Managing Single Sign-On (SSO) Settings and Troubleshooting in Pipedrive
Single Sign-On (SSO) is a powerful tool for streamlining login processes and enhancing security within Pipedrive. This article will guide you through managing SSO settings, understanding login behaviors, and troubleshooting common issues.
Overview of Single Sign-On in Pipedrive
SSO allows users to log into Pipedrive using their Identity Provider (IDP) credentials. When enabled, users can access Pipedrive efficiently without relying on traditional email and password combinations. Additionally, there are options to fine-tune SSO behavior based on organizational needs by enabling or enforcing SSO settings, as outlined below.
Login Methods Based on SSO Settings
Enabling SSO Without Enforcement
When SSO is enabled but not enforced:
Users can log in using multiple methods, including: - "Login with Google" - "Via password" - "Login with SSO"
Other authentication methods remain available for flexibility, supporting diverse user preferences or roles.
Enforcing SSO
When SSO enforcement is enabled:
Users are restricted to logging in exclusively with their IDP credentials via the "Login with SSO" method.
Although the "Login with Google" button remains visible, selecting it redirects users to the IDP's login page.
Enforcement automatically applies to all users in an account, without the ability to selectively exclude individual users from enforcement.
Troubleshooting Login Issues
If users encounter issues logging in via SSO, consider the following checklist:
Verify SSO User Enablement: - Ensure SSO is switched on for users in your Pipedrive settings. If this toggle is off, SSO login will fail regardless of accurate configuration.
Check Enforcement Settings: - Determine whether SSO is enforced and inform users about restrictions on alternative login methods.
Review Domain Configurations: - Ensure the user’s domain is correctly incorporated into the SSO rules if enforcement is required. - For exceptions, check that the email domain is not listed as enforced.
Reset User Credentials: - If necessary, users can reset their password to regain access temporarily.
What happens if SSO breaks while enforced:
Users with enforced SSO are fully blocked from logging in.
If an admin is already logged in, their session remains valid for up to 30 days. Within that window they could navigate to Company settings > Single sign-on and disable enforcement.
If no one has an active session, the only option is to contact Pipedrive support to have enforcement disabled on the backend.
Key Takeaways
Enabling SSO without enforcing it provides flexibility for users to choose their login method.
Enforcing SSO restricts login exclusively to the IDP protocol for all users on enforced domains.
Exceptions are manageable when users operate on non-enforced domains, enabling them to bypass SSO.
SSO troubleshooting often involves verifying enablement toggles, domain configurations, and enforcement rules.
By understanding and applying these principles, administrators can effectively manage Single Sign-On settings within Pipedrive while maintaining a seamless and secure login experience for their teams.