Configuring Single Sign On

Setting up Single Sign On (SSO) for Mapiq is very easy. There are only a few steps that we take together to get things up and running. Let’s get started.


What is Single Sign On?

With Single Sign On (SSO), employees of your organization get a seamless authentication experience. Some advantages of SSO are:

  • User information is exchanged from your Active Directory with Mapiq as part of the Single Sign On process, so users do not have to enter information manually.
  • Users authenticate using their company credentials, so they do not have to remember additional passwords.
  • Since authentication is done on your Identity Provider, you remain in full control of who has access to the application and who does not.

What Single Sign On protocols does Mapiq support?

Mapiq supports Single Sign On using the SAML2.0 or the OpenID Connect protocol.


Some of Mapiq's features require more user information than just the basic information (name / email). Mapiq therefore recommends the use of the SAML2.0 protocol as additional claims can be easily configured with this protocol.

Account provisioning

The Mapiq applications utilize the Just In Time (JIT) principle for Single Sign On, meaning that users are created in the application's backend the moment they log in for the first time. Users can be removed from your environment by deleting them in the administrator portal and revoking access within your Identity Provider.

Mapiq does not support SCIM (System for Cross-domain Identity Management) or other identity frameworks/integrations, although this is being looked into for future development.

Architecture

Mapiq offers multiple applications utilizing SSO. These applications are served via two authentication services: test and production. 

  • Test: https://ssovalidation.mapiq.com
    The test application is configured prior to the production application such that the configuration can be tested without affecting the production database. Additionally, the test application gives instant feedback via the user interface on the configuration.
  • Production: https://app.mapiq.com and https://admin.mapiq.com
    The production application consists of two portals: shifts for the regular employee, and admin for administrators. Although these have separate URLs they share the same SSO configuration.


Configuration

On average it takes 10 working days, from the moment of sharing a complete onboarding form with Mapiq (step 2), to realize the Single Sign On configuration.

  • Step 1-2: To configure Single Sign On within your Identity Provider using the values provided by Mapiq (in step 1, see below) and return the completed onboarding form to your Mapiq contact.
  • Step 3-5: To test and validate the configuration prior to go-live.
  • Step 6: To enjoy Mapiq with Single Sign On.

Click here for troubleshooting

Step 1: Register the test and production applications in your IdP

SAML2.0 OpenId Connect

Please configure both applications with the following information

Metadata URL, Entity Id and Assertion Consumer Service (ACS):

Test:

Production: 

Signing

  • Signature: Signing required
  • Assertion: Signing required

Required feature: user profile

More information: Please see Mapiq's privacy policy

Requirements: all claims should be configured

AD property | Description | Expected claim namespace | Expected claim name
Unique user id | A claim value unique to the user, e.g. email address, employee id, or the object id from the AD. Please ensure that this claim is part of the <AttributeStatement> of the SAML response as Mapiq will not extract this value from the subject. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | name
First name | The user's first name (e.g. 'Jane') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | givenname
Last name | The user's last name (e.g. 'Doe') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | surname
Display name | The user's full name (e.g. 'Jane Doe') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | displayname
Email address | The user's email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | emailaddress
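A pre-flight check for the signing and required-claim settings above, as an added example (not Mapiq's code): it inspects a decoded SAML response for signature elements and for the five required claims inside <AttributeStatement>, ignoring the Subject as the table warns. It assumes each Attribute Name is the claim namespace plus "/" plus the claim name, reads the "Signature" row as the response-level signature, and only checks that signatures are present, not that they verify; the function names and sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: Attribute Name = claim namespace + "/" + claim name.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ["name", "givenname", "surname", "displayname", "emailaddress"]

def check_response(xml_text):
    """Return a list of problems in a decoded SAML response (structure only)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("response not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext assertion"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion not signed")
    present = set()
    # Only <AttributeStatement> counts; the Subject NameID is ignored on purpose.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        if any((v.text or "").strip() for v in values):
            present.add(attr.get("Name"))
    problems += ["missing claim: " + c for c in REQUIRED if CLAIMS + c not in present]
    return problems

def build_sample(claims, sign_assertion=True):
    """Constructed test response; <ds:Signature/> is an empty placeholder."""
    sig = "<ds:Signature/>"
    attrs = "".join(
        '<saml:Attribute Name="%s%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % (CLAIMS, k, v)
        for k, v in claims.items())
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">%s'
            "<saml:Assertion>%s<saml:Subject><saml:NameID>jane.doe@example.com"
            "</saml:NameID></saml:Subject><saml:AttributeStatement>%s"
            "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
            % (NS["samlp"], NS["saml"], NS["ds"], sig,
               sig if sign_assertion else "", attrs))

GOOD = {"name": "jane.doe@example.com", "givenname": "Jane", "surname": "Doe",
        "displayname": "Jane Doe", "emailaddress": "jane.doe@example.com"}
# Constructed failure case: unique id only in the Subject NameID.
BAD = {k: v for k, v in GOOD.items() if k != "name"}

if __name__ == "__main__":
    print(check_response(build_sample(GOOD)), check_response(build_sample(BAD, False)))
```

To run it against your own IdP, base64-decode the SAMLResponse form field captured from a test login and pass the resulting XML to check_response.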

Optional feature: automatic profile assignment

More information: Please see the support article on automatic profile assignment

Requirements: at least one claim should be configured

AD property | Description | Expected claim namespace | Expected claim name
Business unit | The business unit the user is part of (e.g. 'company logistics') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | businessunit
Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | country
Department | The department the user is part of (e.g. 'finance', or 'IT support') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | department
Office | The office where the user works (e.g. 'Amsterdam', or 'London') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | office
Job title | The user's job title (e.g. 'senior manager', or 'trainee') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | jobtitle

Optional feature: Mapiq API

More information: Please see the support article on Mapiq's API

Requirements: the configuration of this claim is optional

AD property | Description | Expected claim namespace | Expected claim name
External Id | For more information, please see the article on the Mapiq API | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | externalid

Optional feature: multiple environments

More information: Please see the support article on multiple environments 

Requirements: at least one claim should be configured

AD property | Description | Expected claim namespace | Expected claim name
Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | country
Office | The office where the user works (e.g. 'Amsterdam', or 'London') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | office
Subscription Key | For more information, please see the article on multiple environments | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | mapiqsubscriptionkey

Step 2: Complete and share the SSO onboarding form

Download the SSO Onboarding form at the bottom of this page and share it with your contact at Mapiq

Step 3: Test the configuration (wait for GO from Mapiq)

Please follow the instructions in the article on Testing your SSO integration

Step 4: Validate your production configuration

Please validate that the configuration of your production application matches that of your test application.

Step 5: Test the configuration on the production environment (wait for GO from Mapiq)

Once SSO for the production environment has been configured by Mapiq, you should be able to log in at https://app.mapiq.com

Step 6: Start using the application

Go to https://app.mapiq.com for the user application and https://admin.mapiq.com for the administrator portal
