SSO for Pantheon Organizations
Learn how to enable SAML single sign-on for your organization.
This section provides information on SSO workflow on Pantheon, as well as authentication and IdP configuration requirements.
The SSO user experience for members and external members is outlined in the sections below. Note that the distinction between members and external members is determined by the email domain used to access Pantheon.
Members of an SSO Organization
Members of an SSO-enabled organization have an email address that includes the organization's email domain, for example, @xmail.com. You can think of these members as internal members of the organization. Members of an SSO organization experience the following process:
User submits the Pantheon login form with their email address.
User is redirected to the configured IdP.
The IdP authenticates the user and then redirects the user to Pantheon.
SAML applies to an entire email domain when enabled on Pantheon. You cannot use SAML on a per-site, per-environment, or per-user basis.
External Members
An external member is anyone in the organization using an email address on a different domain than what's configured for SSO, for example, @ymail.com. New and existing external members of the organization are not affected when SSO is enabled. External users are not redirected to the configured IdP and experience no change in behavior when logging in. External members experience the following process:
User submits the Pantheon login form with their email address.
User is authenticated and taken to Pantheon.
Terminus Authentication
Users in a SAML-enabled Pantheon organization can authenticate via Terminus by using machine tokens.
Manage Users
Pantheon organization administrators can manage sites and teams with the workspace. Automated user provisioning isn't available.
Configure your IdP
Refer to your IdP for general SAML 2.0 configuration instructions. Pantheon supplies the string you must use in place of Pantheon-SSO-Connection-Name in the examples below.
You must enter the following:
Single sign-on URL:
https://pantheon.auth0.com/login/callback?connection=Pantheon-SSO-Connection-Name- Note that the single sign-on URL is case sensitive.
Audience URI (SP Entity ID):
urn:auth0:pantheon:Pantheon-SSO-Connection-NameAdd an Attribute Statement to map
mailtoemail. If using Okta, map the attributesmailtouser.emailanduser_nametouser.email.Additional configuration details:
- The post-back URL (also called Assertion Consumer Service URL) is:
https://pantheon.auth0.com/login/callback - The SAML Request Binding (sent to the IdP from Auth0):
HTTP-Redirect - The SAML Response Binding (how the SAML token is received by Auth0 from IdP):
HTTP-Post - The NameID format:
unspecified - The
user_idattribute must be configured to be sent manually. If this value is not already present, it should be set to match theemailattribute. - The SAML assertion, and the SAML response can be individually or simultaneously signed.
- Optional: Assertions can be encrypted with the following keys: CER | PEM | PKCS#7
- The post-back URL (also called Assertion Consumer Service URL) is:
Azure IdP Configuration
Azure configuration requires several modifications from the general instructions in the above section.
Complete the Pantheon-specific steps in Azure's documentation to Configure Azure AD SSO.
Confirm that you make all required edits to correctly map custom attributes, including:
Identifier text box:
urn:auth0:pantheon:Pantheon-SSO-Connection-NameReply URL text box:
https://pantheon.auth0.com/login/callback?connection=Pantheon-SSO-Connection-NameSingle sign-on URL:
Leave Blank
Enable SAML on Pantheon
Contact support and provide the following:
Email Domain(s): The email domain(s) your organization controls. Only users with email addresses in this domain will use the Organization's IdP.
Single Sign-on URL: The URL of your IdP that we will redirect to for authentication.
Certificate: The X.509 certificate used to validate incoming SAML requests. Please share this via https://gist.github.com/
Date/time to enable: A time you'd like Pantheon to enable SSO, when you can test and ensure everything works.
Troubleshooting
Cannot Authenticate with Username/Password When Creating a New Machine Token
If you are a member of a SAML-enabled organization, and the password field does not disappear after you enter your username and password, you'll need to log out of your active session, log back in, and try again. This can occur if you have two accounts with different email addresses and have not logged out of an active session.
Cannot Log in Using a Google Account
Google account login is disabled for users in organizations using single sign-on. SAML allows organizations to centrally manage authentication policies, so allowing social login could circumvent that policy.
Use Base-64 encoded X.509(.CER) when using Microsoft Active Directory Federation Services (AD FS) as an IdP
Make sure you generate the certificate using the correct encoding.
Use token-signing certificate when using Microsoft AD FS as an IdP
There are three types of certificates that you can generate:
communication-servicetoken-decryptingtoken-signing
Use a token-signing certificate, otherwise you will get a thumbprint error.
Update email address
Due to the way enterprise connections are configured, it is not possible to change the email address for your account via Pantheon. Instead, you will need to contact the administrator of your company’s single sign on service - they can either update your email address or add an additional email address to your user account.
Once updated, Pantheon will recognize the new email address at login and connect you to the correct user account based on alias metadata passed by your IdP.
You will not see a change to the email address on Pantheon. However, the login experience will continue to work normally without disruption.