Get started with SSO for Control Center

📘

Single sign-on (SSO) is only available to customers who have purchased it. Contact your Pismo representative for more information.

An optional package allows clients to add Single Sign-On (SSO) authentication to Control Center for a fee. This gives you the ability to have your organization’s users sign in to Pismo Control Center through an Identity Provider (IdP) using a single set of credentials. Pismo supports SSO with the Security Assertion Markup Language (SAML) 2.0 protocol. Any identity provider that supports SAML 2.0 works with Pismo. The advantage of this is that your IdP acts as a trusted service that manages user accounts and their authentication.

How SSO with SAML works with Control Center

This is the basic log in and authentication flow when a user accesses the Pismo Control Center with SAML SSO configured:

  1. User navigates to Control Center to log in using SSO.
  2. User enters their email address and Control Center determines if this email domain uses an SSO profile to authenticate. If the email domain has a rule to use SSO, the SAML request for login is sent to the identity provider (IdP).
  3. User logs in to the IdP.
  4. The IdP prepares a SAML response and sends it to the user's browser.
  5. The IdP posts the SAML response to Control Center, and the user is directed to their unique Control Center homepage.

Configure SSO for SAML

🚧

Before you start your configuration, you must ensure your IdP supports SAML 2.0.

If you are unfamiliar with SSO or SAML, refer to the Terms to know section before proceeding with the configuration steps.

Step 1: Set up your identity provider (IdP)

  1. Log in to your IdP admin console—access your IdP (e.g., Okta, OneLogin, Entra ID, Google Workspace, etc.).

  2. Create a new SAML application—create an application in your IdP that represents the relationship between Control Center and your IdP.

    1. Navigate to the console section where you can add a new application.
    2. Select SAML-based authentication.

  3. Configure basic application settings.

    1. Provide a name and description for the SAML application.

    2. Optionally, upload a logo for easier identification.

    3. Configure the SAML settings (the actual layout of this screen depends on your chosen IdP):

    4. Enter the URL provided by Pismo where Control Center will receive SAML assertions from the IdP into the Single Sign-On URL (Assertion Consumer Service URL) field.
      Note: this URL is unique to each environment (one for production, one for test, and so on).

    5. Enter the Audience URI (SP Entity ID) provided by Pismo. This is a unique identifier for the service provider (the application a user wants to access—in this case, Pismo Control Center), often a URL or a URN.
      Note: this URL or URN is unique to each environment (one for production, one for test, and so on).

    6. Define the Name ID Format (for example, email address).

  4. Map attributes (e.g., email, first name, last name) from the IdP to the SP. The following attributes are required:

    • Username—email address (string)
    • Given name—full name, first name, or nickname of the user (string)
    • Email address—user email address (string)

  5. Download the IdP metadata and SAML certificate—download and save the IdP metadata XML file. This is required for the Control Center configuration.

Step 2: Send IdP configuration information to Pismo

You must send the IdP metadata XML file you downloaded in the previous step to Pismo. Do this through a secure Enhanced File Transfer (EFT).

  1. Pismo will send you an email invite to register to the EFT. Note: If you are already registered, connect to the online EFT Portal.
  2. Log in to your account using the email account and password you created when you registered to the EFT.
  3. Select the Shared with Me folder and then select the folder that was shared with you by Pismo.
  4. Upload the metadata XML file.

Finalize the configuration in the IdP

Once Pismo receives the metadata file, we will complete your configuration and notify you when the system is ready to test. Once you are notified that configuration is complete, do the following:

  1. Test the configuration.
    1. Ensure that user attributes are correctly mapped.
    2. Perform a test login to verify that SSO is working as expected.
  2. Enable SSO for users.
    1. Once testing is successful, notify Pismo and we will enable SSO for your users in your email domain.
    2. Add users into your IdP (refer to the next section for special considerations when creating users with SSO).
    3. Provide necessary documentation or training to your end-users on how to use SSO.
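The values entered in Step 1 (ACS URL, Audience URI, Name ID format, required attributes) are exactly what Control Center checks in the assertion, so a quick pre-flight check of a SAML response from your IdP helps with the "ensure that user attributes are correctly mapped" test step. This is an added example, not Pismo's code: the ACS URL, SP Entity ID and attribute names are placeholders (substitute the values Pismo sent for your environment), and it does not verify the XML signature, which Control Center does with the certificate from your IdP metadata.

```python
# Added example, not Pismo's code. ACS_URL, SP_ENTITY_ID and the attribute names
# are placeholders; substitute the values Pismo sent for your environment.
# Signature verification is not done here (Control Center does that).
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://control-center.example.test/saml/acs"      # placeholder
SP_ENTITY_ID = "urn:example:pismo-control-center:test"        # placeholder
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"username", "givenname", "email"}           # assumed names

def check_saml_response(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the response matches."""
    problems = []
    assertions = ET.fromstring(xml_text).findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    # Recipient must be the ACS URL for this environment (test vs production).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the ACS URL")
    # Audience must be the SP Entity ID (Audience URI) for this environment.
    audiences = {e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not include the SP Entity ID")
    # Name ID format must be the one chosen in the IdP (email address here).
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # All three required attributes must be mapped by the IdP.
    present = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"required attribute missing: {m}" for m in sorted(REQUIRED_ATTRS - present)]
    return problems

# Constructed, unsigned sample response; "givenname" is deliberately left out.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Subject>
   <saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="username"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Running `check_saml_response(SAMPLE)` reports only the missing `givenname` attribute; a response from the wrong environment fails the Recipient or Audience check before any attribute is considered.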

Considerations for creating users with SSO integration

There are some specific considerations for Control Center administrators when creating users with SSO integration. The main thing to keep in mind is that while you must initially create all your users in your IdP, you must manage Control Center users and user roles from the Control Center.

If you have a user in your IdP but you haven’t created a user for that person in the Control Center, this is what happens when they log into the Control Center for the first time using SSO:

  1. When a person without a defined user account in Control Center logs into Control Center for the first time, a user account is automatically created using Just-in-Time (JIT) provisioning from SAML.
  2. Since the newly created user does not yet have a role assigned, they will not have permissions to see anything in Control Center on their initial login. They will be directed to a page telling them to reach out to their company's Control Center admin to have roles assigned.
  3. As the company Control Center admin, you must log in to Control Center to assign the appropriate roles to the user.
  4. The next time the user logs into Control Center, they will have the correct access.

User deletion and revoking access to Control Center

Control Center users are not synced with users in your IdP. Therefore, Pismo is not notified when user access is revoked in your IdP, so user deletion for Control Center is a two-step process.

First, you must revoke user access in your IdP. If users try to log in to Control Center again through SSO after their current session expires, Pismo revokes their access but does not delete the user.

Next, you need to delete the user in Control Center to remove the user, so that the user does not count towards your user account limit. Note that users that were created in Control Center before the integration was turned on will still be shown as users in Control Center even if you never granted them access in your IdP.

Terms to know

Identity Provider (IdP)
  An Identity Provider is a trusted service that stores and authenticates a user’s identity.

Service Provider
  The application a user wants to access, such as Pismo Control Center.

Security Assertion Markup Language (SAML)
  SAML is an open standard authentication protocol that you can use to implement SSO in your Control Center org. SAML allows identity providers and service providers to securely exchange user information, enabling user authentication between services.

SAML Assertion
  A SAML assertion, which is part of a SAML response, describes a user by asserting facts, like username or email address. During authentication, the identity provider signs the SAML assertion, and the service provider validates the signature.

SAML Request
  When a user attempts to access the service provider, the service provider sends a SAML request asking the identity provider to authenticate the user.

SAML Response
  To authenticate the user, the identity provider sends a SAML response to the service provider. The response contains a signed SAML assertion with facts about the user.