From 432e97af3073080d9df5598b7f47995193fcb67d Mon Sep 17 00:00:00 2001 From: Leonardo Fratini Date: Fri, 26 Sep 2025 16:45:34 +0200 Subject: [PATCH 1/6] Create google.md --- .../access-security/single-sign-on/google.md | 161 ++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 pages/docs/access-security/single-sign-on/google.md diff --git a/pages/docs/access-security/single-sign-on/google.md b/pages/docs/access-security/single-sign-on/google.md new file mode 100644 index 0000000000..043cf65504 --- /dev/null +++ b/pages/docs/access-security/single-sign-on/google.md 
@@ -0,0 +1,161 @@ +# Setup Google Workspace SSO + + +## Overview + +Before using this document, read the [general Mixpanel SSO set-up instructions](/docs/access-security/single-sign-on). + +You have two setup options in order to use Single Sign-On (SSO) for Mixpanel through Google Workspace IDP: + +A. For most use cases, you can use the **Mixpanel app** within Google Workspace app store + +B. If you have a more custom setup, follow Google Workspace's documentation on setting up a new application to create a custom Mixpanel app. + +### Configure SSO in Mixpanel + +Follow the [general SSO set-up instructions](/docs/access-security/single-sign-on). + +Make sure to collect your postback URL and successfully claim your domain. + +### Configure the Mixpanel App in Google Workspace + +A. Use the [Mixpanel app within Google Workspace's app store](https://admin.google.com/ac/apps/unified), or + +B. Follow [Google Workspace's documentation on setting up a new application](https://support.google.com/a/answer/6087519?hl=en) to create a custom Mixpanel app. + +#### Configure SAML + +A. If you use the Mixpanel app from the store, the following SAML configuration is already built into the app. + +B. If you create a custom app, you must fill the form found in the **Configure SAML** menu in Google Workspace. 
Make sure that the following fields are adjusted to exactly match the corresponding values: + +- **Single sign on URL:** Postback URL from Mixpanel (https://mixpanel.com/security/sso/v2/authorize/?org_id=YOUR_ORG_ID) +- **Requestable SSO URLs:** https://sso.mixpanel.com/sso/saml2 +- **Recipient URL:** https://sso.mixpanel.com/sso/saml2 +- **Destination URL:** https://sso.mixpanel.com/sso/saml2 +- **Audience URI:** https://mixpanel.com/security/sso/v2/authorize/ + +The following screenshot highlights what you should place in the fields: + +![Google Workspace Config SAML 1 Image](/Google Workspace_config_1.png) + +To add the Requestable SSO URLs field, navigate to Advanced Settings: + +![Google Workspace Config SAML 2 Image](/Google Workspace_config_2.png) + +Additionally, it is required that you use `email` as an attribute statement, other attributes we recommend include `firstName` and `lastName`. + +| Name | Value | +| ------------: | --------: | +| Primary email | email | +| First Name | firstName | +| Last Name | lastName | + +![Google Workspace Config SAML 2 Image](/Google Workspace_config_3.png) + +### Obtain Information From Google Workspace + +In order to configure Mixpanel use with Google Workspace, you must first obtain your **Public Certificate**, **Authentication URL**, and **Issuer URL**. + +To access this information, first select the select the Mixpanel app under the **Applications** tab in Google Workspace. Click on the **Sign On** tab. + +In the right **About** column under the **SAML Setup** section, click **View SAML setup instructions**. + +![Google Workspace Info 1 Image](/Admin/Google Workspace/Google Workspace_saml_setup_instructions_fixed.png) + +#### Public Certificate + +The X.509 certificate allows users signing in through a third-party identity provider to be authenticated by Mixpanel without supplying a username and password. 
Each identity provider account has a unique X.509 certificate that will need to be uploaded to Mixpanel during the SSO setup process. + +Click **Download Certificate** in the second entry to download your certificate. + +![Google Workspace Info 2 Image](/Google Workspace_info2.png) + +You can also find the Public Certificate in the **Sign On** tab of the **Mixpanel** app. Scroll down to the **SAML Signing Certificates** section. Click **Actions** for the SHA-2 certificate and **Download certificate**. + +![Google Workspace Certificate Download Image](/Admin/Google Workspace/Google Workspace_download_certificate.png) + +If you Public Certificate is expired or compromised, click **Generate new certificate** to generate a new certificate to upload in Mixpanel. + +#### Authentication URL + +Your Authentication URL is in the third entry labeled **Redirect Login URL**. + +![Google Workspace Info 3 Image](/Google Workspace_info3.png) + +#### Issuer URL + +You will find your Issuer URL in the third entry labeled **Identity Provider Issuer**. + +![Google Workspace Info 4 Image](/Google Workspace_info4.png) + +### Enable SSO + +From Mixpanel, navigate to your **Organization Settings** and then the **Access Security** tab. From the **2FA & SSO** menu, insert your **Public Certificate**, **Authentication URL**, and **Issuer URL**. + +Optionally toggle **Require Single Sign-On** to prevent your users from logging in with a username and password. Organization Owners and Admins will still be able to log in using username and password in case SSO is not set up correctly. + +### Configuring SCIM Provisioning + +SCIM provisioning uses [the Mixpanel app within the OIN (Google Workspace's app store)](https://www.Google Workspace.com/integrations/mixpanel/). + +The following prerequisites must be met to set up SCIM provisioning: + +- You must have an active Enterprise plan subscription with Mixpanel. +- You must have Google Workspace SSO set up with Mixpanel. 
+- The `Username` value in Google Workspace must be an email address with a domain that you've claimed. +- You need to have generated a SCIM OAuth token to use with the app. This token is located in **SCIM** menu of the **Access Security** tab in your Organization Settings. You will need to be an Organization Owner or Admin to access this. + +![Google Workspace SCIM 1 Image](/Admin/Google Workspace/sso_scim_token_updated_2024.png) + +The following provisioning features are supported: + +- **Push New Users:** New users created through Google Workspace and assigned to the application will be created in Mixpanel. +- **Push Profile Updates:** Updates made to the assigned user's supported profile attributes (First Name, Last Name, Email) through Google Workspace will be pushed to Mixpanel. +- **Push User Deactivation:** Deactivating the user or removing the user from the application through Google Workspace will deactivate the user in Mixpanel (or delete the account if specified). +- **Reactivate Users:** Reassigning a previously unassigned user to the application will reactivate the user's account in Mixpanel. + +Please note the following when provisioning users from Google Workspace to Mixpanel with SCIM: + +- New users provisioned from Google Workspace will be automatically added as an Organization Member. +- You will need to provision other [Organization Roles](https://docs.mixpanel.com/docs/orgs-and-projects/roles-and-permissions#organization-roles) to users within the Mixpanel product. +- You will not be able to set the user's Organization Role and Project access within Google Workspace. + +You can also provision Groups of users in Google Workspace to Mixpanel [Teams](/docs/orgs-and-projects/roles-and-permissions#teams) with SCIM. + +- Use the same name for the Group in Google Workspace as the Team in Mixpanel. +- In the Mixpanel Team, set the Organization Role and access to projects for the group of users. 
+- You will not be able to provision Organization Role and Project access for the Group within Google Workspace. + +Note that it is advised you turn on **IDP Managed Access** if you are using SCIM Provisioning. Otherwise, Google Workspace and Mixpanel might fall out of sync. + +#### Configuration Setup + +1. Click the **Configure API Integration** button in Google Workspace to begin. + +![Google Workspace SCIM 2 Image](/Google Workspace_scim2.png) + +2. Check the **Enable API Integration** box, then enter your SCIM token. + +Select the supported features (Create / Update / Deactivate) you wish to enable: + +![Google Workspace SCIM 3 Image](/Google Workspace_scim3.png) + +3. The following profile attributes are required to be sent from Google Workspace to Mixpanel: + +- Username +- Given name +- Family name +- Primary email + +![Google Workspace SCIM 4 Image](/Google Workspace_scim4.png) + +4. Select and assign the users you wish to provision: + +![Google Workspace SCIM 5 Image](/Google Workspace_scim5.png) + +#### Troubleshooting + +1. If a Mixpanel account has already been created with the Google Workspace user's email (their Google Workspace Username) and that account is **not a member** of your Mixpanel organization, provisioning setup for that Google Workspace user will fail. To resolve this, manually invite the existing user to your organization. + +2. Provisioning will also fail if the domain of the user's email has not been claimed by your organization. To resolve this, manually invite the existing user to your organization. From 417e1674a758a47344f893ebfdee73edf2ac07c7 Mon Sep 17 00:00:00 2001 From: Leonardo Fratini Date: Mon, 29 Sep 2025 16:50:16 +0200 Subject: [PATCH 2/6] updated google.md added info relevant to Google IDP --- .../access-security/single-sign-on/google.md | 120 ++---------------- 1 file changed, 11 insertions(+), 109 deletions(-) 
diff --git a/pages/docs/access-security/single-sign-on/google.md b/pages/docs/access-security/single-sign-on/google.md index 043cf65504..f8ce38eef4 100644 --- a/pages/docs/access-security/single-sign-on/google.md +++ b/pages/docs/access-security/single-sign-on/google.md 
@@ -26,134 +26,36 @@ B. Follow [Google Workspace's documentation on setting up a new application](ht #### Configure SAML A. If you use the Mixpanel app from the store, the following SAML configuration is already built into the app. +![CleanShot 2025-09-16 at 11.08.34](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_MQGkDvuFTS/CleanShot 2025-09-16 at 11.08.34.jpg) B. If you create a custom app, you must fill the form found in the **Configure SAML** menu in Google Workspace. Make sure that the following fields are adjusted to exactly match the corresponding values: -- **Single sign on URL:** Postback URL from Mixpanel (https://mixpanel.com/security/sso/v2/authorize/?org_id=YOUR_ORG_ID) -- **Requestable SSO URLs:** https://sso.mixpanel.com/sso/saml2 -- **Recipient URL:** https://sso.mixpanel.com/sso/saml2 -- **Destination URL:** https://sso.mixpanel.com/sso/saml2 -- **Audience URI:** https://mixpanel.com/security/sso/v2/authorize/ +- **ACS URL:** https://sso.mixpanel.com/sso/saml2 +- **Entity ID:** https://mixpanel.com/security/sso/v2/authorize/ +- **Start URL:** https://mixpanel.com/security/sso/v2/authorize/?org_id=YOUR_ORG_ID The following screenshot highlights what you should place in the fields: -![Google Workspace Config SAML 1 Image](/Google Workspace_config_1.png) - -To add the Requestable SSO URLs field, navigate to Advanced Settings: - -![Google Workspace Config SAML 2 Image](/Google Workspace_config_2.png) +![CleanShot 2025-09-29 at 16.30.49](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_V4Fjk2TRhv/CleanShot 2025-09-29 at 16.30.49.jpg) Additionally, it is required that you use `email` as an attribute statement, other attributes we recommend include `firstName` and `lastName`. 
-| Name | Value | -| ------------: | --------: | -| Primary email | email | -| First Name | firstName | -| Last Name | lastName | - -![Google Workspace Config SAML 2 Image](/Google Workspace_config_3.png) +![CleanShot 2025-09-16 at 11.13.30](/Users/leonardo.fratini/Pictures/screenshots/CleanShot 2025-09-16 at 11.13.30.jpg) ### Obtain Information From Google Workspace -In order to configure Mixpanel use with Google Workspace, you must first obtain your **Public Certificate**, **Authentication URL**, and **Issuer URL**. - -To access this information, first select the select the Mixpanel app under the **Applications** tab in Google Workspace. Click on the **Sign On** tab. - -In the right **About** column under the **SAML Setup** section, click **View SAML setup instructions**. - -![Google Workspace Info 1 Image](/Admin/Google Workspace/Google Workspace_saml_setup_instructions_fixed.png) - -#### Public Certificate - -The X.509 certificate allows users signing in through a third-party identity provider to be authenticated by Mixpanel without supplying a username and password. Each identity provider account has a unique X.509 certificate that will need to be uploaded to Mixpanel during the SSO setup process. - -Click **Download Certificate** in the second entry to download your certificate. - -![Google Workspace Info 2 Image](/Google Workspace_info2.png) - -You can also find the Public Certificate in the **Sign On** tab of the **Mixpanel** app. Scroll down to the **SAML Signing Certificates** section. Click **Actions** for the SHA-2 certificate and **Download certificate**. +In order to configure Mixpanel use with Google Workspace, you must first obtain your **Public Certificate**, **SSO URL**, and **Entity ID**. -![Google Workspace Certificate Download Image](/Admin/Google Workspace/Google Workspace_download_certificate.png) - -If you Public Certificate is expired or compromised, click **Generate new certificate** to generate a new certificate to upload in Mixpanel. 
- -#### Authentication URL - -Your Authentication URL is in the third entry labeled **Redirect Login URL**. - -![Google Workspace Info 3 Image](/Google Workspace_info3.png) - -#### Issuer URL - -You will find your Issuer URL in the third entry labeled **Identity Provider Issuer**. - -![Google Workspace Info 4 Image](/Google Workspace_info4.png) +To access this information, access the Mixpanel app in Google Workspace (or create a custom app) first select **DOWNLOAD METADATA**. Then, grab the **SSO URL** and **Entity ID** as well as the certificate to upload in Mixpanel (we recommend adding the expiration date to the file name to make it easier to manage in Mixpanel). +![CleanShot X 2025-09-29 16.41.42](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_D1Qaajbj83/CleanShot X 2025-09-29 16.41.42.png) ### Enable SSO -From Mixpanel, navigate to your **Organization Settings** and then the **Access Security** tab. From the **2FA & SSO** menu, insert your **Public Certificate**, **Authentication URL**, and **Issuer URL**. +From Mixpanel, navigate to your **Organization Settings** and then the **Access Security** tab. From the **2FA & SSO** menu, upload your **Public Certificate** and add your **SSO URL** and **Entity ID** to the **Identity Provider Sign-In URL** and **Issuer URL**, respectively. +![CleanShot 2025-09-29 at 16.45.33](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_1YIbDnb7hQ/CleanShot 2025-09-29 at 16.45.33.jpg) Optionally toggle **Require Single Sign-On** to prevent your users from logging in with a username and password. Organization Owners and Admins will still be able to log in using username and password in case SSO is not set up correctly. -### Configuring SCIM Provisioning - -SCIM provisioning uses [the Mixpanel app within the OIN (Google Workspace's app store)](https://www.Google Workspace.com/integrations/mixpanel/). 
- -The following prerequisites must be met to set up SCIM provisioning: - -- You must have an active Enterprise plan subscription with Mixpanel. -- You must have Google Workspace SSO set up with Mixpanel. -- The `Username` value in Google Workspace must be an email address with a domain that you've claimed. -- You need to have generated a SCIM OAuth token to use with the app. This token is located in **SCIM** menu of the **Access Security** tab in your Organization Settings. You will need to be an Organization Owner or Admin to access this. - -![Google Workspace SCIM 1 Image](/Admin/Google Workspace/sso_scim_token_updated_2024.png) - -The following provisioning features are supported: - -- **Push New Users:** New users created through Google Workspace and assigned to the application will be created in Mixpanel. -- **Push Profile Updates:** Updates made to the assigned user's supported profile attributes (First Name, Last Name, Email) through Google Workspace will be pushed to Mixpanel. -- **Push User Deactivation:** Deactivating the user or removing the user from the application through Google Workspace will deactivate the user in Mixpanel (or delete the account if specified). -- **Reactivate Users:** Reassigning a previously unassigned user to the application will reactivate the user's account in Mixpanel. - -Please note the following when provisioning users from Google Workspace to Mixpanel with SCIM: - -- New users provisioned from Google Workspace will be automatically added as an Organization Member. -- You will need to provision other [Organization Roles](https://docs.mixpanel.com/docs/orgs-and-projects/roles-and-permissions#organization-roles) to users within the Mixpanel product. -- You will not be able to set the user's Organization Role and Project access within Google Workspace. - -You can also provision Groups of users in Google Workspace to Mixpanel [Teams](/docs/orgs-and-projects/roles-and-permissions#teams) with SCIM. 
- -- Use the same name for the Group in Google Workspace as the Team in Mixpanel. -- In the Mixpanel Team, set the Organization Role and access to projects for the group of users. -- You will not be able to provision Organization Role and Project access for the Group within Google Workspace. - -Note that it is advised you turn on **IDP Managed Access** if you are using SCIM Provisioning. Otherwise, Google Workspace and Mixpanel might fall out of sync. - -#### Configuration Setup - -1. Click the **Configure API Integration** button in Google Workspace to begin. - -![Google Workspace SCIM 2 Image](/Google Workspace_scim2.png) - -2. Check the **Enable API Integration** box, then enter your SCIM token. - -Select the supported features (Create / Update / Deactivate) you wish to enable: - -![Google Workspace SCIM 3 Image](/Google Workspace_scim3.png) - -3. The following profile attributes are required to be sent from Google Workspace to Mixpanel: - -- Username -- Given name -- Family name -- Primary email - -![Google Workspace SCIM 4 Image](/Google Workspace_scim4.png) - -4. Select and assign the users you wish to provision: - -![Google Workspace SCIM 5 Image](/Google Workspace_scim5.png) - #### Troubleshooting 1. If a Mixpanel account has already been created with the Google Workspace user's email (their Google Workspace Username) and that account is **not a member** of your Mixpanel organization, provisioning setup for that Google Workspace user will fail. To resolve this, manually invite the existing user to your organization. From 5bf707d4ab27b4b7a9e611808298d79c22200518 Mon Sep 17 00:00:00 2001 From: Leonardo Fratini Date: Mon, 29 Sep 2025 16:57:44 +0200 Subject: [PATCH 3/6] fixed images in google.md --- pages/docs/access-security/single-sign-on/google.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
diff --git a/pages/docs/access-security/single-sign-on/google.md b/pages/docs/access-security/single-sign-on/google.md index f8ce38eef4..84ea4f7408 100644 --- a/pages/docs/access-security/single-sign-on/google.md +++ b/pages/docs/access-security/single-sign-on/google.md @@ -26,7 +26,8 @@ B. Follow [Google Workspace's documentation on setting up a new application](ht #### Configure SAML A. If you use the Mixpanel app from the store, the following SAML configuration is already built into the app. -![CleanShot 2025-09-16 at 11.08.34](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_MQGkDvuFTS/CleanShot 2025-09-16 at 11.08.34.jpg) + +![use_existing_app](https://github.com/user-attachments/assets/4d42cf48-9b1e-4be2-8b56-ec76edaad118) B. If you create a custom app, you must fill the form found in the **Configure SAML** menu in Google Workspace. Make sure that the following fields are adjusted to exactly match the corresponding values: 
@@ -36,23 +37,25 @@ B. If you create a custom app, you must fill the form found in the **Configure S The following screenshot highlights what you should place in the fields: -![CleanShot 2025-09-29 at 16.30.49](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_V4Fjk2TRhv/CleanShot 2025-09-29 at 16.30.49.jpg) +![custom_saml_app](https://github.com/user-attachments/assets/be8660ff-084f-409e-9dec-49e17b7563e6) Additionally, it is required that you use `email` as an attribute statement, other attributes we recommend include `firstName` and `lastName`. -![CleanShot 2025-09-16 at 11.13.30](/Users/leonardo.fratini/Pictures/screenshots/CleanShot 2025-09-16 at 11.13.30.jpg) +![attr_mapping](https://github.com/user-attachments/assets/b10ea8bf-ff1a-4270-8b97-0d078ae46fde) ### Obtain Information From Google Workspace In order to configure Mixpanel use with Google Workspace, you must first obtain your **Public Certificate**, **SSO URL**, and **Entity ID**. To access this information, access the Mixpanel app in Google Workspace (or create a custom app) first select **DOWNLOAD METADATA**. Then, grab the **SSO URL** and **Entity ID** as well as the certificate to upload in Mixpanel (we recommend adding the expiration date to the file name to make it easier to manage in Mixpanel). -![CleanShot X 2025-09-29 16.41.42](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_D1Qaajbj83/CleanShot X 2025-09-29 16.41.42.png) + +![google_metadata](https://github.com/user-attachments/assets/d1ea2115-eaf7-4cde-a01d-b9bb248314e3) ### Enable SSO From Mixpanel, navigate to your **Organization Settings** and then the **Access Security** tab. From the **2FA & SSO** menu, upload your **Public Certificate** and add your **SSO URL** and **Entity ID** to the **Identity Provider Sign-In URL** and **Issuer URL**, respectively. 
-![CleanShot 2025-09-29 at 16.45.33](/Users/leonardo.fratini/Library/Application Support/CleanShot/media/media_1YIbDnb7hQ/CleanShot 2025-09-29 at 16.45.33.jpg) + +![sso_settings_in_mp](https://github.com/user-attachments/assets/e97be4c6-dc1f-44d1-adb4-530679bca9ba) Optionally toggle **Require Single Sign-On** to prevent your users from logging in with a username and password. Organization Owners and Admins will still be able to log in using username and password in case SSO is not set up correctly. From d679e0ee1040c130849988a43648970d3708c322 Mon Sep 17 00:00:00 2001 From: Leonardo Fratini Date: Tue, 30 Sep 2025 09:21:10 +0200 Subject: [PATCH 4/6] Changing file extension from google.md to google.mdx --- .../docs/access-security/single-sign-on/{google.md => google.mdx} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename pages/docs/access-security/single-sign-on/{google.md => google.mdx} (100%) diff --git a/pages/docs/access-security/single-sign-on/google.md b/pages/docs/access-security/single-sign-on/google.mdx similarity index 100% rename from pages/docs/access-security/single-sign-on/google.md rename to pages/docs/access-security/single-sign-on/google.mdx From 0a0fb494d6d34337e3f83a9671f2e8b07ab2ca46 Mon Sep 17 00:00:00 2001 From: Leonardo Fratini Date: Tue, 30 Sep 2025 10:23:12 +0200 Subject: [PATCH 5/6] Create faq.mdx --- pages/docs/access-security/single-sign-on/faq.mdx | 1 + 1 file changed, 1 insertion(+) create mode 100644 pages/docs/access-security/single-sign-on/faq.mdx diff --git a/pages/docs/access-security/single-sign-on/faq.mdx b/pages/docs/access-security/single-sign-on/faq.mdx new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/pages/docs/access-security/single-sign-on/faq.mdx @@ -0,0 +1 @@ + From 774c466578e561237ca6fe9c88e9642a59ebbb36 Mon Sep 17 00:00:00 2001 
From: Leonardo Fratini Date: Thu, 2 Oct 2025 09:10:09 +0200 Subject: [PATCH 6/6] Delete pages/docs/access-security/single-sign-on/faq.mdx --- pages/docs/access-security/single-sign-on/faq.mdx | 1 - 1 file changed, 1 deletion(-) delete mode 100644 pages/docs/access-security/single-sign-on/faq.mdx diff --git a/pages/docs/access-security/single-sign-on/faq.mdx b/pages/docs/access-security/single-sign-on/faq.mdx deleted file mode 100644 index 8b13789179..0000000000 --- a/pages/docs/access-security/single-sign-on/faq.mdx +++ /dev/null @@ -1 +0,0 @@ -
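Review bot: In PATCH 1/6 the SCIM section links to `https://www.Google Workspace.com/integrations/mixpanel/` and describes it as "the OIN (Google Workspace's app store)"; the URL contains a space and cannot resolve, and image paths such as `/Google Workspace_config_1.png` show the same pattern, so the text reads as if a product name was substituted into instructions written for a different identity provider. Each menu label and field name in this file (for example **View SAML setup instructions**, **Configure API Integration**, **Requestable SSO URLs**) should be checked against the Google Workspace admin console before merge, since an admin following a label that does not exist is likely to guess at SAML settings. Two smaller points in the same hunk: Troubleshooting item 2 names an unclaimed domain as the cause but repeats item 1's fix ("manually invite the existing user to your organization"), and there are typos at "first select the select the Mixpanel app" and "If you Public Certificate is expired".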
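Review bot: In PATCH 2/6 the label **Entity ID** is used for two different values: in the Configure SAML list it is `https://mixpanel.com/security/sso/v2/authorize/`, while under "Obtain Information From Google Workspace" and "Enable SSO" it is the value taken from Google's metadata and entered as **Issuer URL**. Please distinguish the two in the text (for example by saying which side each one identifies) so an admin does not paste the first value into **Issuer URL**. The hunk also deletes the sentence covering an expired or compromised certificate ("click **Generate new certificate**") without a replacement; the new wording only recommends putting the expiration date in the file name, so a short rotation step for the Google side would be worth adding. Finally, the SCIM section is removed but the trailing `#### Troubleshooting` context still talks about "provisioning setup" failing, which no longer refers to anything on the page.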
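Review bot: In PATCH 3/6 every replaced image now points at `https://github.com/user-attachments/assets/...`, so the docs depend on externally hosted attachments rather than files committed with the page; PATCH 1/6 used site-relative paths, and committing the screenshots the same way would keep the page self-contained and reviewable. The alt texts (`use_existing_app`, `custom_saml_app`, `attr_mapping`, `google_metadata`, `sso_settings_in_mp`) are file names rather than descriptions; since PATCH 2/6 removed the attribute mapping table in favour of a screenshot, the `attr_mapping` image in particular needs alt text or accompanying text that states the mapping. Consider squashing 2/6 and 3/6 so the local `/Users/leonardo.fratini/...` paths introduced in 2/6 do not land in history.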
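Review bot: PATCH 5/6 creates `pages/docs/access-security/single-sign-on/faq.mdx` containing a single empty line and PATCH 6/6 deletes it, so the two cancel out and can be dropped from the series. PATCH 4/6 is a pure rename of `google.md` to `google.mdx` (similarity index 100%) and could be folded into 1/6 by creating the file with the final extension.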