Single Sign-on (SSO)

Organizations with enhanced security requirements can configure their Customer.io account to use Single Sign-on (SSO).

How to set up SSO

The process for configuring SSO will depend on your specific identity provider (IdP). Customer.io has dedicated integrations with the following providers:

Frequently Asked Questions

What is OpenID Connect?

OpenID Connect is a security standard for logging into applications, built on the OAuth 2.0 protocol. It uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choice, such as scopes and endpoint discovery. It is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps. Learn more about OpenID Connect.

How do I add a new team member to my account after enabling SSO?

When a new team member is added through Customer.io to an SSO-enabled account, the new team member will receive an email prompting them to log in. On invite, they should not need to set or reset a password, but instead can directly enter their email into the Customer.io login page.

You’ll need to add team members to your identity provider and Customer.io using a matching email address.

Can I manage team member roles through my Identity Provider?

It’s not possible to define a user’s permissions via your IdP. You can only manage a user’s permissions in Customer.io. Manage team permissions

Reach out to support at win@customer.io if you’re still experiencing issues with enabling SSO.

How do I require 2FA with SSO?

Each team member’s individual 2FA setting is not enforced in Customer.io while Single Sign-On (SSO) is enabled. You must disable the 2FA Requirement feature in Customer.io if you wish to enable SSO. To add two-factor authentication in addition to enabling SSO in Customer.io, enable 2FA within the settings of your specific identity provider.

I’m able to log in with Google. Is that the same as Google SSO?

No, it is not. “Log in with Google” is an option on the Customer.io sign-in page to quickly and securely log in, but team members can still use their email and password during sign-in. To block team members from signing in with an email/password, you must enable Google SSO on the Account Security page.

SSO with Google

If you are using G Suite to manage your company email, then you can enable Google SSO in your Customer.io account. You must:

  • Have a G Suite account (public @gmail.com email accounts cannot set up SSO),
  • Have an Admin-level role in your Customer.io account, and
  • Disable “Require 2FA” for your Customer.io account.

After setup is complete, members of your account will immediately be logged out and will need to log in again using their Google-managed email address.

To enable SSO with Google:

  1. Log in to your Customer.io account and navigate to Account Settings → Security.
  2. On the Security page, select Configure SSO to get started.
  3. In Step 1, select Google SSO.
  4. In the next and final step, click Authenticate your account. This will open a Google authorization window asking you to choose the account you’d like to use with Customer.io. Make sure to choose the email account used by you and your team to log in — anyone with a different Google email domain will not be able to log in.

 Check your team email addresses!

After Google SSO is enabled, only team members in your company G Suite account will be able to log in. Any team members with an external email address will not be able to log in until their emails are updated in Customer.io.

SSO with Okta

Requirements

To configure SSO with Okta, you must have:

  • an existing Okta account,
  • an Admin-level role in the Customer.io account, and
  • “Require 2FA” disabled for your Customer.io account.

Supported Features

This implementation supports User Authentication. After a team member is added to your Customer.io account, they’ll be asked to authenticate with Okta in order to log in.

No other features (i.e. profile sync, provisioning, etc.) are supported at this time.

Okta SSO Configuration Steps

Setting up Okta SSO with Customer.io is a two-step process. You’ll first add the Customer.io Application to your Okta account. Then, you’ll configure your Customer.io security settings to connect to Okta.

 After setup is complete, team members will be immediately required to re-login to Customer.io using their Okta credentials. Their current work may be interrupted.

Part 1: Add Customer.io Application to Okta

  1. Add Customer.io to your Okta account by going to your Applications page, clicking Browse App Catalog and searching for Customer.io.

  2. On the opened page, click Add to install the Customer.io integration.

  3. You’ll be asked to provide an Application label (Customer.io) and configure whether the application should display to users or auto-submit with the browser plugin. Select your preference and click Next (these can be changed later).

  4. Next, you’ll see Step 2: Sign-On Options. Select OpenID Connect and click Done.

  5. After you click Done, the application will be added to your Okta org and is ready to be assigned to your team members. Click Assign to add the team members or groups who will be accessing Customer.io, including yourself!

  6. Once you’ve added People, keep the Okta window open and move to Part 2 below.

Part 2: Configure Okta SSO in Customer.io

  1. Open a new window and get ready to set up SSO in your Customer.io account. Log in to Customer.io and navigate to the Security page of Account Settings.
  2. On the Security page, select Configure SSO.
  3. Select Okta SSO with OpenID Connect to show the configuration settings.
  4. In the Configuration form, enter the following information:
    1. Okta Organization URL: This can be found in your Okta dashboard header and typically follows the format of https://[companyname].okta.com. Learn more about Okta Org URLs.
    2. Okta Application Client ID and Client Secret: Go back to your Okta window and look for the Client ID and Client Secret on the Sign On tab of the Customer.io Application.
  5. Click Authenticate your Okta account to confirm the connection and enable SSO.
  6. Once the connection is authenticated, you’ve successfully enabled SSO for you and your team members.

SSO with Microsoft Azure

Requirements

To configure SSO with Azure, you must:

  • Have an existing Azure account
  • Have an Admin-level role in your Customer.io account
  • Disable “Require 2FA” for your Customer.io account

Register a new app

You can find more info on setup in Microsoft Azure’s Quick Start Guide.

  1. Log into your Microsoft Azure account and go to Azure Active Directory (Azure AD).
  2. Under Manage, select App registrations > New registration.
    Applications is selected on the left hand menu. The button for New Registration is the first tab on the Applications page.
  3. Enter a display Name for your application. This helps you distinguish between your registered apps in Azure. This will not appear in Customer.io.
    The name is OpenID for customer.io. The selected account type is accounts in this organization directory only. No redirect URI is provided at the bottom of the form.
  4. Click Register to complete initial setup.

Configure your app

  1. To finish configuring your registered app, go to Authentication > Add a platform.
    Authentication is selected on the left hand menu. The button Add a platform is the first button on the page.
  2. Select Web.
  3. Add this redirect URI: https://fly.customer.io/oauth2/redirect.
  4. Select Configure.

Add credentials

  1. Select Certificates & secrets > Client secrets > New client secret.

    Certificates and secrets is selected in the left hand menu. The button New client secret is located under the tab Client secrets.

  2. Enter a Description for your secret. Change the Expiration time period if needed.

     Keep track of your expiration timeline

    Customer.io doesn’t know when your client secret will expire. You’ll need to track your client secret’s expiration date outside Customer.io to maintain a smooth sign-in process.

  3. Select Add.

    1. Your client secret is under Value.
  4. Keep your Microsoft Azure account open to finish integrating with Customer.io.

Finish setup in Customer.io

  1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
  2. Select Azure SSO with OpenID Connect.
    Below the selection of Azure SSO are three fields to fill in before you can authenticate your configuration.
  3. Back in Microsoft Azure AD, select Overview from the left hand menu.
    1. Then click Endpoints from the top menu. Copy the OpenID Connect metadata document and paste into Azure Issuer URL in Customer.io. The URL should follow this pattern: https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration.
    2. Copy the Application/Client ID and paste into Azure Application Client ID in Customer.io.
  4. In Microsoft Azure AD, select Certificates & Secrets.
    1. Copy the Value of your client secret and paste into Azure Application Client Secret in Customer.io. Your configuration will not authenticate if you use the Secret ID; make sure you use the Value.
  5. In Customer.io, select Authenticate your Microsoft Azure account. You will be prompted to sign in using Azure. You will see a success banner upon completion or information to help you remedy any issues in your configuration.

SSO with OpenID

You can enable SSO for providers beyond Google, Okta, and Azure using our generic OpenID SSO option in Account Settings. OpenID SSO works with any provider that is compliant with OpenID Connect, such as OneLogin and Auth0.

On the Single Sign-on integration page, there are 4 options. The option for openid sso with openid connect is selected.

Requirements

Like with other IdPs, these are the general requirements to get started:

  • Have an existing account with the provider
  • Have an Admin-level role in your Customer.io account
  • Disable “Require 2FA” for your Customer.io account

Set up OpenID SSO

  1. Configure your IdP:
    1. Register your app with your IdP.
    2. Configure the app.
    3. Create a client secret.
  2. Set up your Customer.io account:
    1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
    2. Select OpenID SSO with OpenID Connect.
    3. Fill in the following using the equivalent fields in your IdP:
      • OpenID Configuration Documentation URL
      • Client ID
      • Client Secret
    4. Select Authenticate. You’ll be prompted to sign in using your IdP. You will see a success banner upon completion or information to help you remedy any issues in your configuration.
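
Before pasting a value into Azure Issuer URL or OpenID Configuration Documentation URL, you can sanity-check the URL and the JSON document it serves. The following is an added example, not Customer.io code: `check_discovery` is a hypothetical helper, the required-field list comes from the OpenID Connect Discovery 1.0 specification, and the sample tenant ID and document are constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# URL pattern quoted in the Azure steps on this page.
AZURE_URL = re.compile(
    r"https://login\.microsoftonline\.com/[^/]+/v2\.0" + re.escape(WELL_KNOWN))
# Metadata fields marked REQUIRED by OpenID Connect Discovery 1.0.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(config_url, document, azure=False):
    """Return a list of problems; an empty list means none were found."""
    problems = []
    if urlsplit(config_url).scheme != "https":
        problems.append("configuration URL is not https")
    if not config_url.endswith(WELL_KNOWN):
        return problems + ["configuration URL does not end in " + WELL_KNOWN]
    if azure and not AZURE_URL.fullmatch(config_url):
        problems.append("URL does not follow the Azure v2.0 pattern")
    try:
        meta = json.loads(document)
    except ValueError:
        return problems + ["document is not valid JSON"]
    if not isinstance(meta, dict):
        return problems + ["document is not a JSON object"]
    problems += ["missing " + key for key in REQUIRED if key not in meta]
    # Discovery rule: issuer (minus a trailing "/") + WELL_KNOWN is the URL.
    if str(meta.get("issuer", "")).rstrip("/") != config_url[:-len(WELL_KNOWN)]:
        problems.append("issuer does not match the configuration URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in meta and urlsplit(str(meta[key])).scheme != "https":
            problems.append(key + " is not https")
    return problems

# Constructed sample: placeholder tenant ID, not a real directory.
BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
SAMPLE_URL = BASE + "/v2.0" + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
    "response_types_supported": ["code"], "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"]})

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC, azure=True))
```

The helper does no network access: save the metadata document from your IdP and pass its text as `document`.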

Disable SSO

 Disabling SSO will affect all of your team members

After you disable SSO, we log your team members out which may interrupt their work and cause them to lose unsaved changes.

  1. Go to Account Settings > Security > Enable Single Sign-On (SSO).
  2. Click Disable and confirm the action.
  3. All team members will need to use Customer.io credentials to sign in moving forward.

 Do not sign up for a new account after SSO is disabled

If any of your team members do not have or remember their Customer.io credentials after disabling SSO, send password reset emails from Team Members. You must have the Admin role to do this.

Troubleshooting

I’m getting an error when I click Authenticate.

If you’re still getting an error after double checking your organization URL, client ID and client secret, check to see that you’ve added yourself to the Customer.io app.

I’m using an aliased email (i.e. ami+cio@customer.io) as my Customer.io login. Can I still SSO?

Yes. Simply update your username in your IdP to your aliased email in the scope of the Customer.io app.

For Google SSO: you can log in using ami@customer.io and have access to CIO accounts linked to ami@customer.io, ami+cio@customer.io, etc.

For Okta, Azure, and other IdPs: it has to be a 1-to-1 match. If your account has ami+cio@customer.io, your CIO account must be ami+cio@customer.io (not ami@customer.io).
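
Because enabling SSO logs everyone out immediately, it is worth checking team emails against your IdP's user list first. The following is an added example, not Customer.io code, that applies the two matching rules above. `lockout_report` and `base_address` are hypothetical helpers, the address lists are constructed, and case-insensitive comparison is an assumption the page does not confirm.

```python
def base_address(email):
    """Drop a "+tag" alias from the local part: ami+cio@x -> ami@x."""
    local, _, domain = email.rpartition("@")
    return local.split("+", 1)[0] + "@" + domain


def lockout_report(team_emails, idp_emails, provider):
    """Return {team_email: reason} for logins that would stop working."""
    # Assumption: addresses are compared case-insensitively.
    idp = {e.strip().lower() for e in idp_emails}
    idp_bases = {base_address(e) for e in idp}
    idp_domains = {e.rpartition("@")[2] for e in idp}
    report = {}
    for raw in team_emails:
        email = raw.strip().lower()
        base = base_address(email)
        # Google accepts aliases of a known user; other IdPs need 1-to-1.
        if email in idp or (provider == "google" and base in idp):
            continue
        if email.rpartition("@")[2] not in idp_domains:
            report[raw] = "external domain"
        elif base in idp_bases:
            report[raw] = "alias differs; needs exact match"
        else:
            report[raw] = "no IdP user with this address"
    return report


# Constructed sample data (example.com addresses, not real accounts).
TEAM = ["ami@example.com", "ami+cio@example.com", "Lee@Example.com",
        "sam@example.com", "pat@contractor.example"]
IDP_USERS = ["ami@example.com", "lee@example.com"]

if __name__ == "__main__":
    for provider in ("google", "okta"):
        print(provider, lockout_report(TEAM, IDP_USERS, provider))
```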

I have two (or more) Customer.io accounts. Can I link both to my IdP account?

Yes, you can, by adding two Customer.io applications within your IdP account. You can do so by repeating the steps above twice, once for each Customer.io account, and making sure the usernames for each app in your IdP are updated to match each corresponding CIO user login.

Is there any sync between my IdP and the team member list in Customer.io?

No, there is no profile or team list sync between the two. You can only update a team member’s name or role in Customer.io. Manage team members

I’m unable to log in after SSO was enabled. What do I do?

The email address you use to log into Customer.io must match the email registered in your IdP. An admin on your account can verify or update your email in Customer.io on the Team Management page.

Reach out to support at win@customer.io if you’re still experiencing issues logging in.
