SSO is currently available as an add-on for select Enterprise plans. Contact your account manager or message our support team for more details.
What is SSO?
Single Sign-On (SSO) is an authentication method that allows users to log in to multiple applications with a single set of corporate credentials. By using SSO, organizations can centralize access control, enhance security with features like multi-factor authentication, and simplify the user experience. Instead of managing usernames and passwords specifically for CloudCover, users can authenticate with their corporate credentials.
For Users
Logging in with SSO
Single Sign-On (SSO) allows you to log in to Pandora CloudCover using your organization's credentials. Here’s how to log in:
Go to https://tune.cloudcovermusic.com and click Log in with SSO or go directly to https://tune.cloudcovermusic.com/#/login/sso
Enter your Company Code (often your web domain, e.g., mycompany.com) and you will be redirected to your organization’s login portal.
If you do not know your company code, please reach out to support.
Authenticate using your usual corporate user credentials (this may include multi-factor authentication if enabled by your organization).
Once authenticated, you will be automatically redirected to Pandora CloudCover.
Pro Tip: Bookmark the SSO login link with your company code:
Accessing your Locations
Your access to specific locations and zones within Pandora CloudCover is determined by your administrator. If you have been assigned access:
In the Now Playing bar, choose a location from the list of assigned locations.
Go to the Zones Dashboard to manage and oversee your assigned locations with ease.
You will only see the locations and zones assigned to you. If you require access to additional locations or zones, contact your CloudCover administrator.
SSO Setup and Configuration
Identity Provider Configuration
Use the instructions below to configure SSO with SAML. If you prefer to use OIDC, please contact Pandora CloudCover Support for assistance.
To configure SSO with SAML, you need to export the metadata file (in XML format) from your identity provider (IdP). This file contains critical information about your IdP, such as the entity ID and SAML endpoints, which are necessary for integrating with Pandora CloudCover. Ensure that this file is readily available before starting the setup process. If you need assistance exporting the metadata file, consult your IdP's documentation or contact their support team.
Pandora CloudCover supports a wide range of identity providers, including but not limited to:
Auth0
Google Workspace
Microsoft Entra ID (formerly Microsoft Azure Active Directory)
Okta
OneLogin
Ping Identity
Salesforce
Generic support for most SSO systems using SAML 2.0 or OIDC
For further information or technical assistance, feel free to reach out to our Support team.
Enabling SSO
Use the instructions below to configure SSO with SAML. If you prefer to use OIDC, please contact Pandora CloudCover Support for assistance.
To configure SSO with SAML:
Navigate to Account > Single Sign-On (SSO).
If you do not see this option, it means SSO has not yet been enabled on your account, or you are not the Account Owner. Please contact Support if you need assistance.
Set Status to Enabled.
Provide a Company Code, which serves as the unique identifier users will enter to authenticate with your IdP. This is typically your web domain (e.g., mycompany.com) for easy recognition and recall.
Upload the XML metadata file from your IdP.
Ensure that attribute mappings are correctly configured. You must map Email Address, First Name, and Last Name to the corresponding fields in your identity provider.
Click Save Changes to save your configuration.
Creating Users
Users are automatically created through "just-in-time provisioning" when they log in for the first time via SSO. However, new users are not assigned to any locations by default. Once a user profile is created, an Account Owner must manually assign them to the appropriate locations by navigating to Account > Users and editing the user's profile.
To manually create a User:
Go to Account > Users.
If you do not see this option, it means SSO has not yet been enabled on your account, or you are not the Account Owner. Please contact Pandora CloudCover Support if you need assistance.
Click Add User.
Enable Require SSO to enforce login with SSO credentials.
Leave this toggle unchecked for non-corporate users, such as temporary or contract workers, to allow login with CloudCover-issued credentials
For SSO External User ID, input the user's unique identifier as defined in your identity provider. When using SAML 2.0, this is typically specified in the NameID claim provided by your IdP.
You do not need to enter the Email Address, First Name, or Last Name, as these fields will automatically synchronize with the data in your identity provider.
Select the appropriate Timezone that corresponds to the user's physical location to ensure accurate reporting.
Choose the appropriate user permissions for the user and assign them access to the specific locations and zones they will manage (as shown below)
Click Create User to save the user profile.
Transitioning from Location Logins
For many account, login credentials have been created for each physical location and shared among all individuals who need access. This requires users managing multiple locations to sign in and out of each location individually.
With SSO activated on your account, unique credentials are created for each individual user, enabling them to log in once and seamlessly manage all their assigned locations from a single account. This approach is significantly more flexible, enhances security, and improves the user experience.