Segment supports Single Sign On on our Business tier. You can use any SAML-based IDP (Okta, Bitium, OneLogin, Centrify) or GSuite to serve as your identity provider, delegating access to the application based on rules you set forth in your central identity management solution.
With SSO, you have centralized control over your users’ ability to authenticate or not in your IDP, and can also enforce rules like two-factor auth or password rotation at the IDP level.
You can configure as many IDP connections to your workspace as you’d like to support IDP-initiated authentication. This allows seamless migration from one system to a new one, for example (eg. if you switch IDP vendors or take the plunge and graduate from GSuite to a dedicated SAML IDP like Okta or OneLogin).
In order to support SSO-based authentication from the Segment login page, you’ll need to verify ownership of the domain that your users use for their email. Once you’ve done that, you can set a connection to the default and that will be the one used from the login page. Please note, only a single workspace can claim ownership of a domain, so if you have multiple workspaces and want to connect your IDP to each, you’ll only be able to use IDP-initiated SSO for your non-primary one.
Setup — SAML
Segment’s SSO configuration is entirely self-service; we don’t require any back and forth with our team in order to test and enable the feature on your workspace. However, we are here to help! Don’t hesitate to get in touchif you run into any questions or issues.
To get started, go to your workspace settings and choose the “Connections” tab under “Authentication” and click “Add New Connection.” Follow the steps to create a SAML connection.
Prepare your IDP for the connection.
To get started, you’ll need to create an application in your IDP. We’re in the process of rolling out officially supported apps with the most popular IDPs, but in the meantime you can create a custom SAML-based application.
Your provider will ask you for a few things from Segment, which we provide in the setup flow:
A few gotchas to look out for:
Different IDPs have different nomenclature for the Audience URL. Some call it “Audience URI,” some call it “Entity ID”, some call it “Service Provider Entity ID.” It’s likely there are only two required fields without correct defaults, and they correspond to the SSO URL and Audience URL values above.
In all IDPs we’ve worked with, the default NameID option is the correct one. Make sure it’s using the emailAddress schema.
In all IDPs we’ve worked with, the default connection encryption options are the correct ones. (Signed Response & Assertion Signature with SHA256, Unencrypted Assertions).
Different IDPs store records of your employees differently. The only attribute mapping we require is to make sure you’re sending
user.email. In Duo this is
Make sure you’ve enabled “send all attributes” (not just NameID) if applicable for your IDP.
No RelayState is required.
Once you’ve created the application in your IDP, you can come back to Segment and click “Next”.
Configure Segment to Talk to Your IDP.
Your IDP will provide a URL and x.509 certificate. Copy them into their respective fields in Segment.
Once you do that, click “Configure Connection.” You’re all set!
Test your connection with IDP-initiated SSO.
Back at the connections page, make sure your connection is enabled with the switch on the right.
You can now test via IDP-initiated SSO (by clicking login to Segment from within your IDP) is working correctly. If not, please double check the IDP configuration gotchas section above.
Setup — GSuite
GSuite configuration is incredibly simple with Segment. To get started, go to your workspace settings and choose the “Connections” tab under “Authentication” and click “Add New Connection.” Follow the steps to create a “Google Apps For Work” connection.
You simply enter your domain (or, if you’ve verified it already, choose it from the dropdown) and then click the resulting link to authorize the connection.
Enabling Segment-initiated login
Segment supports “interruption” on the login page for emails that match your workspace’s domain.
In order to enable this, you’ll need to verify your domain with Segment. To do that, go to the “Domains” tab under “Authentication” in the workspace settings page.
Enter your domain and click “Add Domain.” When you click verify, you’re given two options to verify your domain, either via a meta tag to add to your
/index.html at the root or a DNS txt record that you can add via your DNS provider. Once you do so and click verify, you’re ready to go!
Do you support automatic user provisioning?
Segment supports “just in time” user permissioning; new users who authenticate via your IDP are automatically created in Segment as read-only members.
If the user already exists in Segment then we will associate your IDP identity with your existing Segment user account.
Do you support automatic user de-provisioning?
No. However, since any non-owners must log in with SSO to access your workspace, once you remove their authorization in your IDP they will no longer be able to access your workspace.
Will my users still be able to log in with username and password?
Existing users who are workspace owners may still log in with workspace password to access your workspace. As we add more granular permission levels, we will maintain that only owners/admins can access your workspace when they log in with username and password.
Will my users lose access to their other workspaces when I enable SSO?
Segment allows users to own their own workspaces. While your IDP authentication will ensure that any non-owners must have logged in with SSO to access your workspace, they can still log into Segment with username and password to access their own workspaces.
Can read-only members access my workspace with username and password?
No. Only workspace owners can log in with username and password.
Can I still invite people outside the organization?
Workspace owners can invite additional owners with any domain via the traditional invite mechanism.