Single Sign-on (SSO)

Updated

Organizations that need enhanced security requirements can configure their Customer.io account to use Single Sign-on (SSO).

 To enable/disable SSO for your account, you must be an Account Admin.

How to set up SSO

The process for configuring SSO will depend on your specific identity provider (IdP). Customer.io has dedicated integrations with the following providers and protocols:

Frequently Asked Questions

What is OpenID Connect and how does it differ from SAML?

OpenID Connect is a security standard for logging into applications, built on the OAuth 2.0 protocol. It uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choice, such as scopes and endpoint discovery. It is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps. Learn more about OpenID Connect.

Security Assertion Markup Language - SAML - is also a widely used authentication protocol for logging into apps but built on the SAML 2.0 specification.

Unlike OpenID Connect, SAML allows you to include various attributes in the SAML statement sent to the SaaS application based on the mapping of attributes in your Identity Provider (IdP).

How do I require 2FA with SSO?

When you use SSO with Customer.io, you must enable 2FA within your identity provider. (Before you can enable SSO in Customer.io, you must disable Customer.io’s 2FA feature.)

I’m able to log in with Google. Is that the same as Google SSO?

No, it is not. “Log in with Google” is an option on the Customer.io sign-in page to quickly and securely log in, but team members can still use their email and password during sign-in. To block team members from signing in with an email/password, you must enable Google SSO on the Account Security page.

Manage team members

How do I add a new team member to my account after enabling SSO?

For most integrations, you’ll need to add/remove team members from your IdP and add/remove them from Customer.io. Your team members must have matching email addresses across Customer.io and your IdP.

However, when you set up a SAML integration and enable SCIM, team members you add or remove from your IdP will automatically be added or removed from Customer.io. You can only manage roles and permissions within Customer.io.

In either case, a new team member will receive an email prompting them to log in. They won’t need to set a password, just enter their email into the Customer.io login page.

Is there any sync between my Identity Provider (IdP) and the team member list in Customer.io?

By default, no. You have to maintain access in both your IdP and Customer.io. However, if you enabled SCIM 2.0 on a SAML integration, your team member list will update based on those added and removed from your IdP automatically.

Keep in mind, you can only manage roles and permissions within Customer.io. Make sure your team members have the right access.

Can I manage team member roles through my Identify Provider (IdP)?

It’s not possible to define a user’s permissions via your IdP. You can only manage a user’s permissions in Customer.io. Manage team permissions

Reach out to support at win@customer.io if you’re still experiencing issues with enabling SSO.

I have two (or more) Customer.io accounts. Can I link both to my Identity Provider (IdP) account?

Yes, you can, by adding two Customer.io applications within your IdP account. Repeat the steps that apply to your provider for each Customer.io account. Make sure the usernames in each app in your IdP match the corresponding usernames in Customer.io: Account Settings > Team Members.

How do I force an account to log out?

To invalidate someone’s active sessions in your Customer.io account, delete the team member from Account settings > Team Members.

Do you support SLO?

We do not support Single Logout (SLO) - the ability for someone to log out of one application which triggers a log out from all applications using the same credentials. For instance, your team member can’t log out of Customer.io and then trigger a log out of Salesforce.

SSO with Google

If you are using G Suite to manage your company email, then you can enable Google SSO in your Customer.io account. You must:

  • Have a G Suite account (public @gmail.com email accounts cannot set up SSO),
  • Have an Account Admin role in Customer.io, and
  • Disable “Require 2FA” for your Customer.io account.

 Sign in with Google

We support SSO for people with gmail.com addresses or custom domains for organizations with Google Workspace accounts (formerly G Suite). You must follow these steps to set up organizational SSO with Google Workspace. In either case, once you connect your Google account, you must sign in with Google.

After setup is complete, members of your account will immediately be logged out and will need to log in again using their Google-managed email address.

To enable SSO with Google:

  1. Log in to your Customer.io account and navigate to Account Settings > Security > Enable Single Sign-On.
  2. Choose Google SSO.
  3. At the bottom of the page, click Sign in with your Google account. This will open a Google authorization window asking you to choose the account you’d like to use with Customer.io. Make sure to choose the email account used by you and your team to log in — anyone with a different Google email domain will not be able to log in.

 Check your team email addresses!

After Google SSO is enabled, only team members in your company G Suite account will be able to log in. Any team members with an external email address will not be able to log in until their emails are updated in Customer.io.

