SAML Single Sign-On (SSO) Overview

Overview

SAML (Security Assertion Markup Language) is a standard for SSO (Single Sign-On). SAML allows your users to sign in to a Service Provider (SP), in this case Pendo, using your enterprise SSO Identity Provider (IdP) instead of their email and password.

Your organization can run its own SAML server to authenticate users. You control password strength, two-factor authentication, and access for all of your SAML-enabled SaaS apps in one place. Users can access Pendo from the Identity Provider (IdP-initiated login) or with the SSO button (SP-initiated login) on the Pendo login page. Either way, your IdP provides the authorization for users to access Pendo.

Additional configuration options in Pendo SAML setup give you more control over how users access your subscriptions or Pendo overall. Pendo supports IdP or SP-initiated login, mandatory SAML use per subscription, and mandatory SAML use for your domain.

Current SAML certificates are available in Pendo SAML Signing Certificate Update - April 19, 2027.

 

Requirements

  • SAML SSO Access included in current Pendo Contract
  • Third-party SAML Identity Provider (for example Google, Okta, OneLogin, Azure)
  • List of all user ID email domains allowed to access the subscription
  • SAML Admin able to manage IdP metadata and make access decisions for the subscription

 

Configure SAML SSO

SAML SSO is an additional paid service that is enabled for a subscription after your technical SME and Pendo Support share metadata and configure access controls. Each Identity Provider has different steps for setting up their platform and extracting and uploading metadata. Refer to your Identity Provider for specific instructions. These instructions focus on the necessary steps to enable SSO in Pendo. The setup process is straightforward and should not take long for a technical SME familiar with your Identity Provider's platform.

 

1. Confirm that you have SAML SSO Access for your subscription. Contact your Pendo Representative if you need to confirm or add SAML SSO to your contract.

2. Log in to your Identity Provider and download your SAML IdP Metadata XML file.

3. Send the Metadata XML file and all user ID email domains that will use SSO for your subscription to Pendo Support.

4. Pendo Support prepares your subscription for SAML and emails you the Pendo SP metadata which includes your ACS, Issuer, and Login URLs.

5. Add the ACS URL and Issuer URL to your Identity Provider.

6. Notify Pendo Support when the ACS and Issuer URLs are updated. They will finish configuration and activate SSO. Tell Support if you need either of these additional options activated:

  • Require SAML for Subscription - Disables Email and Password login for users in the subscription
  • Require SAML for Domain - Disables Email and Password login for users with your domain to any subscription

 

Invite Users to Pendo with SAML SSO

Users must be manually added to the Pendo subscription to authenticate with your Identity Provider. Pendo administrators can add users from the Users page in Settings. The email must match the email used by the Identity Provider exactly. This is case sensitive.

If the subscription requires SAML, the user profile is added to the list of Pendo users when you click Invite User and submit the form. The user is authenticated with the Identity Provider automatically and does not need to accept the invitation email to be granted access.

 

Login with Single Sign-On

Pendo users with SAML SSO have multiple options for logging into Pendo. They can access Pendo from their Identity Provider or from the login URL provided when SAML is configured. The Pendo login page has a Single Sign-On button which appears when a user enters an email address with Single Sign-On available. The SSO button redirects to the Identity Provider to authenticate if necessary. If SAML isn't required, users can also use their email and password to log in.

 

FAQ

Do you support SAML 2.0?

Yes.

 

The Single Sign-On button on the Login page doesn't work.

SP-initiated login may not be configured for your subscription yet. All subscriptions with SSO have IdP-initiated login. Log in using your Identity Provider until your subscription is updated for SP-initiated login.

If your subscription has already been configured for IdP and SP-initiated login, check with the SAML SSO Administrator at your organization and confirm that your access has not changed.

If your subscription has IdP and SP-initiated login and your user profile is still active, contact Pendo Support.

 

Why don't I see an SSO button on the Pendo Login page?

SP-initiated login must be configured for your subscription and the domain of the email address used in the user ID must be known to Pendo. You may still be able to log in using your user ID and password if your SAML configuration allows it.

Contact Pendo Support to add the domain to the SAML-authorized domains for the subscription.

 

Why do I see an "unauthorized" error page when I use IdP-initiated login?

The domain of the email address used in the user ID must be known to Pendo. Pendo confirms that the domain of the user ID is on a list of allowed domains for that subscription, in addition to authenticating the user with the SAML response.

Check with the SAML SSO Administrator at your organization and confirm that your access has not changed.

Contact Pendo Support to add the domain to the SAML-authorized domains for the subscription.
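
The two checks this page describes, the allowed-domain list and the exact, case-sensitive email match, can be run against an export of IdP NameID values before users reach an "unauthorized" page. This is an added example, not Pendo's code; the function name, the sample addresses, and the case-insensitive, exact-match domain comparison are assumptions.

```python
# Constructed sample data; example.com and the addresses are placeholders.
ALLOWED_DOMAINS = ["example.com"]
PENDO_USERS = {"alice@example.com", "bob@example.com"}
IDP_NAME_IDS = ["alice@example.com", "Bob@example.com", "carol@example.org",
                "dave@example.com", "eve@example.com.example.net", "no-at-sign"]


def preflight(name_ids, pendo_users, allowed_domains):
    """Map each IdP NameID to the outcome the rules on this page imply."""
    # Assumption: domains compare case-insensitively (as DNS names do) and must
    # match a listed domain exactly, so a look-alike suffix or subdomain fails.
    allowed = {d.lower() for d in allowed_domains}
    folded = {u.casefold(): u for u in pendo_users}
    report = {}
    for name_id in name_ids:
        local, _, domain = name_id.partition("@")
        if not local or not domain or "@" in domain:
            report[name_id] = "invalid: NameID is not a single email address"
        elif domain.lower() not in allowed:
            report[name_id] = "unauthorized: domain is not on the allowed list"
        elif name_id in pendo_users:
            report[name_id] = "ok"
        elif name_id.casefold() in folded:
            # The page states that the email match is case sensitive.
            report[name_id] = f"case mismatch: Pendo has {folded[name_id.casefold()]}"
        else:
            report[name_id] = "not invited: add the user on the Users page in Settings"
    return report
```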

 

Do you support automatic user provisioning with Just in Time (JIT) or System for Cross-domain Identity Management (SCIM)?

We do not support JIT or SCIM user management. Pendo Admins need to add the user to their subscriptions manually.

 

Glossary

  • ACS URL - Assertion Consumer Service URL or ACS Endpoint, often referred to simply as the SP login URL. This is the endpoint provided by the SP where SAML responses are posted. The SP needs to provide this information to the IdP.

  • SAML Admin - This contact manages the provisioning and deprovisioning of end users in the IdP, the assigning of apps, the resetting of passwords, and the overall end user experience. This does not necessarily have to be the Pendo Admin.

  • IdP - Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Examples: Google, Azure, Okta.

  • IdP-initiated SSO - Identity Provider Initiated Single Sign-On. SAML authentication is initiated by the Identity Provider. In this flow, the Identity Provider initiates a SAML Response which is redirected to the Service Provider to assert the user’s identity.

  • SAML - Security Assertion Markup Language. SAML is an XML-based standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider. The SAML standard addresses issues unique to the Single Sign-On solution, and defines three roles: the end user, the IdP, and the SP. See the Wikipedia SAML article for a more detailed explanation.

  • SP - Service Provider, in this case Pendo. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services.

  • SP-initiated SSO - Service Provider Initiated Single Sign-On. SAML authentication is initiated by the Service Provider. This is triggered when the end user tries to access a resource in the Service Provider or log in directly to the Service Provider, typically using a Single Sign-On button on the login page.

  • SSO - Single Sign-On. In an SSO system, a user logs in once to the IdP and can access multiple systems without being prompted to sign in for each one. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. This centralizes access control to the SAML Admin.

  • Subject/Name - The identity of the user authenticated by their IdP. In Pendo, this should be the email used for the user account registration and login.