Enterprise Single-Sign-On (SSO)
Description
Enterprise SSO makes it possible for users to log in to Piano Analytics via their organization's own ID Platform (IdP). A major benefit of using Enterprise SSO is secure access to the Piano Analytics only for verified users from your IdP platform.
We support the simplified connectors for the following IdPs:
Microsoft Azure AD
Google Workspace
Okta Workforce
We also support the following protocols:
OpenID generic (OIDC) - to be preferred
SAML 2.0
Please reach out to our Piano Account representative for more information about pricing for this solution.
Good to know
SSO will be activated on all the email domain names you'll provide for activation. Any user with an email using these domains will be SSO users de facto.
Below is a list of the information you'll to provide for SSO activation, depending on your IdP. Feel free to contact our support team if you need help.
Microsoft Azure AD configuration
You must first register an application on Azure AD with the following information:
type = Application Web
redirect url = https://auth.piano.io/login/callback
Once done, you will need to provide the following information to our support team:
Azure AD domain name
Azure AD Tenant ID
Application's Client ID
Application's Client secret value
Type of tenant (single, multiple tenants,...)
Optional list of secondary email domains for which SSO will be enabled
You will find more information on how to configure Microsoft Azure AD here.
Google Workspace configuration
You will need create and configure your Google application with the following information
Authorized JavaScript origins: https://auth.piano.io/
Authorized redirect URIs: Login to Piano Analytics
Once done, you will need to provide the following information to our support team:
The application Client ID
The application Client Secret
Google Workspace Domain for which SSO will be enabled
Optional list of secondary email domains for which SSO will be enabled
You will find more information on how to configure Google Workspace here.
OpenID generic (OIDC) configuration
You will need create and configure your application with the following information:
Callback URL: https://auth.piano.io/login/callback
Once done, you will need to provide the following information to our support team:
The application Client ID
The application Client Secret
Well-known URL
List of email domains for which SSO will be enabled
You will find more information on how to configure your OpenID here.
Okta Workforce configuration
You will first need to create an application on your Okta tenant. Your application must be created and configured with the following information:
Callback URL: https://auth.piano.io/login/callback
Once done, you will need to provide the following information to our support team:
Okta Domain (domain-name.okta.com or custom domain)
The application Client ID
The application Client Secret
List of email domains for which SSO will be enabled
You will find more information on how to configure Okta Workforce here.
SAML 2.0 configuration
Please provide the metadata URL of your IDP, including this mandatory information:
SAML login URL use for start the exchange between SP and IDP
X.509 certificate used for sign the exchanges from the IDP
You will also need to provide the list of the domain names you'd like to use with SSO.
About Client Secret
You are responsible for the validity of your Client Secret Key and its renewal in case of expiration.
Please contact us at least one month in advance before expiration, or if you plan to make any changes so we can reflect them on your Piano Analytics configuration.
Login
Clients with Enterprise SSO will use one of the below URLs to log in to the respective Piano Product.
Piano Analytics: https://analytics.piano.io/explorer/#/
VX, Composer, ID:
https://dashboard.piano.io/ (US dashboard)
https://dashboard-eu.piano.io/ (EU dashboard)
https://dashboard-au.piano.io/ (Australia dashboard)
https://dashboard-ap.piano.io/ (Asia-Pacific dashboard)
DMP, Insight, CCE: https://login.cxense.com/
Once the Enterprise SSO is activated, a user that is already logged in to your IdP will be automatically redirected on the appropriate URL (see above).
If a user is not already logged in to your IdP, they will be redirected to the IdP login.
API Keys
Since SSO users do not have a password, they need to rely on API Keys to authenticate to external API calls.
Find out more on API Keys.
Emails
The email sender address for user emails, such as registration and password reset, will be updated based on the IdP provider that has been implemented.