Skip to main content

Enabling single sign-on (SSO) for your organization

Learn about requesting single sign-on (SSO) for your organization, and access the PI software in the most secure, convenient way possible.

Updated today

The Predictive Index now offers single sign-on (SSO) setup for interested organizations. SSO is the most secure and convenient way for your team to access the PI platform.

This guide outlines the benefits of SSO, compatible identity providers (IdPs), and specific technical workflows to expect during setup.

Note: SSO is currently offered as part of a Closed Beta, meaning it is available on a limited basis and only to clients who explicitly opt in. To request SSO for your organization, please reach out via our in-software service agent.

Why enable single sign-on for PI?

Enabling SSO creates a secure, streamlined connection between the PI platform and your company's existing systems. This connection allows for:

  • Greater security: Centralize your access control. Your IT team can enforce consistent, strong security policies, such as multi-factor authentication (MFA), directly through your primary IdP.

  • Improved user experience: Users gain instant access to PI without interrupting their workflow. One set of credentials means fewer passwords to remember and less friction.

  • Reduced IT overhead: Decrease password-related support tickets by letting your internal IT team manage user provisioning and de-provisioning from a single source.

Note: Unlike logging in with Google or Microsoft, which is implemented on a per-user basis, SSO is applied organization-wide, allowing for greater control and security.

Compatibility: What IdPs does PI SSO support?

We can set up SSO for any PI2 clients that use a supported identity provider. See a full list of supported providers here. We are also working to integrate with all major enterprise Identity Providers using industry-standard protocols like SAML 2.0 and OpenID Connect (OIDC).

Our current support includes the most common enterprise solutions. Here’s a list of all options available today:

  • Microsoft Entra ID (formerly Azure AD) & Azure Active Directory Native

  • Okta

  • Google Workspace

  • Active Directory/LDAP & ADFS

  • PingIdentity & PingFederate

  • OneLogin

Note: If your organization uses an identity provider not listed here or supported via standard protocols, we are unable to support an SSO connection for your organization at this time.

What’s the difference between SSO and social login?

PI also offers login options via social providers like Google and Microsoft. It is important to distinguish between these two features.

  • SSO (enterprise access): This is for corporate security. It links the platform to your central corporate identity and is managed entirely by your internal IT team.

  • Social login (personal access): This is for individual convenience. It links PI to a user's individual third-party account and is managed by the user themself.

Technical workflows: What to expect

Before setting up SSO, we want to make sure you and your IT team have a clear picture of the setup workflow and the day-to-day experience for your users.

1. IT setup process

The setup process for the SSO Closed Beta is designed to be quick and collaborative. We use a self-service model powered by Auth0.

  • Step 1: Interest & eligibility - Your IT contact fills out our interest form with technical details. We verify that we can support your specific configuration.

  • Step 2: Configuration - Once verified, we send a one-time secure link from Auth0 to your IT contact. You will use this to configure the SSO connection. We estimate this will take about 30 minutes to complete, but the exact time depends on your IT team.

Note: We do not use a traditional SAML metadata file. The SAML connection is created manually inside this workflow.

  • Step 3: Verification - Once configured, you must test the login yourself.

  • Step 4: Go live - After you confirm a successful test login, reply to us to let us know. We will verify the setup on our end and officially mark the integration as complete.

2. User provisioning

This is the most important part of our configuration to understand. Our SSO solution manages authentication (logging in), not provisioning (creating users).

Creating new users: Even with SSO enabled, you still need to add new users within the PI software. Unfortunately, we can’t bypass that requirement for new users, even for SSO-enabled accounts. This ensures the user profile exists securely in our database before we map it to your IdP. However, new users won’t be prompted to set a password.

3. Login experience (SP-initiated)

With the exception of Okta, we can only configure service provider (SP)-initiated logins as of today. This means users will need to visit PI’s login page to access the software.

Here’s how users can log in to PI via their SP:

  1. Users navigate to the PI login page.

  2. They enter their email address.

  3. Our system recognizes that the email domain is SSO-enabled.

  4. The user is immediately redirected to your organization's IdP login page to authenticate.

  5. Upon authenticating, users will land on the PI dashboard.

IT tip: If your users are accustomed to launching apps from an IdP dashboard, you can manually add a bookmark link that points to the PI login page. However, remind users they will still need to enter their email once they land on our page to trigger the redirect.

4. Login experience (IdP-initiated)

If your organization does use Okta, you will be able to configure an identity provider (IdP)-initiated login.

Here’s how users can log in to PI via Okta:

  1. Users log in to Okta.

  2. They navigate to their Okta dashboard.

  3. They click the “Predictive Index” app tile.

  4. Users will land on the PI dashboard, bypassing the login screen completely.

IT tip: Looking to configure PI SSO via Okta? Learn about Okta’s Express Configuration here.

5. Offboarding & security

When an employee leaves or needs their access restricted:

  • Best practice: We encourage you to archive their employee record directly within the PI software to keep your user list clean.

  • Safety net: If you forget to archive users in PI, their access is still revoked. As long as you have disabled the user in your IdP, they cannot log in to PI. Our system will still recognize them as an SSO user and attempt to redirect them to you, where they will be blocked by your own security protocols.

IT tip: Okta also supports universal logout for added security. Learn about Okta’s Express Configuration here.

FAQs

Our organization currently uses Legacy PI. Can we get SSO?

We only support PI2 clients at this time.

Does PI’s SSO support user creation (JIT provisioning)?

No. Our SSO currently supports login only. New users must be added manually from the PI software.

What attributes must be passed during authentication?

PI’s SSO only requires email.

How do I get help with PI's SSO configuration?

If you hit a snag during the the self-serve setup process or you have specific questions about your configuration, please reach out to our support team via our in-software service agent.

Additional support

Did this answer your question?