SSO with Okta

Requirements

To configure SSO with Okta, you must have:

  • an existing Okta account,
  • an Account Admin role in Customer.io, and
  • Disable “Require 2FA” for your Customer.io account.

Supported Features

This implementation supports User Authentication. After a team member is added to your Customer.io account, they’ll be asked to authenticate with Okta in order to log in.

No other features (i.e. profile sync, provisioning, etc.) are supported at this time.

Okta SSO Configuration Steps

Setting up Okta SSO with Customer.io is a two-step process. You’ll first add the Customer.io Application to your Okta account. Then, you’ll configure your Customer.io security settings to connect to Okta.

 After setup is complete, team members will be immediately required to re-login to Customer.io using their Okta credentials. Their current work may be interrupted.

Part 1: Add Customer.io Application to Okta

  1. Add Customer.io to your Okta account by going to your Applications page, clicking Browse App Catalog and searching for Customer.io.
    okta-sso-add.png
    okta-sso-add.png
  2. On the opened page, click Add to install the Customer.io integration.
    okta-sso-add.png
    okta-sso-add.png
  3. You’ll be asked to provide an Application label (Customer.io) and configure whether the application should display to users or auto-submit with the browser plugin. Select your preference and click Next (these can be changed later).
    okta-sso-add-application-step-1.png
    okta-sso-add-application-step-1.png
  4. Next, you’ll see Step 2: Sign-On Options. Select OpenID Connect and click Done.
    okta-sso-add-application-step-2.png
    okta-sso-add-application-step-2.png
  5. After you click Done, the application will be added to your Okta org and is ready to be assigned to your team members. Click Assign to add the team members or groups who will be accessing Customer.io, including yourself!
    okta-sso-add-people.png
    okta-sso-add-people.png
  6. Once you’ve added People, keep the Okta window open and move to Step 2 below.

Part 2: Configure Okta SSO in Customer.io

  1. Open a new window and get ready to set up SSO in your Customer.io account. Log in to Customer.io and navigate to the Security page of Account Settings.
  2. On the Security page, select Configure SSO.
  3. Select Okta SSO with OpenID Connect to show the configuration settings.
  4. In the Configuration form, enter the following information:
    1. Okta Organization URL: This can be found in your Okta dashboard header and typically follows the format of https://[companyname].okta.com. Learn more about Okta Org URLs.
      okta-organization-url.png
      okta-organization-url.png
    2. Okta Application Client ID and Client Secret: Go back to your Okta window and look for the Client ID and Client Secret on the Sign On tab of the Customer.io Application.
      okta-client-keys.png
      okta-client-keys.png
  5. Click Authenticate your Okta account to confirm the connection and enable SSO.
  6. Once the connection is authenticated, you’ve successfully enabled SSO for you and your team members.

SSO with Microsoft Azure

Requirements

To configure SSO with Azure, you must:

  • Have an existing Azure account
  • Have an Account Admin role in Customer.io, and
  • Disable “Require 2FA” for your Customer.io account

Register a new app

You can find more info on setup in Microsoft Azure’s Quick Start Guide.

  1. Log into your Microsoft Azure account and go to Microsoft Entra ID.
    On the Azure landing page, there are three horizontal sections. The top section is titled Welcome to Azure! Below that is Azure services. And below that is Resources. Under Welcome to Azure, the second item from the left reads Manage Microsoft Entra ID with a button labeled View. Under Azure services, the second item from the left is Microsoft Entra ID, which you can also click to start setting up Azure SSO.
    On the Azure landing page, there are three horizontal sections. The top section is titled Welcome to Azure! Below that is Azure services. And below that is Resources. Under Welcome to Azure, the second item from the left reads Manage Microsoft Entra ID with a button labeled View. Under Azure services, the second item from the left is Microsoft Entra ID, which you can also click to start setting up Azure SSO.
  2. On the Overview page, click Add at the top and select App registration.
    On the left hand navigation, Overview is selected at the top. The first button on the top menu of the Overview page reads Add. This is selected and shows a dropdown. The last item of the dropdown is App registration.
    On the left hand navigation, Overview is selected at the top. The first button on the top menu of the Overview page reads Add. This is selected and shows a dropdown. The last item of the dropdown is App registration.
  3. Enter a display Name for your application. This helps you distinguish between your registered apps in Azure. This will not appear in Customer.io.
    The name is OpenID for customer.io. The selected account type is accounts in this organization directory only. No redirect URI is provided at the bottom of the form.
    The name is OpenID for customer.io. The selected account type is accounts in this organization directory only. No redirect URI is provided at the bottom of the form.
  4. Click Register to complete initial setup.

