Setting up Single Sign On (SSO) for Mapiq is very easy. There are only a few steps that we take together to get things up and running. Let’s get started.
What is Single Sign On?
By using Single Sign On (SSO), employees of your organization will experience a seamless authentication experience. Some advantages of SSO are:
- User information is exchanged from your Active Directory with Mapiq as part of the Single Sign On process and it is therefore not required for users to enter information manually.
- Users authenticate using their company credentials and it is therefore not required for them to remember additional passwords
- Since authentication is done on your Identity Provider you will remain in full control of who has access to the application and who does not
What Single Sign On protocols does Mapiq support?
Mapiq supports Single Sign On using the SAML2.0 or the OpenId Connect protocol.
Some of Mapiq's features require more user information than just the basic information (name / email). Mapiq therefore recommends the use of the SAML2.0 protocol as additional claims can be easily configured with this protocol.
Account provisioning
The Mapiq applications utilize the Just In Time (JIT) principle for Single Sign On meaning that users are created in the application's backend the moment the user logs-in for the first time. Users can be removed from your environment by deleting them in the administrator portal and revoking access within your Identity Provider.
Mapiq does not support SCIM (System for Cross-domain Identity Management) or other identity frameworks/integrations, although this is something which is being looked in to for future development.
Architecture
Mapiq offers multiple applications utilizing SSO. These applications are served via two authentication services: test and production.
- Test: https://ssovalidation.mapiq.com
The test application is configured prior to the production application such that the configuration can be tested without affecting the production database. Additionally, the test application gives instant feedback via the user interface on the configuration. - Production: https://app.mapiq.com and https://admin.mapiq.com
The production application consists of two portals: shifts for the regular employee, and admin for administrators. Although these have separate URLs they share the same SSO configuration.
Configuration
On average it takes 10 working days, from the moment of sharing a complete onboarding form with Mapiq (step 2), to realize the Single Sign On configuration
| Step 1-2 | To configure Single Sign On within your Identity Provider using the values provided by Mapiq (in step 1, see below) and return the completed onboarding form to your Mapiq contact. |
| Step 3-5 | To test and validate the configuration prior to go-live |
| Step 6 | To enjoy Mapiq with Single Sign On |
Click here for troubleshooting
Step 1: Register the test and production applications in your IdP
Please configure both applications with the following information
Metadata URL, Entity Id and Assertion Consumer Service (ACS):
Test:- Metadata: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/B2C_1A_SsoTest/samlp/metadata?idptp=samlmetadata
- EntityId: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/B2C_1A_TrustFrameworkBase_SsoTest
- ACS: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/B2C_1A_TrustFrameworkBase_SsoTest/samlp/sso/assertionconsumer
Production:
- Metadata: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_signup_signin/samlp/metadata?idptp=samlmetadata
- EntityId: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_TrustFrameworkBase
- ACS: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer
Signing
| Signature | Signing required |
| Assertion | Signing required |
Required feature: user profile
More information: Please see Mapiq's privacy policy
Requirements: all claims should be configured
| AD property | Description | Expected claim namespace | Expected claim name |
|---|---|---|---|
| Unique user id | A claim value unique to the user.
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims | name |
| First name | The user's first name (e.g. 'Jane') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | givenname |
| Last name | The user's last name (e.g. 'Doe') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | surname |
| Display name | The user's full name (e.g. 'Jane Doe') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | displayname |
| Email address | The user's email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | emailaddress |
Optional feature: automatic profile assignment
More information: Please see the support article on automatic profile assignment
Requirements: at least one claim should be configured
| Business unit | The business unit the user is part of (e.g. 'company logistics') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | businessunit |
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | country |
| Department | The department the user is part of (e.g. 'finance', or 'IT support') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | department |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | office |
| Job title | The user's job title (e.g. 'senior manager', or 'trainee') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | jobtitle |
Optional feature: Mapiq API
More information: Please see the support article on Mapiq's API
Requirements: the configuration of this claim is optional
| External Id | For more information, please see the article on the Mapiq API | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | externalid |
Optional feature: multiple environments
More information: Please see the support article on multiple environments
Requirements: at least one claim should be configured
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | country |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | office |
| Subscription Key | For more information, please see the article on multiple environments | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | mapiqsubscriptionkey |
Please configure both applications with the following information
Return URL:
- Test: https://mapiqssovalidation.b2clogin.com/mapiqssovalidation.onmicrosoft.com/oauth2/authresp
- Production: https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/oauth2/authresp
Scopes
Please include the following scopes:
- openid
- profile
Required feature: user profile
More information: Please see Mapiq's privacy policy
Requirements: all claims should be configured
| AD property | Description | Expected claim namespace and name | Scope |
|---|---|---|---|
| Unique user id | A claim value unique to the user (e.g. email address, employee id, or the object id from the AD) | sub | openid |
| First name | The user's first name (e.g. 'Jane') | given_name | profile |
| Last name | The user's last name (e.g. 'Doe') | family_name | profile |
| Display name | The user's full name (e.g. 'Jane Doe') | name | profile |
| Email address | The user's email address |
Optional feature: automatic profile assignment
More information: Please see the support article on automatic profile assignment
Requirements: at least one claim should be configured
| Business unit | The business unit the user is part of (e.g. 'company logistics') | business_unit | openid, email, or profile * |
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | country | openid, email, or profile * |
| Department | The department the user is part of (e.g. 'finance', or 'IT support') | department | openid, email, or profile * |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | office | openid, email, or profile * |
| Job title | The user's job title (e.g. 'senior manager', or 'trainee') | job_title | openid, email, or profile * |
Optional feature: Mapiq API
More information: Please see the support article on Mapiq's API
Requirements: the configuration of this claim is optional
| External Id | For more information, please see the article on the Mapiq API | external_id | openid, email, or profile * |
Optional feature: multiple environments
More information: Please see the support article on multiple environments
Requirements: at least one claim should be configured
| Country | The country in which the user is based (e.g. 'NL', or 'The Netherlands') | country | openid, email, or profile * |
| Office | The office where the user works (e.g. 'Amsterdam', or 'London') | office | openid, email, or profile * |
| Subscription Key | For more information, please see the article on multiple environments | mapiq_subscription_key | openid, email, or profile * |
* These claims need to be added to either the openid, email, or profile scopes, and should not be nested.
For help on configuring these scopes and claim, please refer to the documentation of your Identity Provider and, if required, reach out to their support
- Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
- Okta: https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/
- Auth0: https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token
Step 2: Complete and share the SSO onboarding form
Download the SSO Onboarding form at the bottom of this page and share it with your contact at Mapiq
Step 3: Test the configuration (wait for GO from Mapiq)
Please follow the instructions in the article on Testing your SSO integration
Step 4: Validate your production configuration
Please validate that the configuration of your production application matches that of your test application.
Step 5: Test the configuration on the production environment (wait for GO from Mapiq)
Once SSO for the production environment has been configured by Mapiq you should be able to login at https://app.mapiq.com
Step 6: Start using the application
Go to https://app.mapiq.com for the user application and https://admin.mapiq.com for the administrator portal
-