
Single Sign-On

Single Sign-On (or SSO) enables management of user access to your organization through a third-party identity provider.

pganalyze integrates with providers such as Okta and Azure AD using SAML 2.0. This feature is only available on the Scale Plan and higher.

Provider integration

Before continuing with setup, please reach out to pganalyze Support to enable the SSO feature for your organization.

If you integrate with Okta, you can follow the Okta integration steps.

For all other providers, you can follow the Custom SAML 2.0 integration steps.

Default membership

Users that authenticate through SSO for the first time will receive the standard "View & Modify (All Servers)" permission in your organization. You currently cannot change this default, but you can assign new roles after the user has signed in successfully for the first time.

Migrating to Single Sign-On

Once you have enabled Single Sign-On, users who want to authenticate to pganalyze with SSO must sign in through your SSO provider portal, not through pganalyze itself. You currently cannot turn off username/password authentication for your whole organization. Instead, you can remove all non-SSO users from the organization. Members using Single Sign-On can be identified on the Members settings page by the "Single Sign-On Required?" column:

Screenshot of pganalyze Members page indicating the Single Sign-On Required column for each member

Any existing username/password users you remove this way must then sign in to pganalyze directly using their old credentials, go to the user settings page by clicking on their name in the lower left, and change their e-mail in pganalyze to something different from the e-mail address they will use for SSO. Otherwise, when they try to log in through SSO, they will receive the error "Email has already been taken" due to the conflict with the separate username/password user. The user can also request that their old, non-SSO user account be deleted by contacting pganalyze Support.

Removing user accounts

If a user has left your organization, and you have removed them from your identity provider, they will continue to show as a member in pganalyze, even though they can no longer sign in. You can remove the members in pganalyze by going to the Members settings page.

We plan to support System for Cross-Domain Identity Management (SCIM) in the future to help with automated, ahead-of-time provisioning and deprovisioning of user accounts.
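
Until then, the member list has to be reconciled against the identity provider by hand. The script below is an added example, not pganalyze code: the CSV layout (`email`, `sso_required`), the sample addresses, and the function name `audit_members` are assumptions, with the member list copied by hand from the Members settings page.

```python
import csv
import io

# Constructed sample data. The CSV layout (email, sso_required) is an
# assumption: a hand-made copy of the Members settings page.
MEMBERS_CSV = """email,sso_required
alice@example.com,yes
Bob@Example.com,yes
carol@example.com,no
dave@example.com,no
"""

# Constructed list of users currently assigned to the app in the IdP.
IDP_USERS = ["alice@example.com", "carol@example.com", "erin@example.com"]


def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def audit_members(members_csv, idp_users):
    """Classify pganalyze members against the IdP's current user list."""
    idp = {norm(u) for u in idp_users}
    report = {"stale_sso": [], "password_only": [], "password_not_in_idp": []}
    for row in csv.DictReader(io.StringIO(members_csv)):
        email = norm(row["email"])
        sso = row["sso_required"].strip().lower() in ("yes", "true", "1")
        if sso and email not in idp:
            # Removed from the IdP: cannot sign in, but still listed as a member.
            report["stale_sso"].append(email)
        elif not sso:
            # Username/password login does not depend on the IdP.
            report["password_only"].append(email)
            if email not in idp:
                report["password_not_in_idp"].append(email)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for category, emails in audit_members(MEMBERS_CSV, IDP_USERS).items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Members listed under `password_not_in_idp` deserve the first look: removing someone from the identity provider does not affect an account that signs in with a username and password.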

Turning off Single Sign-On

If you'd like to register a different SAML Identity Provider (IdP), or turn off SSO, you can reset the SSO integration. This requires being logged in as a username/password based user with the manage permission. You can then click the "Reset integration" button on the Integrations settings page:

Screenshot of pganalyze SAML integration with Reset Integration button

Resetting the integration will remove all organization members that are linked with the IdP.

All linked permissions and other per-user customizations will be lost with the reset.

