|
| 1 | +--- |
| 2 | +title: Single Sign-On (SSO) |
| 3 | +--- |
| 4 | + |
| 5 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 6 | + |
| 7 | +Enterprise subscribers have an option to configure Single Sign-On (SSO) integration for their team. |
| 8 | + |
| 9 | +SSO gives a way to access Plausible without having to create a separate account and keep track of another set of credentials. This is possible by first logging in to identity provider (IdP) - be it Google, Okta, Microsoft (Entra) or other - and accessing Plausible and other services supporting SSO through it. As long as login at identity provider is valid, it's possible to access Plausible using e-mail matching the identity from the provider. |
| 10 | + |
| 11 | +Our SSO implementation is SAML 2.0 compliant and user accounts are provisioned just in time. It should be compatible with almost every identity provider as SAML 2.0 protocol is widely supported. |
| 12 | + |
| 13 | +:::tip What is SAML? |
| 14 | +**Security Assertion Markup Language (SAML)** is an XML-based protocol for secure exchange of information between an authority (Identity Provider or IdP) and a consumer (Service Provider or SP - in this case, us). |
| 15 | +::: |
| 16 | + |
| 17 | +## How it Works |
| 18 | + |
| 19 | +Once SSO is configured and prospective user has a valid identity created at identity provider of team's choice, they can log in using a dedicated login form. |
| 20 | + |
| 21 | +<img alt="SSO Login Form" src={useBaseUrl('img/sso-login-form.png')} /> |
| 22 | + |
| 23 | +After inputting the e-mail, they are redirected to identity provider's portal. The provider validates their identity if they haven't authenticated there yet or uses the already validated identity from logged in session. The identity information (e-mail, name) is then securely sent back to Plausible. That's when the user is provisioned in Plausible. |
| 24 | + |
| 25 | +### Provisioning |
| 26 | + |
| 27 | +When somebody logs in, we first look for an existing member of a team with matching e-mail and configured SSO integration. If a match is found, we log them in as that user. If not, we create a new user on the fly and add them as a member in a team with a configured SSO domain matching email's domain. The member's role will have a default team role assigned. The default role is Viewer, but can be changed. |
| 28 | + |
| 29 | +User logging in through identity provider can only belong to a single team. Matching team with identity is done by looking up identity's email domain among configured SSO domains. Every SSO domain must be unique - the same domain cannot be associated with more than one team at once. |
| 30 | + |
| 31 | +### Security |
| 32 | + |
| 33 | +When SSO is configured for the team for the first time, existing team members can still access it using e-mail and password. However, once they log in using identity provider, their account becomes SSO-only and from that point on they can no longer access Plausible using standard credentials. Standard and SSO users can co-exist on the same team as long as "Force SSO" configuration option is disabled. |
| 34 | + |
| 35 | +Once "Force SSO" is enabled, only SSO users are allowed to access the team. If there are still standard users among members, they are locked out of the team until they provision their account through identity provider. |
| 36 | + |
| 37 | +There's an exception made for Owners who keep the ability to log in using e-mail and password even after logging in through identity provider for troubleshooting configuration or malfunctioning identity provider. They, however, are forced to enable 2FA even before "Force SSO" can be enabled for improved security. |
| 38 | + |
| 39 | +With SSO not being enforced right away it's possible to configure and transition existing team to SSO without risking major disruptions. |
| 40 | + |
| 41 | +### Other |
| 42 | + |
| 43 | +- **Changing name and e-mail of your SSO account**: The name and e-mail address can only be updated via identity provider. |
| 44 | +- **SSO initiated from IdP**: Identity providers often support starting login directly from their portal. While this is sometimes convenient, we explicitly do not support it for security reasons. Users must always start signing in from Plausible's login form. |
| 45 | + |
| 46 | +## Configuring SSO |
| 47 | + |
| 48 | +Before starting configuration, make sure you have created a team and subscribed it to a plan enabling SSO. |
| 49 | + |
| 50 | +The configuration process consists of four major stages: |
| 51 | + |
| 52 | +1. [Initiating SSO Setup in Plausible](#initiating-sso-setup-in-plausible) |
| 53 | +2. [Configuring SAML SSO in Identity Provider](#configuring-saml-sso-in-identity-provider) |
| 54 | +3. [Finishing SAML SSO Setup in Plausible](#finishing-saml-sso-setup-in-plausible) |
| 55 | +4. [Enabling SSO Enforcement](#enabling-sso-enforcement) |
| 56 | + |
| 57 | +### Initiating SSO Setup in Plausible |
