[ Enterprise ]
Using SAML Single Sign-on (SSO) authentication, Mavenlink customers can manage system access with their identity management system. This allows users to authenticate automatically and securely using a centrally-managed identity management tool. With SAML SSO, your account members will no longer have to remember their password for Mavenlink as your Identity Provider takes care of that.
WHAT IS SAML?
SAML (Security Assertion Markup Language) is an open standard for authentication between an Identity Provider and a Service Provider. Okta, OneLogin, and Active Directory Federation Services are examples of Identity Providers (IDPs) and Mavenlink is your Service Provider. Using SAML, organizations can configure browser-based SSO authentication.
SAML SUPPORT IN MAVENLINK
Mavenlink currently supports the ability to authenticate SSO users through a SAML Identity Provider, including:
Authenticating into Mavenlink through the SAML Identity Provider dashboard
Responding to log-out signals to terminate the Mavenlink session
Restricting authentication to SAML users only (Strict SSO) at the account level
AVAILABILITY AND ACCESS
Single sign-on using SAML is natively accessible to Enterprise clients; it is also available to Premier customers as an additional service. Before you can enable Single Sign On, you must have custom branding enabled. Specifically, you need to have a custom domain such as yourdomain.mavenlink.com as it’s required for your Single Sign On URL.
To enable SAML, Account Admins can navigate to https://app.mavenlink.com/settings/account/security.
From your Identity Provider, such as Okta, OneLogin or Active Directory Federation Services, you’ll need to gather the following information:
- Identity Provider SSO URL: This is the login URL that Mavenlink will use to redirect account members to your identity provider. Keep in mind that depending on your identity provider, this can have a number of different names. In Okta this is called the Identity Provider SSO URL or the Post Back URL. In OneLogin this is called the SAML 2.0 Endpoint. It is also sometimes known as the SAML SSO URL or, in ADFS, the Relying party identifier. For Google SAML, you can find the needed URL by clicking on the Google Apps menu in Gmail (top right, the 3x3 grid of squares icon) and copying the URL for the Mavenlink app.
- Issuer: This is a unique identifier for your identity provider. In some cases, this is called the entity ID. This will typically be a URL.
- X.509 Certificate: This is your Identity Provider's signing certificate, which carries the public key Mavenlink uses to verify the signature on your SAML responses. It should start with -----BEGIN CERTIFICATE-----
In addition to these fields, there are a few optional, but recommended fields for your Single Sign On experience in Mavenlink:
- Email Domain: This will be used to identify individuals who are not yet on your Mavenlink account. When such individuals are identified, we will instruct them to contact their Account Administrator to be invited to your Mavenlink account.
- Identity Provider Name: This is shown on our login page to prompt users to log in through their Identity Provider.
- Logout URL: If specified, this will redirect the user to a URL of your choice after they log out of Mavenlink. This is often used to redirect to a central SAML logout endpoint that signs the user out of all SAML-connected applications. Alternatively, it could be used to take the user back to the SSO homepage.
You can also choose whether to restrict login access to Mavenlink to only your Identity Provider (Strict SSO). Selecting this option enforces that all members on your account must authenticate through your SAML 2.0 Identity Provider.
In order for Mavenlink to communicate back to your Identity Provider, you’ll need to enter your Relying Party SAML 2.0 SSO Service URL, such as https://yourdomain.mavenlink.com/saml/consume, into all of the following fields:
- Okta: Single Sign On URL, Recipient URL, Destination URL, Audience Restriction Audience URI (SP Entity ID)
- OneLogin: SAML Consumer URL, SAML Audience, SAML Recipient
For successful SAML SSO configuration, make sure to verify the following:
- Account emails in Mavenlink match the email set per each user in the Identity Provider
- Your Name ID format within the Identity Provider is set to email address
If you see the error "Invalid Signature on SAML Response", this may be because the public X.509 Certificate in your Mavenlink SAML settings does not match the X.509 Certificate in the assertion that your server is sending to Mavenlink.
You can inspect this for yourself by looking at the `ds:X509Certificate` value in the base64-decoded version of your SAML response. It has to match the certificate configured in your Mavenlink account.
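The following script, added here as an example and not part of Mavenlink's own tooling, automates the checks above: it base64-decodes an HTTP-POST SAMLResponse captured from your own Identity Provider, pulls out the Issuer, the NameID format and the embedded ds:X509Certificate, and compares the certificate's SHA-256 fingerprint with the PEM certificate pasted into the Service Provider settings. The sample response and certificate bytes are constructed placeholders, and the idp.example.com issuer is an assumed value.

```python
# Added diagnostic (not Mavenlink code): decode an HTTP-POST SAMLResponse and compare
# its embedded ds:X509Certificate, Issuer and NameID format with the SP-side settings.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END CERTIFICATE----- armour and decode the body to DER."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()  # line wrapping in the PEM no longer matters

def inspect_response(saml_response_b64: str) -> dict:
    """Pull the fields the article asks you to verify out of the base64-decoded response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))  # a response from your own IdP
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    return {"issuer": issuer.text.strip() if issuer is not None else None,
            "name_id": name_id.text.strip() if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "cert_fingerprint": fingerprint(base64.b64decode(cert.text)) if cert is not None else None}

def check_config(saml_response_b64: str, configured_pem: str, expected_issuer: str) -> list:
    """Return a list of mismatches; an empty list means the three settings line up."""
    found, problems = inspect_response(saml_response_b64), []
    if found["issuer"] != expected_issuer:
        problems.append(f"Issuer mismatch: response says {found['issuer']!r}")
    if found["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID format is {found['name_id_format']!r}, not emailAddress")
    if found["cert_fingerprint"] != fingerprint(pem_to_der(configured_pem)):
        problems.append("ds:X509Certificate in response does not match the configured certificate")
    return problems

# Constructed sample, not a real IdP response; FAKE_DER stands in for real certificate bytes.
FAKE_DER = b"constructed-certificate-bytes"
CERT_B64 = base64.b64encode(FAKE_DER).decode()
CONFIGURED_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer><saml:Assertion><saml:Subject>
  <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Run `check_config(SAMPLE_RESPONSE, CONFIGURED_PEM, "https://idp.example.com/metadata")` with the base64 SAMLResponse copied from your browser's POST to /saml/consume and the PEM from your Mavenlink settings; an empty list means the certificate, issuer and NameID format all match.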
If you need further assistance with setting up SAML SSO or have any questions, please contact support at firstname.lastname@example.org.
In the future, we’ll have registered applications in Okta and OneLogin for even easier setup.