SAML Single Sign-On (SSO) overview (beta)

Note: This offering is currently in closed beta, available to select Pendo customers for testing. The information that follows isn't a commitment, promise, or legal obligation. The development, release, and timing of any features or functionality described here are subject to change at the discretion of Pendo, which can occur without notice. If you're interested in getting early access and providing feedback, contact your Pendo account representative.

This article provides an overview of SAML SSO, which is an additional paid service that must be enabled for a subscription. For instructions on setting up SAML SSO and how to use it, see Set up SAML Single Sign-On (SSO).

SAML SSO for Pendo

SAML stands for Security Assertion Markup Language, which is a standard for Single Sign-On (SSO). SAML allows your users to sign in to a service provider (SP), such as Pendo, using your enterprise SSO identity provider (IdP) instead of their email and password.

Pendo supports SAML 2.0 for both IdP-initiated and SP-initiated sign-in flows. With an IdP-initiated sign-on, users access Pendo from the IdP. With SP-initiated sign-on, Pendo users sign in through the Pendo login page using the SSO button, and Pendo redirects them to your IdP for authentication. In either case, your IdP is responsible for authorizing users to access Pendo. 

Each IdP has different steps for setting up their platform, and for extracting and uploading metadata. Refer to your IdP for specific instructions. 

Pendo user SSO experience

Pendo users with SAML SSO have multiple options for signing in to Pendo. Users can sign in to Pendo from any of the following:

  • The login URL provided when SAML is configured.
  • Their IdP (IdP-initiated).
  • The Pendo login page (SP-initiated).

The Pendo password page has a Use SSO button, which appears when a user enters an email address with SAML available and not yet required. The SSO button redirects to the IdP to authenticate if necessary. If you don't enforce SAML, users can also use their email and password to sign in.

If you have any issues signing in, see Troubleshoot sign-in issues.

Domain and IdP management

Pendo enforces a one-to-one relationship between a domain and an IdP. You can't use multiple active IdPs for a single domain.

If you have multiple domains, each domain can be managed by a different IdP. You can also use the same IdP to manage multiple verified domains.

Additional configuration options

Pendo can provide additional configuration options in the SAML setup to give you more control over how users access your subscriptions or Pendo overall.

  • IdP-initiated or SP-initiated sign-on. Both options are supported, and you can enforce either as needed.
  • Mandatory SAML use for your subscription or your domain (globally). We can enforce SAML for your domain or for your subscription. Making SSO required on the domain forces users to sign in with SAML regardless of the subscription they belong to. All email domains in the subscription must also have SAML configured.

User provisioning

We don't support automatic user provisioning with Just-in-Time (JIT) provisioning, but we do support SCIM user management for certain IdPs, such as Okta. For other IdPs, Pendo admins must add users to their subscriptions manually. For more information, see Set up SCIM in Pendo.

Glossary of terms

Assertion Consumer Service (ACS) URL or endpoint: Sometimes referred to as the service provider (SP) login URL, this is the endpoint provided by the SP where SAML responses are posted. The IdP redirects the authenticated user to this location after sign-in. The SP must provide this information to the IdP.

Entity ID: The unique identifier of the service provider (SP).

Identity Provider (IdP): A service that manages end-user accounts, analogous to user directories such as LDAP and Active Directory, and can send SAML responses to service providers (SPs) to authenticate end users. Examples: Google, Azure, Okta.

IdP-initiated SSO: A sign-in flow in which the user signs in using a button on the identity provider (IdP), which initiates SAML authentication. The user is forwarded to the Service Provider (SP) with a SAML message containing an assertion to identify the user.

Security Assertion Markup Language (SAML): An XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a service provider (SP). The SAML standard addresses issues that are unique to the SSO solution. See the Wikipedia SAML article for a more detailed explanation.

SAML admin: The contact that manages the provisioning and de-provisioning of end users in the IdP, the assigning of apps, the resetting of passwords, and the overall end-user experience. The SAML admin doesn't have to be the Pendo admin.

Single Sign-On (SSO): A system in which the user signs in to the IdP once, and can then access multiple systems without being prompted to sign in for each one. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign-in. This centralizes access control with the SAML admin.

Service Provider (SP): Generally, a company, such as Pendo, providing organizations with communications, storage, processing, or other services.

SP-initiated SSO: A sign-in flow in which SAML authentication is initiated by the service provider (SP), in this case, Pendo. This is triggered when the end user tries to access a resource in the SP or signs in directly to the SP, typically using an SSO button on the login page.

Subject/Name: The identity of the user authenticated by their identity provider (IdP). In Pendo, this should be the email address used for the user account registration and login.
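As an added example that is not Pendo's code, here is a small Python sketch of the service-provider-side checks that tie the glossary terms together: when the IdP posts a SAML response to the ACS URL (in either the IdP-initiated or SP-initiated flow), the SP confirms that the assertion's Audience is its own Entity ID, that the Recipient is its ACS URL, that the current time is inside the validity window, and that the Subject NameID is the user's email before signing the user in. The endpoints, the assertion and the timestamps are constructed sample values, and XML signature verification is assumed to have been done beforehand by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP configuration (hypothetical values, not Pendo's real endpoints).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"

# Constructed assertion; assumed already signature-verified by the SAML library.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>Alice@Example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC, e.g. 2030-01-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Apply the SP-side checks and return the subject's email (NameID), or raise.
    Audience must equal the SP Entity ID, Recipient must equal the ACS URL, and
    'now' must fall inside the NotBefore/NotOnOrAfter window."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("Recipient is not this SP's ACS URL")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        raise ValueError("NameID must be the user's email address")
    return name_id.strip().lower()  # the SP matches this to the account's email
```

A response that fails any of these checks is rejected before any account lookup, which is why the Entity ID and ACS URL exchanged during setup must match exactly on both sides.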
