Who can use this feature?
Single sign-on (SSO) is available to teams on the Enterprise plan (see the Administration & Security section of our Pricing page for additional detail or to upgrade your plan).
Setup guides for specific providers
Using one of the providers listed below? Select one of the following setup guides for additional details on setting up single sign-on with Azure AD, G Suite, Okta or OneLogin.
General steps for other providers
Find your public certificate
Your X.509 certificate allows users to sign in through a third-party identity provider and be authenticated by Mixpanel without supplying a username and password. Each identity provider account has a unique X.509 certificate that will need to be uploaded to Mixpanel during the single sign-on setup process.
Find your authentication URL
Each IDP has an authentication URL that will redirect users to the IDP SSO portal when they try to login to Mixpanel.
Only project owners have access to set up SSO; the following settings will not be visible to project members.
- Upload the x.509 certificate from the IDP to your project by clicking Project settings → Access security → Set up SSO. The prompt to upload your certificate will appear after you enter you password.
- Paste the IDP authentication URL in the "Access security" menu in the “Postback URL” field. At this point, trying to login to Mixpanel from our login page with your email address (assuming it has a created account associated with it) should redirect you to your IDP login portal.
- The SAML response from the IDP must use the email address of the user tied to their created Mixpanel account as the NameID in the assertion:
q4xCWq9rodxkC/7tJHPJwMCx7qw=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">firstname.lastname@example.org</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_0775952b98764896829e6c359e7416f3" NotOnOrAfter="2017-07-18T18:11:37.188Z" Recipient="https://mixpanel.com/security/sso/login/3429/"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-07-18T18:01:37.188Z" NotOnOrAfter="2017-07-18T18:11:37.188Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AudienceRestriction><saml2:Audience>https://mixpanel.com/security/sso/login/3429/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-07-18T18:06:37.188Z" SessionIndex="_0775952b98764896829e6c359e7416f3" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
- Users with Mixpanel accounts who are members of the SSO enabled project must be provisioned app access by the IDP IT Admin. At this point, they should be able to authenticate and get access to the SSO enabled project.
- Any new users who are to be provisioned app access will need to create their own Mixpanel account.