Where can I get LoginSaml?

LoginSaml is a plugin for Matomo and is available for purchase on the Matomo Marketplace as a yearly subscription. While the subscription is active you will receive all updates for this plugin. The Users Flow plugin is released under the InnoCraft EULA.

You can also get it for free as a hosted solution on our Matomo Analytics (formerly Piwik Analytics) Cloud.

What does LoginSaml do?

If you have a federated environment with a SAML Identity Provider (OneLogin, Okta, Ping Identity, ADFS, Google, Salesforce, SharePoint…), you can use this plugin to interoperate with it, thereby enabling SSO for your piwik users as well as support just-in-time provisioning. Login SAML offers advanced functionality such as just-in-time provisioning, so that your users can get their own account automatically created with the right permission in Matomo Analytics (formerly Piwik Analytics).

Why is SSO important?

SSO offers many benefits. It can ensure consistent access control across the enterprise and external providers, potentially reducing support costs related to authentication / accounts management.

What SAML offers:

  • Usability – One-click access from portals or intranets, deep linking, password elimination and automatically renewing sessions makes life easier for the user.
  • Security – Based on strong digital signatures for authentication and integrity, SAML is a secure single sign-on protocol that the largest and most security conscious enterprises in the world rely on.
  • Speed – SAML is fast. One browser redirect is all it takes to securely sign a user into an application.
  • Phishing Prevention – If you don’t have a password for an app, you can’t be tricked into entering it on a fake login page.
  • IT Friendly – SAML simplifies life for IT because it centralizes authentication, provides greater visibility and makes directory integration easier.

Where do I get more information about this plugin?

It is recommended to visit the LoginSaml plugin page on the Matomo (Piwik) Marketplace as a starting point. There is also our LoginSaml guide. If you need help visit Support for SAML plugin configuration.

The plugin is developed and maintained by InnoCraft, the company from the makers of Matomo. At InnoCraft, passionate product designers and engineers build and maintain the free and open source project Matomo. This ensures the highest quality and compatibility of all their plugins.

Which Matomo version is required for this plugin?

You need at least Matomo (Piwik) 3 or newer. You can also signup to our Matomo Cloud (formerly Piwik Cloud) service.

What happens with the normal login when I enable SAML SSO?

The SSO login is added in addition to the normal login flow.

Accounts generated using SSO (just-in-time provisioning) have no password so login always by SSO will be required if no password is set.

Accounts generated using the normal registration process will be able to use normal login or SSO login.

How do I solve the issue “Invalid array settings sp_certs_not_found_and_required”?

When you’re configuring SAML for Matomo, you may get the following error: Invalid array settings sp_certs_not_found_and_required. This means that you have enabled the signature features (which requires SP public certificate/ private key) but they were not provided in the SAML settings “Advanced” section. You can see our guide for the Advanced section here. If your administrator doesn’t have a public cert /private key to be used and doesn’t want to purchasing one, you can use self-signed certificate (free). In order to generate self-signed certificate can use for example this tool.

How is the user account of the Identity Provider linked with a Matomo account?

On the settings of the SamlLogin plugin the admin will be able to decide if use the login (username) or the email in order to identify piwik accounts with the data provided by the Identity Provider.

What happens if I need help configuring the plugin?

We understand that SAML is a complex SSO standard and no many people are familiarized with SAML terms.

We offer a guide that explain how the plugin works and how to configure it, in addition to specific guides that explain the steps to connect with the main Identity Provider vendors.

If you need help with your configuration, contact InnoCraft and we will agree the terms of the support service.

How do I fix the issue with X509 certificate not being included in the SAMLRequest?

When your X509 certificate configured in the SAML Plugin settings is not being included in the SAMLRequest, follow the steps below.

To sign the AuthNRequest sent by Matomo, you have to activate the “Sign AuthNRequest” option in “Advanced SAML Settings”. You also need to supply 1) SP Public X509cert and 2) SP private key. It is possible to use self-signed Certs. Create Self-Signed Certs on samltool.com.

Once the above steps are completed, AuthNRequest sent by Matomo will be signed (you will be able to find a signature GET parameter, if you are using HTTP redirect binding).

Note: You will need to register the SP Public x509 cert on the IdP side, in order to allow it to verify the Signature.