Configure your app

  1. To finish configuring your registered app, go to Authentication > Add a platform.
    Authentication is selected on the left hand menu. The button Add a platform is the first button on the page.
    Authentication is selected on the left hand menu. The button Add a platform is the first button on the page.
  2. Select Web.
  3. Add this redirect URI: https://fly.customer.io/oauth2/redirect.
  4. Select Configure.

Add credentials

  1. Select Certificates & secrets > Client secrets > New client secret.

    Certificates and secrets is selected in the left hand menu. The button New client secret is located under the tab Client secrets.
    Certificates and secrets is selected in the left hand menu. The button New client secret is located under the tab Client secrets.

  2. Enter a Description for your secret. Change the Expiration time period if you need.

     Keep track of your expiration timeline

    Customer.io doesn’t know when your client secret will expire. You’ll need to track your client secret’s expiration date outside Customer.io to maintain a smooth sign-in process

  3. Select Add.

    1. Your client secret is under Value.

  4. Keep your Microsoft Azure account open to finish integrating with Customer.io.

Finish setup in Customer.io

  1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
  2. Select Azure SSO with OpenID Connect.
    Below the selection of Azure SSO are three fields to fill in before you can authenticate your configuration.
    Below the selection of Azure SSO are three fields to fill in before you can authenticate your configuration.
  3. Back in Microsoft Azure AD, select Overview from the left hand menu.
    1. Then click Endpoints from the top menu. Copy the OpenID Connect metadata document and paste into Azure Issuer URL in Customer.io. The URL should follow this pattern: https://login.microsoftonline.com/{tenant_id}/v2.0/well-known/openid-configuration.
    2. Copy the Application/Client ID and paste into Azure Application Client ID in Customer.io.
  4. In Microsoft Azure AD, select Certificates & Secrets.
    1. Copy the Value of your client secret and paste into Azure Application Client Secret in Customer.io. Your configuration will not authenticate if you use the Secret ID; make sure you use the Value.
  5. In Customer.io, select Authenticate your Microsoft Azure account. You will be prompted to sign in using Azure. You will see a success banner upon completion or information to help you remedy any issues in your configuration.

SSO with OpenID

You can enable SSO for providers beyond Google, Okta, and Azure using our generic OpenID SSO option in Account Settings. OpenID SSO works with any provider that is compliant with OpenID Connect, such as OneLogin and Auth0.

On the Single Sign-on integration page, there are 4 options. The option for openid sso with openid connect is selected.
On the Single Sign-on integration page, there are 4 options. The option for openid sso with openid connect is selected.

Requirements

Like with other IdPs, these are the general requirements to get started:

  • Have an existing account with the provider
  • Have an Account Admin role in Customer.io, and
  • Disable “Require 2FA” for your Customer.io account

Set up OpenID SSO

  1. Configure your IdP:
    1. Register your app with your IdP.
    2. Configure the app.
    3. Create a client secret.
    4. Set up the login URL and redirect URI to send a user to the correct place after your identity provider verifies your users’ identities. The image below is an example from OneLogin.
  2. Set up your Customer.io account:
    1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
    2. Select OpenID SSO with OpenID Connect.
    3. Fill in the following using the equivalent fields in your IdP:
      • OpenID Configuration Documentation URL
      • Client ID
      • Client Secret
    4. Select Authenticate. You’ll be prompted to sign in using your IdP. You will see a success banner upon completion or information to help you remedy any issues in your configuration.

SSO with SAML

You can enable SSO for some providers using our SAML option in Account Settings. We’ve tested our solution with a variety of providers. The table below shows the providers we’ve tested and whether or not they work with Customer.io.

Because our solution complies with the SAML 2.0 specification, it may work with other providers. Contact us if you need help with a specific provider.

ProviderSupported
Cloudflare
JumpCloud
OktaSee Set up SAML for Okta
Google
Azure
Auth0Not Tested
On the Single Sign-on integration page, there are 5 options. The option for SAML is selected.
On the Single Sign-on integration page, there are 5 options. The option for SAML is selected.