| 58 | + |
| 59 | +- Go to the "**Configuration**" section of "**Single Sign-On**" under "**Team Settings**" |
| 60 | + |
| 61 | + <img alt="Starting SSO configration" src={useBaseUrl('img/sso-start-config.png')} /> |
| 62 | + |
| 63 | +- Click "**Start Configuring SSO**" button |
| 64 | + |
| 65 | + <img alt="SSO configration parameters for IdP" src={useBaseUrl('img/sso-sp-config-params.png')} /> |
| 66 | + |
| 67 | +- Open identity provider's dashboard and follow further instructions |
| 68 | + |
| 69 | +### Configuring SAML SSO in Identity Provider |
| 70 | + |
| 71 | +The configuration procedure varies significantly from provider to provider. We provider instructions for the most common ones below. |
| 72 | + |
| 73 | +- [Google Workspaces](#configuring-google-workspaces) |
| 74 | +- Okta |
| 75 | +- Microsoft Entra (Azure) |
| 76 | + |
| 77 | +#### Configuring Google Workspaces |
| 78 | + |
| 79 | +TBD |
| 80 | + |
| 81 | +### Finishing SAML SSO Setup in Plausible |
| 82 | + |
| 83 | +- Go back to "**Configuration**" section of "**Single Sign-On**" under "**Team Settings**" and click "**Start Configuring**" |
| 84 | + |
| 85 | + <img alt="SSO configration parameters for IdP" src={useBaseUrl('img/sso-sp-config-params.png')} /> |
| 86 | + |
| 87 | +- Fill the form with parameters obtained after configuring identity provider and click "**Save**" |
| 88 | + |
| 89 | + <img alt="SSO configration parameters for SP" src={useBaseUrl('img/sso-idp-config-params.png')} /> |
| 90 | + |
| 91 | +- Enter domain name used in e-mail addresses of identities that should be allowed to log in to this team through SSO and click "**Add Domain**" |
| 92 | + |
| 93 | + <img alt="Adding SSO domain" src={useBaseUrl('img/sso-add-domain.png')} /> |
| 94 | + |
| 95 | +- Verify ownership of the domain using one of three methods. After publishing updated page or DNS record, click **Continue** |
| 96 | + |
| 97 | + <img alt="Verifying SSO domain" src={useBaseUrl('img/sso-verify-domain.png')} /> |
| 98 | + |
| 99 | +- Scroll to "**SSO Domains**" and wait until "**Status**" changes to "validated". |
| 100 | + |
| 101 | + <img alt="Pending SSO domain" src={useBaseUrl('img/sso-domains-table-pending.png')} /> |
| 102 | + |
| 103 | + :::tip Validation taking too long? |
| 104 | + You can click "**Cancel**" at any time and then click "**Verify**", optionally review verification instructions and then kick off verification again by clicking "**Run Verification Now**" |
| 105 | + ::: |
| 106 | + |
| 107 | +- Once the verification succeeds, the domain is marked as verified |
| 108 | + |
| 109 | + <img alt="Verified SSO domain" src={useBaseUrl('img/sso-domains-table-verified.png')} /> |
| 110 | + |
| 111 | +From that point on, SSO should be fully functional and it should be possible to log in using an identity email configured at identity provider. |
| 112 | + |
| 113 | +### Enabling SSO Enforcement |
| 114 | + |
| 115 | +While this step is not strictly necessary to use SSO, it's pretty crucial in ensuring only members provisioned through identity provider have access to the team. |
| 116 | + |
| 117 | +SSO enforcement can be enabled from "**SSO Policy**" section of SSO configuration. |
| 118 | + |
| 119 | + <img alt="SSO policy with force SSO disabled" src={useBaseUrl('img/sso-policy-disabled.png')} /> |
| 120 | + |
| 121 | +There are conditions that have to be met before "Force Single Sing-On" can be enabled though. |
| 122 | + |
| 123 | +- At least one SSO domain must be verified |
| 124 | +- At least one user must have successfully logged in through identity provider |
| 125 | +- All Owners must have 2FA enabled |
| 126 | + |
| 127 | +:::tip What if not all Owners can enable 2FA at the time of setup? |
| 128 | +It might happen in a team with multiple Owners that some might be away and not able to enable 2FA right away. One way to resolve this is temporarily changing their role to "**Admin**". Once they are back, they can log in through identity provider, enable 2FA and ask to have their role changed back to "**Owner**". |
| 129 | +::: |
| 130 | + |
| 131 | +If any of those conditions are not met, the switch is disabled and the reason is outlined once you hover over it. |
| 132 | + |
| 133 | + <img alt="SSO policy with force SSO disabled and a tooltip" src={useBaseUrl('img/sso-policy-disabled-tooltip.png')} /> |
| 134 | + |
| 135 | +Once all conditions are met and you enable enforcement, logging in through identity provider will be the only way to access the team. |
| 136 | + |
| 137 | +:::tip Owners can still use standard login in case of emergency |
| 138 | +Providing this fallback is important to provide a way to resolve issues with misconfigured or malfunctioning identity provider. Please note, however, that Owners must still log in at least once through identity provider in order to access the team with "**Force Single Sign-On**" enabled. |
| 139 | +::: |
0 commit comments