Single Sign-On (SSO)
Introduction
Product-Live supports Single Sign-On (SSO) to enhance the security of your account. By connecting Product-Live to your company's Identity Provider (IdP), you ensure that any user removed from your Active Directory (AD) will no longer be able to access Product-Live.
Product-Live supports the following authentication protocols:
| Protocol | Description |
|---|---|
| OpenID Connect | A modern authentication layer built on top of OAuth 2.0. |
| SAML v2 | A widely adopted XML-based standard for exchanging authentication data. |
Info
Setting up SSO requires the intervention of our Professional Services team. Please contact your Product-Live representative to get started.
How it works
Identity matching
SSO in Product-Live relies on a single uniqueness link: the email address. The email registered in Product-Live must match the email present in your Active Directory. No other attribute is required.
Logout behavior
When a user is removed from your Active Directory, they are not immediately logged out of Product-Live. Instead, access is denied at the next login attempt. There is no forced logout or notification sent to the user.
Suppliers and external users
Suppliers or external collaborators who are not part of your Active Directory can continue to authenticate using their regular login/password and/or Multi-Factor Authentication (MFA). SSO enforcement only applies to users whose identity is managed through your AD.
What is managed in Product-Live
Even with SSO enabled, several aspects of user and access management remain within Product-Live:
| Area | Managed in Product-Live | Managed via SSO |
|---|---|---|
| License provisioning (creation, revocation) | Yes | No |
| User groups | Yes | No |
| Permissions and roles (referencing, enrichment, admin, etc.) | Yes | No |
| Authentication (login) | — | Yes |
Important
User groups and roles are not synchronized through SSO. All permissions and team assignments must be configured directly in Product-Live, as described in the Users management and Permissions guides.
License provisioning
When a user is removed from your Active Directory but still holds a license in Product-Live, the license is not automatically revoked. An administrator must manually update the user's status in Product-Live to free up the license. Refer to the Users management guide for more details on user statuses.
Setting up SSO
SSO configuration is handled by the Product-Live Professional Services team. To initiate the setup, please contact your Product-Live representative.
During the setup process, your IT team will need to:
- Provide access to your Identity Provider configuration
- Ensure that user email addresses in your AD match those registered in Product-Live
- Choose between OpenID Connect or SAML v2 as the authentication protocol
FAQ
Does SSO replace the need to manage users in Product-Live?
No. SSO handles authentication only (verifying who the user is). License provisioning, user groups, permissions, and roles are still managed in Product-Live.
What happens to suppliers who are not in our Active Directory?
Suppliers and external users continue to log in with their email and password, with optional MFA. SSO does not affect their access.
Is a user immediately locked out when removed from the Active Directory?
No. The user will be denied access at their next login attempt. If they are currently logged in, their session will continue until it expires or they log out.
Can we manage user roles and groups through SSO?
No. User groups and role assignments are managed exclusively within Product-Live. SSO is limited to the authentication step.
Which Identity Providers are supported?
Product-Live is compatible with any Identity Provider that supports OpenID Connect or SAML v2. This includes, but is not limited to:
| Identity Provider | Supported |
|---|---|
| Microsoft Entra ID (formerly Azure AD) | Yes |
| Okta | Yes |
| Auth0 | Yes |
| Google Workspace | Yes |
| Ping Identity | Yes |
| OneLogin | Yes |
If your Identity Provider is not listed above and supports OpenID Connect or SAML v2, it is very likely compatible. Contact our Professional Services team to confirm.
How do I revoke a license for a user removed from the AD?
You must manually change the user's status in Product-Live (e.g., to Suspended or Archived). See the Users management guide for details.