When LDAP or SAML authentication is enabled, users can sign in using their organisation’s identity system instead of relying solely on local Matomo credentials.

The behaviour of the standard Matomo login form depends on which authentication method is configured and how user accounts were created.

SAML authentication

When SAML is enabled, users may be redirected to the SAML Identity Provider (IdP) login page. However, the standard Matomo login form can still be accessed using the ?normal parameter.

https://your-matomo.example.com/index.php?module=Login&action=login&normal

The ?normal parameter does not bypass SAML authentication. It only displays the standard Matomo login form for users who have local Matomo credentials.

When to use the standard Matomo login form

With SAML authentication, the standard Matomo login form is commonly used for:

  • Superuser recovery access.
  • API token management workflows requiring password confirmation.
  • Administrative access when the SAML or LDAP service is unavailable.
  • Local service or emergency accounts.

Accounts created directly in Matomo with a local username and password can typically use both the normal Matomo login and the SAML SSO login.

Users created through SAML

Accounts automatically created through SAML Just-In-Time (JIT) provisioning do not have a local Matomo password by default.

In LoginSAML 5.5.0 and later, users can reauthenticate through their SAML Identity Provider instead of requiring a local Matomo password. If local login is required, a superuser can configure or reset a local Matomo password for the account.

LDAP authentication

When LDAP authentication is enabled, users typically continue using the standard Matomo login form. However, instead of validating passwords locally, Matomo authenticates the user’s credentials against the configured LDAP directory or Active Directory service.

Unlike SAML, LDAP authentication does not usually redirect users to a separate Identity Provider login page. The ?normal parameter is not required for LDAP login workflows as users can authenticate through the standard login form using their LDAP credentials.

In some environments, LDAP users are synchronised into Matomo only after their first successful login or after directory synchronisation.

Security considerations

Before enabling local Matomo login alongside LDAP or SAML authentication, ensure it aligns with your organisation’s security policies. Some organisations intentionally restrict or avoid local password authentication to enforce centralised identity management through LDAP or SAML.

If the local Matomo login remains enabled:

The availability of the standard Matomo login form depends on your authentication configuration and whether users have local Matomo credentials.
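Where the local form stays reachable next to SSO, the web server access log shows who is requesting it. The following is an added example, not part of Matomo or LoginSAML: it counts requests for the `?normal` login form per client IP. It assumes Combined Log Format; the sample lines, the IP addresses and the `allowed_ips` allow-list are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_local_login_form(target):
    """True when the request names the Login module and carries the `normal` flag."""
    parts = urlsplit(target)
    if not (parts.path.endswith("/index.php") or parts.path.endswith("/")):
        return False
    # keep_blank_values=True because `normal` is sent without a value.
    # Keys and values are lower-cased so the monitor errs on the side of matching.
    raw = parse_qs(parts.query, keep_blank_values=True)
    query = {k.lower(): [v.lower() for v in vs] for k, vs in raw.items()}
    return "login" in query.get("module", []) and "normal" in query

def local_login_hits(lines, allowed_ips=frozenset()):
    """Count local-login-form requests per client IP, skipping allow-listed hosts."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_local_login_form(m["target"]) and m["ip"] not in allowed_ips:
            hits[m["ip"]] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2025:09:14:02 +0000] "GET /index.php?module=Login&action=login&normal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2025:09:14:09 +0000] "GET /index.php?module=Login&action=login&normal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2025:09:15:40 +0000] "GET /index.php?module=CoreHome&action=index HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2025:09:16:01 +0000] "GET /index.php?module=Login&action=login&normal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2025:09:17:12 +0000] "GET /index.php?normal&module=Login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # 192.0.2.10 stands in for an admin workstation expected to use the local form.
    for ip, count in local_login_hits(SAMPLE_LOG, {"192.0.2.10"}).most_common():
        print(f"{ip}\t{count} request(s) for the local login form")
```

A request for the form is not a login attempt in itself; the counts show where the local form is being reached from so that unexpected sources can be reviewed against policy.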

For information about API tokens, password confirmation, and authentication workflows, see the guide on Using API tokens with LDAP or SAML authentication.