Requirements

To get started, you must

  • Have an existing account with an identity provider
  • Have an Account Admin role in Customer.io, and
  • Disable “Require 2FA” for your Customer.io account

Set up SAML

If you use Okta, see “Set up SAML for Okta” below. Otherwise,

  1. Register your app with your IdP.
    1. Set SAML Subject NameID Format to email address, just like the NameID.
  2. Set up your Customer.io account:
    1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
    2. Select SAML 2.0.
    3. Paste in the Metadata URL from the equivalent field in your IdP.
    4. Select Generate your SAML SSO metadata.
  3. Finish configuring your IdP:
    1. Copy these fields from Customer.io and paste them into the corresponding fields in the SSO app you just made in your IdP:
      • Service Provider (SP) Entity ID
      • ACS URL
    2. Click Export SP Certificate in Customer.io then upload this to SP Certificate in your SSO app.
    3. Save your changes.

Provision access

After you’ve set up SAML SSO, decide how you want to manage team member access:

  1. Add your colleagues to both your IdP and Customer.io for them to successfully log into Customer.io or
  2. Set up System for Cross-domain Identity Management (SCIM) 2.0 provisioning so you only have to add/remove team members from your IdP

In either case, your team members must log in from Customer.io, not from within your IdP.

 We do not support Just-in-Time (JIT) provisioning.

Set up auto-provisioning

After authenticating your SSO provider, you can set up SCIM 2.0 provisioning to automate the management of your team members in Customer.io. Once enabled, you can automatically add and remove team members in Customer.io when they are added or removed from your identity provider.

  1. In Account Settings, go to your authenticated identity provider and click Enable SCIM 2.0.
  2. In your IdP, enable SCIM. The following instructions are for JumpCloud specifically, but apply across all SSO providers we support:
    1. Go to Applications > Identity Management > Configuration Settings.
    2. Choose SCIM API under API Type.
    3. Choose SCIM 2.0 under SCIM Version.
    4. Copy the Base URL and Token from Customer.io and paste them into the corresponding fields in your IdP.
    5. Enter a valid email address for your SSO under Test User Email. For the test to work, this address cannot already be a team member in Customer.io.
    6. Click Test Connection in the upper right. The test user will be created and deleted from Team Members in Customer.io.
    7. Toggle OFF Group Management; this is not supported through Customer.io’s implementation.
    8. Under Attribute Mapping, click exclude for passwords.
    9. Set the following fields and click include to the right of each:
      • UserName = Company Email
      • Name.FamilyName = Last Name
      • Name.GivenName = First Name
  3. Click Activate in the top right. SCIM 2.0 is now enabled on your account!
  4. Back in Customer.io, go to Team Members and you’ll see the users you’ve provisioned in your IdP. Change their roles and permissions from this screen; their level of access is managed within Customer.io, not your IdP.

Login

After you provision access for your team members, they must:

  1. Accept the invite email from Customer.io to join your account
  2. Go to Customer.io and log in; team members cannot log into Customer.io from within your IdP.

Set up SAML for Okta

To set up SAML for Okta, reach out to our support team for assistance.

Disable SSO

 Disabling SSO will affect all of your team members

After you disable SSO, we log your team members out which may interrupt their work and cause them to lose unsaved changes.

  1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
  2. Click Disable and confirm the action.
  3. All team members will need to use Customer.io credentials to sign in moving forward.

 Do not sign up for a new account after SSO is disabled

If any of your team members do not have or remember their Customer.io credentials after disabling SSO, send password reset emails from Team Members. You must have the Account Admin role to do this.

Troubleshooting

I’m getting an error when I click Authenticate.

If you’re still getting an error after double checking your organization URL, client ID and client secret, check to see that you’ve added yourself to the Customer.io app.

I’m using an aliased email (i.e. ami+cio@customer.io) as my Customer.io login. Can I still SSO?

Yes. Simply update your username in your IdP to your aliased email in the scope of the Customer.io app.

For Google SSO: you can login using ami@customer.io and have access to CIO accounts linked to ami@customer.io, ami+cio@customer.io, etc.

For Okta, Azure, and other IdPs: it has to be a 1-to-1 match. If your account has ami+cio@customer.io, your CIO account must be ami+cio@customer.io (not ami@customer.io).

I’m unable to log in after SSO was enabled. What do I do?

The email address you use to log into Customer.io must match the email registered in your IdP. An Account Admin on your account can verify or update your email in Customer.io on the Team Management page.

Reach out to support at win@customer.io if you’re still experiencing issues logging in.

Copied to clipboard!
  Contents
Is this page helpful?