Pattern PXM SSO with Azure Active Directory

Step-by-step guide for setting up Single Sign-On with Microsoft Azure AD and Pattern PXM via SAML 2.0.

Written by Caden Lindquist

Overview

Pattern PXM is a cloud-based Product Experience Management platform designed to help product brands rapidly organize, convert, manage, and share marketing content and digital assets. This article summarizes the concepts and setup of Pattern PXM Single Sign-On (SSO) via SAML 2.0.

Benefits of enabling SSO:

  • Single Sign-On capabilities and enhanced security

  • Pattern PXM opens immediately for authenticated users and remembers user collections

  • Admins can view full user access history

  • Streamlined bulk user onboarding

  • Fast user access and broad system usability

Single Sign-On (SSO)

Enterprise single sign-on allows employees to access all company applications with one set of credentials. Depending on the organization, credentials may include email address, phone number, or username combined with a password. The company routes all logins through an Identity Provider (IdP) for which a license has been purchased. The IdP typically hosts a login page where employees enter corporate credentials before accessing any application.

Single Sign-On provides stronger security through a central authentication point, significantly reducing the risk of phishing attacks.

How enterprise SSO works with Pattern PXM

When enterprise SSO is enabled, user authentication is handled externally — bypassing Pattern PXM's native login. When users navigate to your Pattern PXM sign-in page or follow a link to Pattern PXM, they are authenticated by signing into your corporate server or a third-party identity provider.

The sign-in flow follows this sequence:

  1. Users navigate to your Pattern PXM subdomain.

  2. If not already authenticated, users are redirected to your corporate server or third-party identity provider login page.

  3. Users enter their sign-in credentials.

  4. If valid, users are redirected back to the Pattern PXM home page.

Note: Users can also initiate the sign-on process from your corporate server or third-party identity provider sign-in page. They will be authenticated automatically when accessing Pattern PXM. All users access Pattern PXM using enterprise single sign-on. User accounts must exist within Pattern PXM to allow access — new employees must be created using their email address in Pattern PXM.

The advantage of enterprise SSO is complete control over user authentication behind your firewall. You authenticate users once against your own system, then grant access to many corporate resources — both inside and outside your firewall — without requiring separate sign-ins for each service.

By default, Pattern PXM stores only the user's name and email address. Pattern PXM does not store user passwords.

SAML 2.0

About SAML

Security Assertion Markup Language (SAML) is not enabled by default and requires proper licensing to activate. SAML is supported by many identity provider services, including Okta, Microsoft Active Directory, and LDAP.

Implementing SSO via SAML means the sign-in process and user authentication are handled entirely outside of Pattern PXM. Users sign in to the corporate system and click a link to access Pattern PXM, where they are automatically signed in — no separate credentials required.

Pattern PXM supports SAML on Professional and Enterprise editions.

How SAML works with Pattern PXM

  • Your users belong to a corporation where all authentication is managed by your corporate authentication system (e.g., Microsoft Active Directory or LDAP) — referred to as the Identity Provider (IdP).

  • Pattern PXM, acting as the Service Provider (SP), establishes a trust relationship with the IdP and allows the external IdP to authenticate users, then seamlessly sign them in.

  • A user signs in at work and then has automatic access to many corporate applications — email, CRM, Pattern PXM, and more — without separate sign-in steps.

  • All user authentication is handled internally by a system you fully control.

Once SAML is enabled, users who visit your Pattern PXM account and attempt to sign in are redirected to your SAML server for authentication. Once authenticated, users are redirected back to Pattern PXM and signed in automatically.

Returning visitors are automatically authenticated if their SAML assertions are cached. Assertions are packets of security information used to make access-control decisions.

New user provisioning

A Pattern PXM user profile is automatically created for any new user who accesses your Pattern PXM account through SAML. Because they authenticate with a non-Pattern PXM password, the profile is created without a password — no separate Pattern PXM credentials are needed.

Configuring your SAML implementation

You have several options when choosing a SAML service, including building a SAML server in-house (e.g., OpenAM) or selecting a SAML service such as Okta, OneLogin, or PingIdentity.

Prerequisites

  • A SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP

  • The Remote Login URL for your SAML server (sometimes called the SAML Single Sign-On URL)

  • The SHA1 or SHA2 fingerprint of the SAML certificate from your SAML server — X.509 certificates in PEM or DER format are supported

Once your SAML server is properly configured, provide the remote login URL and SHA fingerprint to the Pattern PXM support team to complete configuration.

Required profile data

The following field attributes are required in your SAML user token (case-sensitive):

  • email — Required

  • firstname — Required

  • lastname — Required

  • phone — Optional

  • language_code — Optional (ISO 639-1 code)
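
The attribute names above can be checked against an assertion captured from a test login before SSO is activated. The following is an added example, not Pattern PXM or Microsoft code: the function name and the sample assertion are constructed for illustration, and the check covers attribute names and the language_code format only, not signature validation.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstname", "lastname")

def check_profile_attributes(assertion_xml):
    """Return a list of problems found in the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = (value or "").strip()
    problems = []
    for name in REQUIRED:
        if attrs.get(name):
            continue
        # Names are case-sensitive, so report a differently-cased near miss.
        near = [n for n in attrs if n and n != name and n.lower() == name]
        hint = f" (found {near[0]!r}, wrong case)" if near else ""
        problems.append(f"required attribute {name!r} missing or empty{hint}")
    lang = attrs.get("language_code")
    # Format check only: ISO 639-1 codes are two lowercase letters.
    if lang is not None and not re.fullmatch(r"[a-z]{2}", lang):
        problems.append(f"language_code {lang!r} is not a two-letter ISO 639-1 code")
    return problems

# Constructed sample assertion fragment; all values are placeholders.
BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="Email">
   <saml:AttributeValue>a.user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstname">
   <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname">
   <saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="language_code">
   <saml:AttributeValue>en-US</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
GOOD = BAD.replace('Name="Email"', 'Name="email"').replace("en-US", "en")

if __name__ == "__main__":
    for problem in check_profile_attributes(BAD):
        print(problem)
```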

SAML configuration values

Assertion Consumer Service (ACS) URL:

https://saml.pxm.pattern.com/saml/module.php/saml/sp/saml2-acs.php/[companyname]

Where [companyname] is the name/alias of your organization.

Pattern PXM instance URL:

https://companyname.pxm.pattern.com

Entity ID:

companyname (the name/alias of your organization)

Additional configuration notes:

  • Redirects to SAML Single Sign-On URL use HTTPS POST

  • Hashing algorithm (ADFS): Pattern PXM supports both SHA-1 and SHA-2 (SHA-256) when using Active Directory Federation Services

  • ADFS: Only Forms Based Authentication is supported. Integrated Windows Authentication is not currently supported.

Microsoft Azure AD setup guide

Before you begin: Contact your Pattern PXM support or onboarding team to obtain the following organization-specific values before configuring Azure AD:

  • Entity ID

  • Reply URL (your full Pattern PXM subdomain, no trailing slash)

  • SAML Token Attributes (see Required Profile Data above)

Once setup is complete, you will need to provide the Metadata XML generated in Azure AD to the Pattern team to fully activate SSO for your organization.

Step-by-step configuration

Step 1 — Log in to Azure AD Admin Center

Sign in to the Microsoft Azure AD Admin Center with your administrator credentials.

Step 2 — Navigate to Enterprise Applications

From the left navigation menu, select Enterprise Applications.

Step 3 — Create a new application

Click + New application to begin adding a new enterprise application.

Step 4 — Select Non-Gallery Application

Choose Non-gallery application from the application type options.

Step 5 — Name the application

Specify a descriptive name for the application, such as Pattern PXM.

Step 6 — Configure SAML and Entity ID

Select SAML as the single sign-on method. Enter the Entity ID as provided by your Pattern PXM onboarding team.

Step 7 — Define SAML token attributes

Map the required SAML token attributes to your directory attributes (email, firstname, lastname, and any optional fields). Refer to the Required Profile Data section above.

Step 8 — Download Metadata XML and send to Pattern

Download the Federation Metadata XML file generated by Azure AD. Send this file to your Pattern PXM support or onboarding contact to complete the SSO activation.

Step 9 — Assign users and groups

Once SSO is activated, assign the appropriate users and groups in Azure AD to grant them access to Pattern PXM through the enterprise application.
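
Before sending the Federation Metadata XML from Step 8, you can read out the values listed under Prerequisites (the sign-on URL and the SHA-1/SHA-256 certificate fingerprints) and compare them with what your IdP shows. This is an added example, not Pattern PXM or Microsoft code: the function names and the sample metadata are constructed, and the sample uses stand-in bytes instead of a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def colon_hex(digest):
    return ":".join(f"{b:02X}" for b in digest)  # AA:BB:CC...

def summarize_idp_metadata(xml_text):
    """Return entity ID, HTTP-POST sign-on URLs and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    urls = [s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_POST]
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if kd.get("use") not in (None, "signing") or not b64:
            continue  # skip encryption-only or empty key entries
        # A fingerprint is a hash of the DER bytes, not of the base64/PEM text.
        der = base64.b64decode("".join(b64.split()))
        certs.append({"sha1": colon_hex(hashlib.sha1(der).digest()),
                      "sha256": colon_hex(hashlib.sha256(der).digest())})
    return {"entity_id": root.get("entityID"), "sso_post_urls": urls, "certs": certs}

# Constructed sample: stand-in bytes instead of a real certificate, placeholder hosts.
SAMPLE_DER = bytes(range(48))
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/constructed">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Location="https://idp.example.test/sso/redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleSignOnService Location="https://idp.example.test/sso/post"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_METADATA))
```

If the metadata lists more than one signing certificate, each gets its own entry in `certs`, so every fingerprint can be compared.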

For additional support, contact your Pattern PXM onboarding team or visit pxm.pattern.com.
