the assigning of apps, the resetting of passwords, and the overall end-user experience. The SAML admin doesn't have to be the Pendo admin.

Single Sign-On (SSO)

A system in which the user signs in to the IdP once, and can then access multiple systems without being prompted to sign in for each one. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. This centralizes access control to the SAML admin.

Service Provider (SP)

Generally, a company, such as Pendo, providing organizations with communications, storage, processing, or other services.

SP-initiated SSO

A login flow in which SAML authentication is initiated by the Service Provider (SP), in this case, Pendo. This is triggered when the end user tries to access a resource in the SP or signs in directly to the SP, typically using an SSO button on the login page.

Subject/Name

The identity of the user authenticated by their Identity Provider (IdP). In Pendo, this should be the email address used for the user account registration and login.