Single Sign-on (SSO)

Organizations with enhanced security requirements can configure their Customer.io account to use Single Sign-on (SSO). You must use a supported identity provider to enable SSO with Customer.io.

How to set up SSO

The process for configuring SSO will depend on your specific identity provider. Customer.io has dedicated integrations with the following providers:

Frequently Asked Questions

What is OpenID Connect?

OpenID Connect is a security standard for logging into applications, built on the OAuth 2.0 protocol. It uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choice, such as scopes and endpoint discovery. It is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps. Learn more about OpenID Connect.

How do I add a new team member to my account after enabling SSO?

When a new team member is added through Customer.io to an SSO-enabled account, the new team member will receive an email prompting them to log in. On invite, they should not need to set or reset a password, but instead can directly enter their email into the Customer.io login page.

Can I manage team member roles through my Identity Provider?

It’s not possible to define a user’s permissions via your Identity Provider. You can only manage a user’s permissions in Customer.io. See Manage team permissions.

How do I require 2FA with SSO?

Each team member’s individual 2FA setting is not enforced in Customer.io while Single Sign-On (SSO) is enabled. You must disable the 2FA Requirement feature in Customer.io if you wish to enable SSO. To add two-factor authentication in addition to enabling SSO in Customer.io, enable 2FA within the settings of your specific identity provider.

  • Require 2FA through Google
  • Enable 2FA in Okta

I’m able to log in with Google. Is that the same as Google SSO?

No, it is not. “Log in with Google” is an option on the Customer.io sign in page to quickly and securely log in, but team members can still use their email and password during sign in. To block team members from signing in with an email/password, you must enable Google SSO on the Account Security page.

I’m unable to log in after SSO was enabled. What do I do?

The email address used to log into Customer.io must match the email registered in your IdP when you first log in. An admin on your account can verify or update your email in Customer.io on the Team Management page.

Reach out to support at win@customer.io if you’re still experiencing issues logging in.


SSO with Google

If you are using G Suite to manage your company email, then you can enable Google SSO in your Customer.io account. You must:

  • Have a G Suite account (public @gmail.com email accounts cannot set up SSO),
  • Have an Admin-level role in your Customer.io account, and
  • Disable “Require 2FA” for your Customer.io account.

Once setup is complete, members of your account will immediately be logged out and will need to log in again using their Google-managed email address.

  1. Log in to your Customer.io account and navigate to Account Settings → Security.
  2. On the Security page, select Configure SSO to get started.
  3. In Step 1, select Google SSO.
  4. In the next and final step, click to Authenticate your account. This will open a Google authorization window asking you to choose the account you’d like to use with Customer.io. Make sure to choose the email account used by you and your team to log in. Anyone with a different Google email domain will not be able to log in.

     Check your team email addresses!

    Once Google SSO is enabled, only team members in your company G Suite account will be able to log in. Any team members with an external email address will not be able to log in until their emails are updated in Customer.io.

SSO with Okta

Requirements

To configure SSO with Okta, you must have:

  • an existing Okta account,
  • an Admin-level role in the Customer.io account, and
  • “Require 2FA” disabled for your Customer.io account.

Supported Features

This implementation supports User Authentication. After a team member is added to your Customer.io account, they’ll be asked to authenticate with Okta in order to log in.

No other features (i.e., profile sync, provisioning, etc.) are supported at this time.

Okta SSO Configuration Steps

Setting up Okta SSO with Customer.io is a two-step process. You’ll first add the Customer.io Application to your Okta account. Then, you’ll configure your Customer.io security settings to connect to Okta.

 Warning Before Enabling SSO

Once setup is complete, team members will be immediately required to re-login to Customer.io using their Okta credentials. Their current work may be interrupted.

Part 1: Add Customer.io Application to Okta

  1. Add Customer.io to your Okta account by going to your Applications page and clicking Add Application.


  2. Search for Customer.io in the Application Search field and click Add.

  3. You’ll be asked to provide an Application label (Customer.io) and configure whether the application should display to users or auto-submit with the browser plugin. Select your preference and click Next (these can be changed later).


  4. Next, you’ll see Step 2: Sign-On Options. Select OpenID Connect and click Done.


  5. Once you click Done, the application will be added to your Okta org and is ready to be assigned to your team members. Click Assign to add the team members or groups who will be accessing Customer.io, including yourself!


  6. Once you’ve added People, keep the Okta window open and move to Part 2.

Part 2: Configure Okta SSO in Customer.io

  1. Open a new window and get ready to set up SSO in your Customer.io account. Log in to Customer.io and navigate to the Security page of Account Settings.
  2. On the Security page, select Configure SSO to get started.
  3. Select Okta SSO with OpenID Connect to show the configuration settings.
  4. In the Configuration form, enter the following information:
    1. Okta Organization URL: This can be found in your Okta dashboard and typically follows the format of https://companyname.okta.com. Learn more about Okta Org URLs.
    2. Okta Application Client ID and Client Secret: Go back to your Okta window and look for the Client ID and Client Secret on the Sign On tab of the Customer.io Application.
  5. Click Authenticate your Okta account to confirm the connection and enable SSO.
  6. Once the connection is authenticated, you’ve successfully enabled SSO for you and your team members.

Troubleshooting

I’m getting an error when I click Authenticate.

If you’re still getting an error after double checking your organization URL, client ID and client secret, check to see that you’ve added yourself to the Customer.io app in Okta (Part 1, Step 5).

I’m using an aliased email (e.g., ami+cio@customer.io) as my Customer.io login. Can I still SSO with Okta?

Yes, you can, by updating your username in Okta within the scope of the Customer.io app to your aliased email. More information on how to do this is available in Okta’s documentation.
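A pre-flight check for the email-matching rules described above (the Google domain restriction, the IdP email match, and the Okta alias case), as an added example that is not Customer.io's or Okta's code. The team and IdP lists are constructed sample data an admin would copy by hand; the function names, status labels and the case-insensitive comparison are assumptions.

```python
"""Pre-flight check of team login emails before SSO is enabled (added example)."""

def split_email(addr):
    # Assumption: logins are compared case-insensitively, so normalize first.
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain

def preflight(team_emails, idp_usernames, sso_domain=None):
    """Return {login email: status} for every team member.

    sso_domain is only needed for the Google case, where logins outside the
    company domain are locked out. idp_usernames is the set of usernames the
    IdP will present for the application.
    """
    idp = {u.strip().lower() for u in idp_usernames}
    report = {}
    for raw in team_emails:
        local, domain = split_email(raw)
        email = f"{local}@{domain}"
        base = f"{local.split('+', 1)[0]}@{domain}"
        if not local or not domain:
            status = "malformed"
        elif sso_domain and domain != sso_domain.lower():
            status = "external_domain"           # update the email in Customer.io
        elif email in idp:
            status = "ok"
        elif "+" in local and base in idp:
            status = "alias_needs_idp_username"  # set the app username in the IdP
        else:
            status = "not_in_idp"                # assign the user to the app first
        report[raw] = status
    return report

def blocked(report):
    """Logins that would fail once SSO is switched on."""
    return sorted(e for e, s in report.items() if s != "ok")

# Constructed sample data: lists an admin would copy from the Team Management
# page and from the IdP directory. None of these addresses are real.
TEAM = ["ana@example.com", "Ben@Example.com", "cy+cio@example.com",
        "dee@gmail.com", "eli@example.com"]
IDP = ["ana@example.com", "ben@example.com", "cy@example.com"]

if __name__ == "__main__":
    for email, status in preflight(TEAM, IDP, sso_domain="example.com").items():
        print(f"{status:26} {email}")
```

Run it before enabling SSO and resolve every address returned by `blocked()`, since members are logged out as soon as setup completes.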

I have two (or more) Customer.io accounts. Can I link both to my Okta account?

Yes, you can, by adding two Customer.io applications within your Okta account. You can do so by repeating the steps above once for each Customer.io account, and making sure the usernames for each app in Okta are updated to match each corresponding Customer.io user login.

Is there any sync between Okta and the team member list in Customer.io?

No, there is no profile or team list sync between Okta and Customer.io. You can only update a team member’s name or role in Customer.io. See Manage team members.

How do I add a new team member to my account after enabling SSO?

When a new team member is added through Customer.io to an SSO-enabled account, the new team member will receive an email prompting them to log in. On invite, they should not need to set or reset a password, but instead can directly enter their email into the Customer.io login page.

Can I manage team member roles through Okta?

It’s not possible to define a user’s permissions via Okta. You can only manage a user’s permissions in Customer.io. See Manage team permissions.

Reach out to support at win@customer.io if you’re still experiencing issues with enabling SSO.
