Back to blog

Piwik SSO and 7 Steps to Enterprise-Level Security and Permission Management

Analytics Data privacy & security

Written by

Published September 29, 2015 · Updated March 17, 2021

Piwik SSO and 7 Steps to Enterprise-Level Security and Permission Management

New software usually promises more efficiency in business processes. However, as the number of tools and apps grows, system users and administrators are confronted with an increasingly complicated interface to accomplish their day-to-day work assignments.


Luckily, an SSO – single sign-on – can simplify the process of authentication and authorization. This control access property is also well supported in Piwik PRO owing to LDAP. In this blog post we will focus on the SSO’s potential and discuss seven main steps to unlock and enhance Piwik PRO PRO’s security and performance in enterprise-level environments.


The Enterprise Challenge

Enterprise systems are increasingly assembled from related, but independent software components with individual operating systems and applications. Users typically have to sign-on multiple systems, each time with a different set of usernames and authentication information, whereas administrators are faced with managing numerous accounts within each of the multiple systems.

How Can SSO Help?

Single sign on software allows users to access all computers and applications to which they have permission without being asked to enter their ID and password numerous times. For instance, a user logs in once, getting access to several low-risk applications. When the same user tries to access higher-risk information, such as payroll, the SSO software may require a stronger form of authentication, such as digital certificates or security tokens.

Benefits of SSO

There are several reasons why SSO can be a good choice. It reduces the hassle of keeping track of numerous ID and password combinations, also saving time a user would spend re-entering credentials for the same identity. Fewer passwords are also good for IT support teams, as it lowers the number of help-desk calls about lost login details.

Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps

Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:

Download FREE Guide

How Does SSO Work?

How a single sign on system works in detail will depend on its implementation, and there are several software options available, both free/libre and/or open source (e.g. Shibboleth, Persona, JOSS), as well as proprietary (Athens, CA Single Sign-On, Facebook Connect). In general, SSO relies on a centralised authentication server that all applications and systems use for authentication purposes so users do not have to actively enter their credentials more than once.

This is routinely accomplished using the Lightweight Directory Access Protocol (LDAP) and LDAP databases stored on servers. Open and vendor-neutral, LDAP is an application protocol for accessing and maintaining distributed directory-information services over an Internet Protocol (IP) network, allowing to share information about users, systems, and apps. The LDAP directories are also efficient in high-performance lookups and when addressing high volumes of traffic.

For example, when a user enters their login details, this information gets sent by the SSO software to the security server, which in turn logs on to the LDAP server on behalf of the user. A successful login means that the security server can then proceed with any authorisation, subsequently letting the user access applications or assets they require.

How SSO works

7 Steps to Enterprise-Level Security and Permission Management in Piwik PRO

Piwik PRO analytics can be successfully incorporated into enterprise structures built on a diversity of single sign on implementations. The Piwik PRO Team has helped several corporations and governments implement analytics solutions using out-of-the-box Piwik PRO with a combination of free and custom-developed plugins.

5 (1)
Here we offer you a general overview of possible solutions supporting full integration of Piwik PRO SSO with different enterprise systems, enhancing its security, as well as improving management of user permissions.

    1. Piwik PRO SSO capabilities can be achieved when using this analytics platform directly with enterprise systems that utilize LDAP in general or deploying solutions, such as Shibboleth, Airlock IAM (formerly Medusa), CA Single Sign-on (formerly Siteminder), MS Active Directory, and many others.

    1. Piwik PRO can also provide different options to authenticate. Among other plugins available, one should pay attention to Password Policy which provides one another level of protection.

    1. Another option could be to implement HTTP Basic authentication with the LoginHttpAuth plugin that makes login to Piwik PRO possible using HTTP Auth protocol. This plugin is also available on the Piwik PRO Marketplace.

    1. Piwik PRO should soon welcome another plugin helping to achieve Piwik PRO SSO authentication. LoginSamlSSO allows users to log in to Piwik PRO using SAML IdP. It will be published in the coming weeks, but the release candidate is already freely available from Github – for more details please follow this link.

    1. There are also premium features which may be useful when managing large Piwik PRO analytics instances forming a part of enterprise systems. Owing to the premium User Groups plugin the process of assigning access and admin permissions can be significantly simplified and accelerated, thus making it a valuable option for organisations with a large number of users and websites. With this plugin, assignment and management of user permissions can take place at group level. Once the status of a user changes in the central system of SSO, their roles and privileges are automatically adjusted in Piwik PRO.

  1. Another premium feature useful in data-sensitive enterprise environments is The Password Policy feature, especially recommended for large financial, health, or governmental institutions. It enables easier password-policy enforcement and setup that matches existing practices of an organization. The Password Policy feature automatically prompts platform users to change their login details on a regular basis and set more complex passwords. Moreover, users with the Super Admin privilege can see information about users who haven’t updated their password or logged in for some time.

Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps

Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:

Download FREE Guide


Ewa Bałazińska

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free

 12 Simple Steps To Make Your Web Analytics Efficient & GDPR Compliant
Upcoming live webinar

May 26, 2022

Life after Universal Analytics: What makes Piwik PRO a better alternative than Google Analytics 4

In July 2023 Google Universal Analytics, known as Google Analytics 3, will become history. Companies need to decide what to do next – switch to the controversial Google Analytics 4 or consider other options. Find out why Piwik PRO Analytics Suite might be a great alternative to Google products. Learn how to easily migrate your analytics to a privacy-friendly EU-based platform. Get all your questions answered during a Q&A session.

Sign up for this webinar