Setting up Single Sign On (SSO) for Mapiq’s Office Shifts is very easy. There are only a few steps that we take together to get things up and running. Let’s get started.
As it is required to exchange more than just the basic information with Mapiq during login, Mapiq recommends the use of the SAML2.0 protocol as additional claims can be easily configured with this protocol.
Two applications: test and production
Mapiq offers multiple applications utilizing SSO. These applications are served via two authentication services: test and production.
- Test: https://ssovalidation.mapiq.com
The test application is configured prior to the production application such that the configuration can be tested without affecting the production database. Additionally, the test application gives instant feedback via the user interface on the configuration. - Production: https://shifts.mapiq.com and https://admin.mapiq.com
The production application consists of two portals: shifts for the regular employee, and admin for administrators. Although these have separate URLs they share the same SSO configuration.
Goals
| Step 1-2 | To configure Single Sign On within your Identity Provider using the values provided by Mapiq and return the completed onboarding form to your Mapiq contact. |
| Step 3-5 | To test and validate the configuration prior to go-live |
| Step 6 | To enjoy Mapiq Office Shifts with Single Sign On |
Step 1: Register the test and production applications in your IdP
Please configure both applications with the following information
Metadata URL, Entity Id and Assertion Consumer Service (ACS):
Test:- Metadata: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/B2C_1A_SsoTest/samlp/metadata?idptp=samlmetadata
- EntityId: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/B2C_1A_TrustFrameworkBase_SsoTest
- ACS: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/B2C_1A_TrustFrameworkBase_SsoTest/samlp/sso/assertionconsumer
Production:
- Metadata: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_signup_signin/samlp/metadata?idptp=samlmetadata
- EntityId: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_TrustFrameworkBase
- ACS: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer
Signing
| Signature | Signing required |
| Assertion | Signing required |
Required feature: user profile
More information: Please see Mapiq's privacy policy
Requirements: all claims should be configured
| AD property | Description | Expected claim namespace | Expected claim name |
|---|---|---|---|
| Unique user id | A claim value unique to the user.
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims | name |
| First name | The user's first name (e.g. 'Jane') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | givenname |
| Last name | The user's last name (e.g. 'Doe') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | surname |
| Display name | The user's full name (e.g. 'Jane Doe') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | displayname |
| Email address | The user's email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | emailaddress |
Optional feature: automatic profile assignment
More information: Please see the support article on automatic profile assignment
Requirements: at least one claim should be configured
| Business unit | The business unit the user is part of (e.g. 'company logistics') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | businessunit |
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | country |
| Department | The department the user is part of (e.g. 'finance', or 'IT support') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | department |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | office |
| Job title | The user's job title (e.g. 'senior manager', or 'trainee') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | jobtitle |
Optional feature: Mapiq API
More information: Please see the support article on Mapiq's API
Requirements: the configuration of this claim is optional
| External Id | For more information, please see the article on the Mapiq API | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | externalid |
Optional feature: multiple environments
More information: Please see the support article on multiple environments
Requirements: at least one claim should be configured
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | country |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | office |
| Subscription Key | For more information, please see the article on multiple environments | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | mapiqsubscriptionkey |
Please configure both applications with the following information
Return URL:
- Test: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/oauth2/authresp
- Production: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/oauth2/authresp
Scopes
Please include the following scopes:
- openid
- profile
Required feature: user profile
More information: Please see Mapiq's privacy policy
Requirements: all claims should be configured
| AD property | Description | Expected claim namespace and name | Scope |
|---|---|---|---|
| Unique user id | A claim value unique to the user (e.g. email address, employee id, or the object id from the AD) | sub | openid |
| First name | The user's first name (e.g. 'Jane') | given_name | profile |
| Last name | The user's last name (e.g. 'Doe') | family_name | profile |
| Display name | The user's full name (e.g. 'Jane Doe') | name | profile |
| Email address | The user's email address |
Optional feature: automatic profile assignment
More information: Please see the support article on automatic profile assignment
Requirements: at least one claim should be configured
| Business unit | The business unit the user is part of (e.g. 'company logistics') | business_unit | openid, email, or profile * |
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | country | openid, email, or profile * |
| Department | The department the user is part of (e.g. 'finance', or 'IT support') | department | openid, email, or profile * |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | office | openid, email, or profile * |
| Job title | The user's job title (e.g. 'senior manager', or 'trainee') | job_title | openid, email, or profile * |
Optional feature: Mapiq API
More information: Please see the support article on Mapiq's API
Requirements: the configuration of this claim is optional
| External Id | For more information, please see the article on the Mapiq API | external_id | openid, email, or profile * |
Optional feature: multiple environments
More information: Please see the support article on multiple environments
Requirements: at least one claim should be configured
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | country | openid, email, or profile * |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | office | openid, email, or profile * |
| Subscription Key | For more information, please see the article on multiple environments | mapiq_subscription_key | openid, email, or profile * |
* These claims need to be added to either the openid, email, or profile scopes, and should not be nested.
For help on configuring these scopes and claim, please refer to the documentation of your Identity Provider and, if required, reach out to their support
- Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
- Okta: https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/
- Auth0: https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token
Step 2: Complete and share the SSO onboarding form
Download the SSO Onboarding form at the bottom of this page and share it with your contact at Mapiq
Step 3: Test the configuration (wait for GO from Mapiq)
Please follow the instructions in the article on Testing your SSO integration
Step 4: Validate your production configuration
Please validate that the configuration of your production application matches that of your test application.
Step 5: Test the configuration on the production environment (wait for GO from Mapiq)
Once SSO for the production environment has been configured by Mapiq you should be able to login at https://shifts.mapiq.com
Step 6: Start using the application
Go to https://shifts.mapiq.com for the user application and https://admin.mapiq.com for the administrator portal
-