Pigment supports SAML 2.0 Single Sign-On as an alternative login method to a Pigment username and password. This document outlines the options available, setup steps, what to expect and covers frequently asked questions surrounding the SSO topic.
What sign-on methods does Pigment support?
Pigment supports the following:
- A Pigment configured username and password.
- Single Sign-On using SAML 2.0 protocol
- OpenID Connect (OIDC) using Google
What is Single Sign-On (SSO)?
Single Sign-On (SSO) is an authentication method that allows users to access multiple applications and services using a single set of login credentials, eliminating the need to enter separate usernames and passwords for each system. It streamlines the login process and simplifies identity management.
Who Is Eligible For SSO?
SSO is available on all Pigment tiers. All you need is a SAML 2.0 compatible identity provider.
Enabling SSO for your Workspace
To enable SSO for your Workspace, contact the Pigment Support Team. See our guide here, if you’re unsure how to log a ticket.
How to prepare
When you have logged a ticket, Pigment Support will organize a call with you. To ensure a successful setup, please follow these steps:
-
Invite your SSO or identity provider admin: Please have someone from your IT team, usually an identity provider admin, join the call.
-
Ensure a Pigment account holder is present: Make sure you have a Pigment account (usually yourself) available during the call to test with.
-
Provide a list of email domains: Prepare a list of email domains used within your company that may apply to Pigment users.
-
SSO configuration preference: Decide whether you want SSO to be enabled for all users immediately or later on.
What to expect
The setup process is simple and consists of three steps, usually taking up to 30 minutes.
-
On the call: During the call, Pigment will guide your IT team through the setup to ensure everything functions as intended. This involves an exchange of URL, certificate and attribute information required for SAML SSO configuration.
-
Testing your Pigment account: Once the setup is complete, we will ask you to test SSO using any active Pigment account type. It is crucial to confirm that the SSO setup works correctly to prevent any risk of locking your team out of the Workspace.
-
Enabling SSO for the entire Workspace: After successful testing, we'll review your email domains and, with your approval, enable SSO for your entire Workspace. From that point onward, all new and existing users will no longer use their Pigment passwords, but instead, they will access Pigment through SSO.
Good to know
When you enable Single Sign-On (SSO) for your Pigment Workspace, SSO will be enforced for all users under the specified domains in your Workspace settings. Users with matching domains will be required to use SSO for authentication, while those without matching domains can still use password authentication. However, to maintain security and streamline the user experience, we strongly recommend that all users in your Workspace utilize SSO and avoid password logins simultaneously.
We'll ask you on the call if you want to enforce SSO immediately or at a set date/time, if you feel you need more time, let us know and we can enable later upon your request.
FAQs
What identity providers do you support?
All services which offer SAML 2.0. A few examples include: Okta, Microsoft Entra ID (formerly Azure Active Directory), Google Workspace and OneLogin. We support both cloud and on-premise providers. If you require a specific SAML SSO configuration, contact Pigment Support.
Can I use my existing Pigment login credentials with SSO?
When SSO is enabled your old Pigment password will no longer be in use. You’ll instead need to use the password associated with your identity provider’s login.
Is SSO the same as “Sign in with Google” on the Pigment login page?
The “Sign in with Google” feature is a different login method to that covered in this guide. It does not use SAML-based SSO.
Can you support multiple identity providers?
Yes, please make the Pigment Support team aware of this in your support ticket. We can set up multiple identity providers where each provider is responsible for authenticating users within a specific email domain. Domains cannot be shared between multiple identity providers.
Is SSO mandatory, or can users still log in using traditional methods?
SSO is mandatory for all users who use the email domains configured under the SSO configuration in your Workspace settings. It is not recommended to have a hybrid login approach to login on your Workspace, we recommend making SSO mandatory for all users.
What data is exchanged between Pigment and the Identity Provider during SSO?
In addition to the URLs and certificates, Pigment only requires a person’s email address.
Can I use SSO for single sign-out (SSO session termination)?
Single sign-out is not supported at this time.
How can I disable SSO?
Contact Pigment support, they can run you through the process.
Can I use SSO and SCIM provisioning together?
Yes! You will need the correct Pigment tier for SCIM and the setup is self-serve. For more information, see Understanding Pigment's Identity & Provisioning Settings of SCIM and Email Domain Restriction.
Do you support multi-factor authentication (2FA/MFA)?
Pigment does not provide its own MFA service, but does support any built into your identity service for SSO. We recommend centralizing your MFA at the identity provider layer. For more information, see Configure Multi-Factor Authentication (MFA/2FA).
I’m having problems with logging in, what should I do?
Contact Pigment Support, providing as much detail as you can about the number of affected users, their email addresses, and screenshots of any errors.