Introducing SAML & Single Sign-On
Security Assertion Markup Language (SAML) is a security standard for logging into applications. Single Sign-On (SSO) allows users to log in to many applications or websites via one set of login details. This is commonly used in larger companies.
Only Team Owners and Admins are allowed to configure SAML/SSO logins for your workspace.
SAML and Single Sign-On (SSO) are only available on the Enterprise subscription to enable easier logins for your workspace members.
How SAML SSO works in Piktochart
- The Workspace Owner sets up SAML SSO.
- Piktochart creates a SAML request and sends it to the identity provider (IdP).
- The IdP checks your credentials to confirm they are correct.
- The IdP sends a response to Piktochart to verify your identity.
- Piktochart accepts the response and logs you into our system.
Initial setup of SAML Single Sign-On
You might need help from your IT team/department for this technical setup.
- Select Account Settings from the drop-down menu on the top right corner of the page
- Go to the Workspace Settings → select Security.
Step 1: Enter your company domain (e.g. piktochart.com).
- An email address on a subdomain that does not match, such as dev.piktochart.com, is not considered the same company domain.
- Generic domain emails, e.g. gmail.com, are not accepted.
Step 2: Enter the following values in the respective fields of your IdP:
- Audience (Entity ID) - https://create.piktochart.com/
- ACS (Consumer) URL - https://create.piktochart.com/users/auth/saml/callback
- NameId Format - Email Address
And map the following attribute statements in your IdP:
- "email" (user's email)
- "name" (user's name)
Step 3: Upload your SSO provider's metadata XML file, or enter the SSO URL and SSO certificate manually.
Step 4: Create a TXT record containing the DNS token at your domain host. You can enter an email address to be notified when domain verification is completed.
All set! SAML SSO now goes through the verification process, which may take up to 72 hours depending on your domain host.
Updating SAML Single Sign-On
Piktochart allows you to easily edit the existing SAML SSO configuration using the Security section in the Workspace settings. This section enables customers to:
- Upload a new SSO provider metadata XML file
- Specify a new IdP target authentication URL
- Insert a new IdP certificate
- Enable/disable SAML authentication
- Toggle enforcement of SAML login for all team members
The security section of the settings is only available to the workspace (team) owner.
- Select Account Settings from the drop-down menu on the top right corner of the Dashboard
- Select Security under Workspace Settings
The SAML Single Sign-On settings are displayed on the screen. To change them, toggle the buttons, or click the Edit configuration button to proceed with the additional configuration.
How do I deactivate users?
You need to access your IdP to deactivate users. Deactivating a user in your IdP removes the user’s access to log in via SAML SSO. However, the user can still log in using the email/password method.
Why am I receiving a verification error?
You may see errors such as these if your verification has failed:
- SAML SSO verification failed
- Status: Verification in progress. Make sure you have already entered the TXT token in your DNS record.
- Status: Invalid.
To resolve this, go to Edit Configuration to re-verify (making sure the TXT token is present in your DNS record), or delete your configuration and try again.
Why am I receiving an error message when trying to log in using SAML SSO?
There are a few possibilities:
- Using Gmail: If you are currently using Gmail for your login, you'll need to change your email address to the company domain email that is verified for SAML SSO.
- Domain email doesn't match: Your email domain is not the same as the company domain, e.g. dev.piktochart.com instead of piktochart.com.
- In-progress configuration: If another team owner from the same company configures SAML SSO for the same company domain, you'll get an error when trying to set up SAML SSO. This can happen during the verification process, and you'll see the error message "This domain has already been set up for SAML".
I am a new user in Piktochart. My company has set up SAML. How can I log in via SAML?
If you have not created an account in Piktochart, you will need to first create an account. Once this account has been confirmed, you will be able to use SAML SSO for subsequent logins.
How do I check if my configuration in the IdP (Identity Provider) is correct?
In order for SAML SSO to work, the attribute statements in your IdP have to be mapped correctly. If you're having issues with the configuration, here are some simple steps to check if they are correct:
- Install the Chrome extension "SAML, WS-Federation, and OAuth 2.0 tracer".
- Pin the Chrome extension.
- Sign in with SAML SSO: https://create.piktochart.com/saml_sessions
- Check the log produced by the extension by clicking on the extension logo; you will see a list of the captured requests.
- Double-click the HTTP POST whose destination is https://create.piktochart.com/users/auth/saml/callback. You will then see the raw message, where you can validate the attributes. You might need to scroll down to find them.
The correct attributes are the "email" and "name" attribute statements mapped in Step 2 of the initial setup.
If the attributes are not correct, for example if no <saml2:Attribute Name="email"> is being sent, or the <saml2:Attribute Name="email"> value is not an email address, you need to check your IdP settings or contact your IdP support.
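As an added example (not Piktochart's code), the following Python script performs the same attribute check as the tracer-extension steps above against a decoded SAML Response, and also checks the Audience, ACS URL and NameID format listed in Step 2 of the initial setup. The sample response is constructed and unsigned; the script does not verify the XML signature, which a real service provider must do.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response (the tracer extension shows the same prefixes).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values this page says to configure in the IdP for Piktochart.
EXPECTED_AUDIENCE = "https://create.piktochart.com/"
EXPECTED_ACS = "https://create.piktochart.com/users/auth/saml/callback"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_response(xml_text):
    """Return the list of mismatches found; an empty list means the visible fields match.
    Only the fields discussed on this page are checked; the XML signature is NOT verified."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    problems = []
    if root.get("Destination") != EXPECTED_ACS:
        problems.append("Destination is not the Piktochart ACS URL")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return problems + ["no saml2:Assertion in response"]
    audience = assertion.findtext(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        problems.append("Audience (Entity ID) does not match")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID format is not Email Address")
    attrs = {a.get("Name"): a.findtext("saml2:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    for required in ("email", "name"):
        if not attrs.get(required):
            problems.append(f'attribute "{required}" missing or empty')
    if attrs.get("email") and "@" not in attrs["email"]:
        problems.append('attribute "email" value is not an email address')
    return problems


# Constructed sample response (no signature) with the expected fields filled in.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml2="{NS['saml2']}"
  ID="_r1" Version="2.0" Destination="{EXPECTED_ACS}">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID Format="{EMAIL_NAMEID_FORMAT}">alice@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>{EXPECTED_AUDIENCE}</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="name"><saml2:AttributeValue>Alice Example</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""
```

Paste the raw message captured by the extension in place of SAMPLE to see which of the fields from Step 2 your IdP is sending incorrectly.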
If you need help with validation, you can download the raw file and send it to our Support Team. We're always happy to assist you!