Description
Enterprise SSO makes it possible for users to log in to Piano Analytics via their organization's own Identity Provider (IdP). A major benefit of using Enterprise SSO is that access to Piano Analytics is restricted to users verified by your IdP.
Please reach out to your Piano Account representative for more information about pricing for this solution.
SSO Activation
To activate the SSO feature, please reach out to the support team with the following information:
- One domain or a list of domains that will use SSO
- The type of SSO connection:
  - SAML 2.0 generic connector
  - OpenID generic connector
  - Microsoft Azure AD
  - Google Workspace
  - Okta Workforce
SAML 2.0
If the SSO connection type is SAML 2.0, please provide:
- Your IdP metadata
We will then provide an XML metadata file to add to your Identity Provider (and additional information if needed).
OpenID
If the SSO connection type is OpenID, please provide:
- Your client_id (identifier dedicated to the app and used by Piano Analytics to log in)
- Your secret_client (secret provided by your Identity Provider and used by Piano Analytics to log in)
- Your OpenID Connect configuration URL given by your provider, in this format: https://{oauth-provider-hostname}/.well-known/openid-configuration
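A pre-flight check you can run on the discovery document before sending the configuration URL to support. This is an added example, not Piano's code: the host idp.example.com and both sample documents are constructed, and the rules applied are those of OpenID Connect Discovery 1.0.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields that OpenID Connect Discovery 1.0 marks as REQUIRED in the document.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def check_discovery(config_url, document):
    """Return a list of problems; an empty list means every check passed."""
    url = urlsplit(config_url)
    if (url.scheme != "https" or url.query or url.fragment
            or not config_url.endswith(WELL_KNOWN)):
        return ["configuration URL must be https and end in " + WELL_KNOWN]
    try:
        meta = json.loads(document)
    except ValueError:
        return ["document is not valid JSON"]
    if not isinstance(meta, dict):
        return ["document is not a JSON object"]
    problems = ["missing required field: " + key for key in REQUIRED if key not in meta]
    # The issuer must be the prefix the configuration URL was built from
    # (a trailing slash on the issuer is dropped before the suffix is appended).
    expected = config_url[: -len(WELL_KNOWN)]
    issuer = meta.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") != expected.rstrip("/"):
        problems.append("issuer %r does not match %r" % (issuer, expected))
    for key in ENDPOINTS:
        if key in meta and urlsplit(str(meta[key])).scheme != "https":
            problems.append(key + " is not an https URL")
    return problems

# Constructed sample data (hypothetical provider idp.example.com).
URL = "https://idp.example.com/.well-known/openid-configuration"
GOOD = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Same document with a foreign issuer and a plain-http token endpoint.
BAD = GOOD.replace('"https://idp.example.com"', '"https://other.example.net"') \
          .replace("https://idp.example.com/token", "http://idp.example.com/token")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

In practice, fetch the document from the configuration URL yourself and pass the response body as `document`.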
Microsoft Azure AD
If the SSO connection type is Microsoft Azure AD, please provide:
- Your Azure AD domain name
- The application Client ID
- Your Azure AD Tenant ID
- The application Client Secret value (this information is sensitive, and should only be shared via a secure channel)
- The type of tenant (single/multiple tenants…)
Google Workspace
If the SSO connection type is Google Workspace, please provide:
- Your Google Workspace domain
- The application Client ID
- The application Client Secret value (this information is sensitive, and should only be shared via a secure channel)
Okta Workforce
Start by creating an application on your Okta tenant that uses this callback URL: https://auth.piano.io/login/callback
After the creation of the application on your Okta tenant, please provide:
- Okta Domain (e.g. domain-name.okta.com)
- The application Client ID
- The application Client Secret
- List of email domains for which SSO needs to be enabled
Good to know
SSO will be activated on all the email domain names you provide for activation. Any user with an email address on one of these domains will be an SSO user de facto.
Login
Clients with Enterprise SSO will use one of the URLs below to log in to the respective Piano product.
- Piano Analytics: https://explorer.atinternet-solutions.com
- VX, Composer, ID:
  - https://dashboard.piano.io/ (US dashboard)
  - https://dashboard-eu.piano.io/ (EU dashboard)
  - https://dashboard-au.piano.io/ (Australia dashboard)
  - https://dashboard-ap.piano.io/ (Asia-Pacific dashboard)
- DMP, Insight, CCE: https://login.cxense.com/
Once Enterprise SSO is activated, a user who is already logged in to your IdP will be automatically redirected to the appropriate URL (see above).
If a user is not already logged in to your IdP, they will be redirected to the IdP login.
API Keys
Since SSO users do not have a password, they need to rely on API Keys to authenticate external API calls.
Find out more on API Keys.
Emails
The email sender address for user emails, such as registration and password reset, will be updated based on the IdP that has been implemented.