# Single Sign-on (SSO)

Organizations with enhanced security requirements can configure their Customer.io account to use Single Sign-on (SSO).

To enable or disable SSO for your account, you must be an Account Admin.

## How to set up SSO

The process for configuring SSO will depend on your specific identity provider (IdP). Customer.io has dedicated integrations with the following providers and protocols:

*   [SSO with Google for organizations](#sso-with-google)
*   [SSO with Google for consumers](#sso-with-gmail)
*   [SSO with Okta](#sso-with-okta)—see *SSO with SAML 2.0* for another option
*   [SSO with Microsoft Entra](#sso-with-azure)
*   [SSO with OpenID SSO](#generic-sso)—works with a variety of providers
*   [SSO with SAML 2.0](#generic-saml)—works with Okta, Cloudflare, and JumpCloud

**We only support Service Provider (SP)-initiated SSO**

This means your teammates must start the login process from Customer.io’s login page at [fly.customer.io/login](https://fly.customer.io/login), not from their identity provider’s app card or dashboard.

## Frequently Asked Questions

**What is OpenID Connect and how does it differ from SAML?**

**OpenID Connect** is a security standard for logging into applications, built on the OAuth 2.0 protocol. It uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choice, such as scopes and endpoint discovery. It is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps. Learn more about [OpenID Connect](https://openid.net/connect/faq/).

Security Assertion Markup Language (**SAML**) is also a widely used authentication protocol for logging into apps, but it is built on the SAML 2.0 specification.

Unlike OpenID Connect, SAML allows you to include various attributes in the SAML statement sent to the SaaS application based on the mapping of attributes in your Identity Provider (IdP).

**How do I require 2FA with SSO?**

When you use SSO with Customer.io, you must enable 2FA within your identity provider. (Before you can enable SSO in Customer.io, you must disable [Customer.io’s 2FA feature](https://fly.customer.io/settings/security).)

*   [Require 2FA through Google](https://support.google.com/a/answer/9176657?hl=en)
*   [Enable 2FA in Okta](https://help.okta.com/en-us/Content/Topics/Security/mfa/mfa-factors.htm)
*   [Enable MFA in Microsoft Entra](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks)

**I’m able to log in with Google. Is that the same as Google SSO?**

No, it is not. “Log in with Google” is an option on the Customer.io sign-in page to quickly and securely log in, but team members can still use their email and password during sign-in. To block team members from signing in with an email/password, you must enable Google SSO on the [Account Security page](https://fly.customer.io/settings/security).

### Manage team members

**How do I add a new team member to my account after enabling SSO?**

For most integrations, you’ll need to add/remove team members from your IdP and add/remove them from Customer.io. Your team members must have matching email addresses across Customer.io and your IdP.

However, when you set up a SAML integration and enable SCIM, team members you add or remove from your IdP will automatically be added or removed from Customer.io. You can only manage roles and permissions within Customer.io.

In either case, a new team member will receive an email prompting them to log in. They won’t need to set a password, just enter their email into the Customer.io login page.

**Is there any sync between my Identity Provider (IdP) and the team member list in Customer.io?**

By default, no. You have to maintain access in both your IdP and Customer.io. However, if you enabled SCIM 2.0 on a SAML integration, your team member list will update based on those added and removed from your IdP automatically.

Keep in mind, you can only manage roles and permissions within Customer.io. Make sure your [team members](https://fly.customer.io/settings/team-members) have the right access.

**Can I manage team member roles through my Identity Provider (IdP)?**

It’s not possible to define a user’s permissions via your IdP. You can only manage a user’s permissions in Customer.io. [Manage team permissions](/journeys/add-remove-team-members/)

Reach out to support at [win@customer.io](mailto:win@customer.io) if you’re still experiencing issues with enabling SSO.

**I have two (or more) Customer.io accounts. Can I link both to my Identity Provider (IdP) account?**

Yes, you can, by adding two Customer.io applications within your IdP account. Repeat the steps that apply to your provider for each Customer.io account. Make sure the usernames in each app in your IdP match the corresponding usernames in Customer.io: [*Account Settings > Team Members*](https://fly.customer.io/settings/team).

**How do I force an account to log out?**

To invalidate someone’s active sessions in your Customer.io account, delete the team member from [*Account settings > Team Members*](https://fly.customer.io/settings/team).

**Do you support SLO?**

We do not support Single Logout (SLO) - the ability for someone to log out of one application which triggers a log out from all applications using the same credentials. For instance, your team member can’t log out of Customer.io and then trigger a log out of Salesforce.

## SSO with Google

You can either set up organization-level SSO or consumer-level SSO with Google. If your company uses Google Workspace to manage your employees’ identities, you can set up [SSO with Google for organizations](#sso-with-google). If you use consumer-level Google accounts, like gmail addresses, check out [SSO with Google for consumers](#sso-with-gmail).

Learn more about [Google identity management](https://cloud.google.com/architecture/identity/overview-google-authentication).

### SSO with Google for organizations

If you’re using Google Workspace (formerly G Suite) to manage your employees’ identities, then you can enable organization-level SSO for teammates who use [Customer.io](http://customer.io). If you have a consumer-level Google account (like a gmail address), go to [SSO with Google for consumers](#sso-with-gmail).

To get started, you must:

*   Have a Google Workspace account
*   Be an [Account Admin](https://fly.customer.io/settings/team) in Customer.io
*   [Disable 2FA](https://fly.customer.io/settings/security) for logging into Customer.io

**Ensure your team members have Google Workspace identities**

After you enable Google SSO, only team members in both your Google Workspace account and Customer.io will be able to log in. Any team members with an external email address won’t be able to log in until they are given an identity (email address) in Google Workspace and updated accordingly in Customer.io.

To enable SSO with Google Workspace:

1.  Make sure your [team members](https://fly.customer.io/settings/team) have email addresses that match those in your Google Workspace account.
2.  Go to [Account Settings > Security > Enable Single Sign-On](https://fly.customer.io/settings/security/sso) and click **Google SSO**.
3.  At the bottom of the page, click **Sign in with your Google account**. This will open a Google authorization window asking you to choose the account you’d like to use with Customer.io. *Make sure to choose the Google email account used by you and your team to log in—anyone with a different email domain will not be able to log in.*

After you complete setup, our system logs out all team members in Customer.io. They must sign in with Google moving forward; they can no longer sign in with username/password.

### SSO with Google for consumers

If you don’t have [organization-level Google SSO](#sso-with-google), you can sign in with a [**consumer account**](https://cloud.google.com/architecture/identity/overview-google-authentication#google_for_consumers). If you own a gmail address like `alice@gmail.com`, then your gmail account is a consumer account. Similarly, if you use the *Create account* link on the *Google Sign-In* page and during signup you provide a custom email address that you own, such as `alice@example.com`, then the resulting account is also a consumer account.

You can sign up to Customer.io using this method. But if you signed up using a username and password, you can link your Google account later.

To enable SSO with Google for your consumer account:

1.  Go to [**Settings** > **Personal Settings**](https://fly.customer.io/settings/personal) and click **Link Google Account**.
2.  Enter your password.

For future logins, you won’t be able to sign in with a username/password. Rather, you’ll click **Sign in with Google** to proceed.

By default, you will have to sign in with two-factor authentication via email. But you can change this to [2FA with an authentication app](https://fly.customer.io/settings/personal/security) in settings instead.

## SSO with Okta

### Requirements

To configure SSO with Okta, you must:

*   Have an existing Okta account
*   Have an Account Admin role in Customer.io, and
*   Disable “Require 2FA” for your Customer.io account

### Supported Features

This implementation supports **User Authentication**. After a team member is added to your Customer.io account, they’ll be asked to authenticate with Okta in order to log in.

No other features (like profile sync, provisioning, etc.) are supported at this time.

### Okta SSO Configuration Steps

Setting up Okta SSO with Customer.io is a two-step process. You’ll first add the Customer.io Application to your Okta account. Then, you’ll configure your Customer.io security settings to connect to Okta.

After setup is complete, team members will be **immediately** required to re-login to Customer.io using their Okta credentials. **Their current work may be interrupted.**

#### Part 1: Add Customer.io Application to Okta

1.  Add Customer.io to your Okta account by going to your **Applications** page, clicking **Browse App Catalog** and searching for Customer.io.
    
    ![okta-sso-add.png](https://docs.customer.io/images/image%28492%29.png)
    
2.  On the opened page, click **Add** to install the Customer.io integration.
    
    ![okta-sso-add.png](https://docs.customer.io/images/image%28562%29.png)
    
3.  You’ll be asked to provide an **Application label** (Customer.io) and configure whether the application should display to users or auto-submit with the browser plugin. Select your preference and click **Next** (these can be changed later).
    
    ![okta-sso-add-application-step-1.png](https://docs.customer.io/images/image%28487%29.png)
    
4.  Next, you’ll see **Step 2: Sign-On Options**. Select **OpenID Connect** and click **Done**.
    
    ![okta-sso-add-application-step-2.png](https://docs.customer.io/images/image%28488%29.png)
    
5.  After you click **Done**, the application will be added to your Okta org and is ready to be assigned to your team members. Click **Assign** to add the team members or groups who will be accessing Customer.io, including yourself!
    
    ![okta-sso-add-people.png](https://docs.customer.io/images/image%28489%29.png)
    
6.  Once you’ve added People, keep the Okta window open and move to Step 2 below.

#### Part 2: Configure Okta SSO in Customer.io

1.  Open a new window and get ready to set up SSO in your Customer.io account. Log in to Customer.io and navigate to the [Security page](https://fly.customer.io/settings/security) of Account Settings.
2.  On the Security page, select **Configure SSO**.
3.  Select **Okta SSO with OpenID Connect** to show the configuration settings.
4.  In the Configuration form, enter the following information:
    1.  **Okta Organization URL**: This can be found in your Okta dashboard header and typically follows the format of `https://[companyname].okta.com`. [Learn more about Okta Org URLs](https://developer.okta.com/docs/guides/find-your-domain/findorg/).
        
        ![okta-organization-url.png](https://docs.customer.io/images/image%28490%29.png)
        
    2.  **Okta Application Client ID and Client Secret**: Go back to your Okta window and look for the Client ID and Client Secret on the Sign On tab of the Customer.io Application.
        
        ![okta-client-keys.png](https://docs.customer.io/images/image%28491%29.png)
        
5.  Click **Authenticate your Okta account** to confirm the connection and enable SSO.
6.  Once the connection is authenticated, you’ve successfully enabled SSO for you and your team members.

## SSO with Microsoft Entra

### Requirements

To configure SSO with Entra ID, you must:

*   Have an existing Azure account
*   Have an Account Admin role in Customer.io, and
*   Disable “Require 2FA” for your Customer.io account

### Register a new app

You can find more info on setup in Microsoft Entra’s [Quick Start Guide](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#register-an-application).

1.  Log into your Microsoft Azure account and go to **Microsoft Entra ID**.
    
    ![On the Azure landing page, there are three horizontal sections. The top section is titled Welcome to Azure! Below that is Azure services. And below that is Resources. Under Welcome to Azure, the second item from the left reads Manage Microsoft Entra ID with a button labeled View. Under Azure services, the second item from the left is Microsoft Entra ID, which you can also click to start setting up Azure SSO.](https://docs.customer.io/images/azure-sso-entra-id.png)
    
2.  On the *Overview* page, click *Add* at the top and select **App registration**.
    
    ![On the left hand navigation, Overview is selected at the top. The first button on the top menu of the Overview page reads Add. This is selected and shows a dropdown. The last item of the dropdown is App registration.](https://docs.customer.io/images/azure-sso-new-registration.png)
    
3.  Enter a display **Name** for your application. This helps you distinguish between your registered apps. This will not appear in Customer.io.
    
    ![The name is OpenID for customer.io. The selected account type is accounts in this organization directory only. No redirect URI is provided at the bottom of the form.](https://docs.customer.io/images/azure-sso-registration-form.png)
    
4.  Click **Register** to complete initial setup.

### Configure your app

1.  To finish configuring your registered app, go to **Authentication > Add a platform**.
    
    ![Authentication is selected on the left hand menu. The button Add a platform is the first button on the page.](https://docs.customer.io/images/azure-sso-add-a-platform.png)
    
2.  Select **Web**.
3.  Add this redirect URI: [https://fly.customer.io/oauth2/redirect](https://fly.customer.io/oauth2/redirect).
4.  Select **Configure**.

### Add credentials

1.  Select **Certificates & secrets > Client secrets > New client secret**.
    
    ![Certificates and secrets is selected in the left hand menu. The button New client secret is located under the tab Client secrets.](https://docs.customer.io/images/azure-sso-client-secret.png)
    
2.  Enter a **Description** for your secret. Change the **Expiration** time period if needed.
    
    **Keep track of your expiration timeline**
    
    Customer.io doesn’t know when your client secret will expire. You’ll need to track your client secret’s expiration date outside Customer.io to maintain a smooth sign-in process.
    
3.  Select **Add**.
    
    1.  Your client secret is under **Value**.
4.  Keep your Microsoft Azure account open to finish integrating with Customer.io.
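
One way to track the expiration date outside Customer.io, as an added example (not Customer.io or Microsoft code). It assumes you have exported the app registration's `passwordCredentials` array from Microsoft Graph as JSON; the sample entries, key IDs and the 30-day threshold are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Graph timestamps look like 2025-03-20T09:30:00Z, sometimes with fractional seconds.
GRAPH_TIME = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")


def parse_graph_time(value):
    """Parse a UTC timestamp, ignoring any fractional-second digits."""
    match = GRAPH_TIME.match(value)
    if not match:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    parsed = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def secret_report(credentials, now, warn_days=30):
    """Classify each client secret as expired, expiring or ok, soonest first."""
    report = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days  # floors, so an expired secret is negative
        if end <= now:
            state = "expired"
        elif days_left < warn_days:
            state = "expiring"
        else:
            state = "ok"
        report.append({
            "name": cred.get("displayName") or "(no description)",
            "keyId": cred["keyId"],
            "days_left": days_left,
            "state": state,
        })
    return sorted(report, key=lambda row: row["days_left"])


# Constructed sample: three secrets on one app registration.
SAMPLE_CREDENTIALS = [
    {"displayName": "customer.io SSO", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2025-03-20T09:30:00.1234567Z"},
    {"displayName": "customer.io SSO (rotated)", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2026-03-01T00:00:00Z"},
    {"displayName": "customer.io SSO (old)", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2025-02-10T09:30:00Z"},
]
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in secret_report(SAMPLE_CREDENTIALS, SAMPLE_NOW):
        print(f"{row['state']:9} {row['days_left']:5}d  {row['name']}  ({row['keyId']})")
```

Run it on a schedule with the current time and alert on any row that is not `ok`, so the secret pasted into Customer.io is rotated before sign-in breaks.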
    

### Finish setup in Customer.io

1.  Go to [*Account Settings > Security > Enable Single Sign-On (SSO)*](https://fly.customer.io/settings/security/sso).
2.  Select **Entra ID SSO with OpenID Connect**.
    
    ![Below the selection of Azure SSO are three fields to fill in before you can authenticate your configuration.](https://docs.customer.io/images/azure-sso-configure-2.png)
    
3.  Back in *Microsoft Entra ID*, select **Overview** from the left-hand menu.
    1.  Then click **Endpoints** from the top menu. Copy the **OpenID Connect metadata document** and paste into **OpenID configuration document URL** in Customer.io. The URL should follow this pattern: `https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration`.
    2.  Copy the **Application/Client ID** and paste into **Azure Active Directory Application Client ID** in Customer.io.
4.  In *Microsoft Entra ID*, select **Certificates & Secrets**.
    1.  Copy the **Value** of your client secret and paste into **Azure Active Directory Application Client Secret** in Customer.io. Your configuration will not authenticate if you use the Secret ID; make sure you use the Value.
5.  In **Customer.io**, select **Authenticate your Microsoft Azure Active Directory account**. You will be prompted to sign in using Azure. You will see a success banner upon completion or information to help you remedy any issues in your configuration.

## SSO with OpenID

You can enable SSO for providers beyond Google, Okta, and Azure using our generic OpenID SSO option in [Account Settings](https://fly.customer.io/settings/security/sso). OpenID SSO works with any provider that is compliant with OpenID Connect, such as OneLogin and Auth0.

![On the Single Sign-on integration page, there are 4 options. The option for openid sso with openid connect is selected.](https://docs.customer.io/images/openid-sso.png)

### Requirements

Like with other IdPs, these are the general requirements to get started:

*   Have an existing account with the provider
*   Have an Account Admin role in Customer.io, and
*   Disable “Require 2FA” for your Customer.io account

### Set up OpenID SSO

1.  Configure your IdP:
    1.  Register your app with your IdP.
    2.  Configure the app.
    3.  Create a client secret.
    4.  **Set up the login URL and redirect URI** to send a user to the correct place after your identity provider verifies your users’ identities. The image below is an example from OneLogin.
        *   **Login URL**: [https://fly.customer.io/login](https://fly.customer.io/login)
        *   **Redirect URI**: [https://fly.customer.io/oauth2/redirect](https://fly.customer.io/oauth2/redirect)
            
            ![the OneLogin interface showing the login URL and redirect URI](https://docs.customer.io/images/onelogin_openid.png)
            
2.  Set up your Customer.io account:
    1.  Go to [**Account Settings > Security > Enable Single Sign-On (SSO)**](https://fly.customer.io/settings/security/sso).
    2.  Select **OpenID SSO with OpenID Connect**.
    3.  Fill in the following using the equivalent fields in your IdP:
        *   OpenID Configuration Documentation URL
        *   Client ID
        *   Client Secret
    4.  Select **Authenticate**. You’ll be prompted to sign in using your IdP. You will see a success banner upon completion or information to help you remedy any issues in your configuration.
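
Before pasting the OpenID configuration document URL (here or in the Entra ID steps above), you can sanity-check the document your IdP serves. This is an added example, not Customer.io's own validation: it applies the OpenID Connect Discovery rules to a document you have already downloaded, and the `idp.example.com` URL and document are constructed. Treating `token_endpoint` as required is an assumption based on the setup using a client secret.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata that OpenID Connect Discovery marks as required. token_endpoint is
# required unless only the implicit flow is used; it is assumed to be needed
# here because the setup on this page uses a client secret.
REQUIRED = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
HTTPS_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_discovery(config_url, document):
    """Return a list of problems found in an OpenID configuration document."""
    problems = []
    url = urlsplit(config_url)
    if url.scheme != "https":
        problems.append("configuration URL must use https")
    if url.path.endswith(WELL_KNOWN):
        # The issuer must be exactly the URL with the well-known suffix removed.
        expected = f"{url.scheme}://{url.netloc}{url.path[:-len(WELL_KNOWN)]}"
        if document.get("issuer") != expected:
            problems.append(f"issuer {document.get('issuer')!r} does not match {expected!r}")
    else:
        problems.append(f"configuration URL path does not end in {WELL_KNOWN}")
    for key in REQUIRED:
        if not document.get(key):
            problems.append(f"missing required field: {key}")
    for key in HTTPS_FIELDS:
        value = document.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "RS256" not in document.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not listed in id_token_signing_alg_values_supported")
    return problems


# Constructed sample: a well-formed document for a hypothetical IdP tenant.
GOOD_URL = "https://idp.example.com/tenant-a/.well-known/openid-configuration"
GOOD_DOC = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "token_endpoint": "https://idp.example.com/tenant-a/token",
    "jwks_uri": "https://idp.example.com/tenant-a/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    tampered = dict(GOOD_DOC, issuer="https://idp.example.com/tenant-b",
                    jwks_uri="http://idp.example.com/tenant-a/keys")
    for problem in check_discovery(GOOD_URL, tampered):
        print("PROBLEM:", problem)
```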

## SSO with SAML

You can enable SSO for some providers using our SAML option in [Account Settings](https://fly.customer.io/settings/security/sso). The table below shows the providers we’ve tested and whether or not they work with Customer.io.

Because our solution complies with the SAML 2.0 specification, it may work with other providers. [Contact us](mailto:product@customer.io) if you need help with a specific provider.

| Provider | Supported |
| --- | --- |
| Cloudflare | ✅ |
| JumpCloud | ✅ |
| Okta | ✅ |
| Google | ❌ |
| Azure | ❌ |
| Auth0 | Not Tested |

![On the Single Sign-on integration page, there are 5 options. The option for SAML is selected.](https://docs.customer.io/images/saml-sso.png)

### Requirements

To get started, you must be an Account Admin in Customer.io, and [disable 2FA](https://fly.customer.io/settings/security) for your Customer.io account.

### Set up SAML

Follow these steps for JumpCloud or Cloudflare. For Okta, check out their specific [instructions](#set-up-saml-for-okta) below.

1.  Register your app with JumpCloud or Cloudflare.
    1.  Set **SAML Subject NameID Format** to email address, just like the NameID.
2.  Set up your Customer.io account:
    1.  Go to [**Account Settings > Security > Enable Single Sign-On (SSO)**](https://fly.customer.io/settings/security/sso).
    2.  Select **SAML 2.0**.
    3.  Paste in the **Metadata URL** from the equivalent field in JumpCloud or Cloudflare.
    4.  Select **Generate your SAML SSO metadata**.
3.  Finish configuring your IdP:
    1.  Copy these fields from Customer.io and paste them into the corresponding fields in the SSO app you just made in your IdP:
        *   **Service Provider (SP) Entity ID**
        *   **ACS URL**
    2.  Click **Export SP Certificate** in Customer.io, and then upload this to *SP Certificate* in your SSO app.
    3.  **Save** your changes.

### Set up SAML for Okta

1.  Set up your Customer.io account:
    1.  Go to [*Account Settings > Security > Enable Single Sign-On (SSO)*](https://fly.customer.io/settings/security/sso).
    2.  Select **SAML 2.0**.
    3.  Add a temporary link to the **Metadata URL**. We’ll update this later. It must start with `https://`.
    4.  Select **Generate your SAML SSO metadata**. You’ll see a banner indicating that team members must log in with SSO now. Note, if they’re already logged in, they won’t be kicked out.
2.  Create a SAML app in Okta’s Admin Console.
    1.  Go to *Applications > Applications*, and click on **Create App Integration**.
    2.  Select **SAML 2.0**, and click **Next**.
    3.  Enter an **App name** so you know it’s for Customer.io, and click **Next**.
    4.  In *SAML Settings*, set the **Single sign-on URL** as the *ACS URL* from Customer.io.
    5.  Set the **Audience URI** as the *SP Entity ID* from Customer.io.
    6.  Change **Application username** to Email, and then click **Next**.
    7.  Click **Finish**.
3.  Finish configuring Okta in Customer.io.
    1.  Click **Update metadata URL**, and type in the value from your Okta app.
    2.  Click **Save**.
4.  If applicable, continue to [Enable SCIM](#provision-access).

You do not need to export the SP certificate from Customer.io to input into Okta.

### Provision access

After you’ve set up SAML SSO, decide how you want to manage team member access:

*   Add your colleagues to both your IdP and [Customer.io](/accounts-and-workspaces/add-remove-team-members/#add-team-members) for them to successfully log into Customer.io or
*   Set up [System for Cross-domain Identity Management (SCIM) 2.0 provisioning](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) so you only have to add/remove team members from your IdP.

**In either case, your team members must log in from Customer.io, not from within your IdP.**

We do not support [Just-in-Time (JIT) provisioning](https://jumpcloud.com/blog/difference-between-saml-sso-jit).

#### Set up auto-provisioning

**After authenticating your SSO provider**, you can set up SCIM 2.0 provisioning to automate the management of your team members in Customer.io. Once enabled, you can automatically add and remove team members in Customer.io when they are added or removed from your identity provider.

##### JumpCloud

1.  In [*Account Settings > Security > Enable Single Sign-On (SSO)*](https://fly.customer.io/settings/security/sso), go to your authenticated identity provider, and click **Enable SCIM**.
2.  In JumpCloud, go to *Applications > Identity Management > Configuration Settings*.
3.  Choose **SCIM API** under API Type.
4.  Choose **SCIM 2.0** under SCIM Version.
5.  Copy the **Base URL** and **Token** from Customer.io and paste them into the corresponding fields in your IdP.
6.  Enter a valid email address for your SSO under **Test User Email**. For the test to work, this address cannot already be a team member in Customer.io.
7.  Click **Test Connection** in the upper right. The test user will be created and deleted from Team Members in Customer.io.
8.  **Toggle OFF Group Management**; this is not supported through Customer.io’s implementation.
9.  Under Attribute Mapping, click **exclude** for passwords.
10.  Set the following fields and click **include** to the right of each:
    *   `UserName` = `Company Email`
    *   `Name.FamilyName` = `Last Name`
    *   `Name.GivenName` = `First Name`
11.  Click **Activate** in the top right. SCIM 2.0 is now enabled on your account!
12.  Back in Customer.io, go to [Team Members](https://fly.customer.io/settings/team) and you’ll see the users you’ve provisioned in your SAML app. Change their roles and permissions from this screen; their level of access is managed within Customer.io, not JumpCloud.

##### Cloudflare

1.  In [*Account Settings > Security > Enable Single Sign-On (SSO)*](https://fly.customer.io/settings/security/sso), go to your authenticated identity provider, and click **Enable SCIM**.
2.  Go to Cloudflare One’s docs for more information on [Generic SAML applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/).
3.  Back in Customer.io, go to [Team Members](https://fly.customer.io/settings/team) and you’ll see the users you’ve provisioned in your SAML app. Change their roles and permissions from this screen; their level of access is managed within Customer.io, not Cloudflare.

##### Okta

1.  In [*Account Settings > Security > Enable Single Sign-On (SSO)*](https://fly.customer.io/settings/security/sso), go to your authenticated identity provider, and click **Enable SCIM**.
    
2.  In Okta’s Admin Console, go to *Applications > Applications*, and click on your app.
    
3.  Go to the *General* tab, and select **SCIM** under *Provisioning*. Then click **Save**.
    
4.  Click the *Provisioning* tab, choose *Integration*, and fill in the info:
    
    *   **SCIM connector base URL**: paste in the Base URL from Customer.io.
    *   **Unique identifier field for users**: type in `email`.
    *   **Supported provisioning actions**: select Import New Users and Profile Updates, Push New Users, and Push Profile Updates.
    *   **Authentication Mode**: change to HTTP Header.
    *   **Authorization**: paste in the Token from Customer.io.
5.  Click **Save**.
    
6.  Click *To App* within the *Provisioning* tab, and choose **Edit**. Select these three options:
    
    *   Create Users
    *   Update User Attributes
    *   Deactivate Users
7.  Click **Save**.
    
8.  Finally, click the *Assignments* tab, and assign users as needed. User assignments sync to Customer.io.
    
    **Note, Okta does not automatically provision users assigned to the Okta application *from before* SCIM provisioning was in place.** It’s easiest to remove then re-add the user to the application to provision them.
    
9.  Back in Customer.io, go to [Team Members](https://fly.customer.io/settings/team) and you’ll see the users you’ve provisioned in your SAML app. Change their roles and permissions from this screen; their level of access is managed within Customer.io, not Okta.
    

### Login

After you [provision access](#provision-access) for your team members, they must:

1.  Accept the invite email from Customer.io to join your account
2.  Go to Customer.io and log in; team members cannot log into Customer.io from within your IdP.

## Disable SSO

**Disabling SSO will affect all of your team members**

After you disable SSO, we log your team members out which may interrupt their work and cause them to lose unsaved changes.

1.  Go to [**Account Settings > Security > Enable Single Sign-On (SSO)**](https://fly.customer.io/settings/security/sso).
2.  Click **Disable** and confirm the action.
3.  All team members will need to use Customer.io credentials to sign in moving forward.

**Do not sign up for a new account after SSO is disabled**

If any of your team members do not have or remember their Customer.io credentials after disabling SSO, send password reset emails from [Team Members](https://fly.customer.io/settings/team). You must have the Account Admin role to do this.

## Troubleshooting

**I’m getting an error when I click Authenticate.**

If you’re still getting an error after double checking your organization URL, client ID and client secret, check to see that you’ve added yourself to the Customer.io app.

**I’m getting an error when trying to log in using my identity provider’s app card.**

This is expected behavior. Customer.io only supports Service Provider (SP)-initiated SSO, which means you must start the login process from Customer.io’s login page at [fly.customer.io/login](https://fly.customer.io/login). You cannot log in directly from your identity provider’s app card or dashboard.

**I’m using an aliased email (like [ami+cio@customer.io](mailto:ami+cio@customer.io)) as my Customer.io login. Can I still SSO?**

Yes. Simply update your username in your IdP to your aliased email in the scope of the Customer.io app.

For Google SSO: you can log in using `ami@customer.io` and have access to CIO accounts linked to `ami@customer.io`, `ami+cio@customer.io`, etc.

For [Okta](https://help.okta.com/oie/en-us/Content/Topics/Provisioning/Google/email-alias.htm), Azure, and other IdPs: it has to be a 1-to-1 match. If your account has `ami+cio@customer.io`, your CIO account must be `ami+cio@customer.io` (not `ami@customer.io`).
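
The matching rules above, and the requirement that team member emails match your IdP before you enable SSO, can be checked ahead of time. The following is an added example, not Customer.io code: it assumes you have exported both email lists yourself, and the addresses other than the page's `ami` alias are constructed. Addresses that differ only in letter case are reported separately for review, because this page does not say whether the comparison is case-sensitive.

```python
from dataclasses import dataclass, field


def strip_plus_alias(email):
    """ami+cio@customer.io -> ami@customer.io (the domain is left untouched)."""
    local, _, domain = email.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


@dataclass
class Audit:
    ok: list = field(default_factory=list)         # matches an IdP identity
    case_only: list = field(default_factory=list)  # matches only if case is ignored
    missing: list = field(default_factory=list)    # no IdP identity: expect lockout


def audit_team(team_members, idp_users, alias_tolerant=False):
    """Compare Customer.io team member emails against IdP identities.

    alias_tolerant=True models the Google SSO behaviour described above, where
    a login as ami@... also reaches accounts linked to ami+cio@...
    alias_tolerant=False models Okta, Azure and other IdPs (1-to-1 match).
    """
    idp_exact = set(idp_users)
    idp_folded = {user.lower() for user in idp_users}
    result = Audit()
    for member in team_members:
        candidates = [member]
        if alias_tolerant:
            candidates.append(strip_plus_alias(member))
        if any(c in idp_exact for c in candidates):
            result.ok.append(member)
        elif any(c.lower() in idp_folded for c in candidates):
            result.case_only.append(member)
        else:
            result.missing.append(member)
    return result


# Constructed sample exports.
TEAM_MEMBERS = ["ami+cio@customer.io", "bo@example.com", "Cy@example.com", "dee@contractor.example"]
IDP_USERS = ["ami@customer.io", "bo@example.com", "cy@example.com"]

if __name__ == "__main__":
    for label, tolerant in (("Google SSO", True), ("Okta/Azure/other", False)):
        report = audit_team(TEAM_MEMBERS, IDP_USERS, alias_tolerant=tolerant)
        print(label)
        print("  ok:       ", report.ok)
        print("  case only:", report.case_only)
        print("  missing:  ", report.missing)
```

Anyone listed under `missing` needs an identity in the IdP, or an updated email in Customer.io, before SSO is switched on.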

**I’m unable to log in after SSO was enabled. What do I do?**

The email address you use to log into Customer.io must match the email registered in your IdP. An Account Admin on your account can verify or update your email in Customer.io on the [Team Management page](https://fly.customer.io/settings/team).

Reach out to support at [win@customer.io](mailto:win@customer.io) if you’re still experiencing issues logging in.