Mapiq Office Shifts offers two means of authentication: Self Registration and Single Sign On (SSO). This article describes both forms of authentication and how they are set up.
Authentication methods
Click here to read more about the configuration of Single Sign On
With Single Sign On (SSO), employees of your organization get a seamless authentication experience. Some advantages of SSO are:
- User information is exchanged from your Active Directory with Mapiq as part of the Single Sign On process, so users do not need to enter information manually.
- Users authenticate using their company credentials, so they do not need to remember additional passwords.
- Since authentication is done on your Identity Provider, you remain in full control of who has access to the application and who does not.
- It is possible to exchange more user information on top of the information required for the user's profile. This information can be used for additional features of Mapiq Office Shifts. Please find an overview below:
Feature | Feature required? | SSO required? |
---|---|---|
User profile | Yes | No * |
Automatic profile assignment | Highly recommended | Yes |
Mapiq API | No | No ** |
Multiple environments | No | Yes |
* The user profile can be created via either Self Registration or Single Sign On
** SSO is only required when the External Id should be included in the API response
Protocols
Mapiq's Office Shifts supports Single Sign On using the SAML 2.0 or the OpenID Connect protocol.
Because more than just the basic information must be exchanged with Mapiq during login, Mapiq recommends the SAML 2.0 protocol, as additional claims can be easily configured with this protocol.
Account management
The Mapiq applications use the Just In Time (JIT) principle for Single Sign On, meaning that a user is created in the application's backend the moment that user logs in for the first time. Users can be removed from your environment by deleting them in the administrator portal and revoking access within your Identity Provider.
Mapiq does not support SCIM (System for Cross-domain Identity Management) or other identity frameworks/integrations, although this is being looked into for future development.
Using Self Registration as the authentication mechanism allows for a very quick time to market as no integrations with your internal IT systems are required. Instead, your employees will follow a short sign up process and register themselves within Mapiq's backend (Microsoft Azure AD B2C).
The following steps are required to set up Self Registration for access to your organization's Mapiq Office Shifts environment:
- You provide a list of email domains related to your organization (generic domains like @gmail.com or @outlook.com are not allowed), which are whitelisted by Mapiq. Only registrants with an email address matching these domains are allowed to register to your environment, and ownership of the email address is validated by sending a confirmation email to that address.
- During registration the user is required to provide some personal information, which is used to create their user profile. The data in the user profile is used in multiple ways, such as personalization of the User Interface by addressing users by their name. The following information is to be provided by the registrant:
  - Email address
  - First name
  - Last name
  - Password
- After creation of the user profile, the user can log in to your Mapiq Office Shifts environment using their email address and a password.
- To revoke user access to your environment (e.g. when an employee leaves the company), you should request this via Mapiq's support.
Getting started with Self Registration is very easy. Please complete the onboarding form at the bottom of this page and return it to your contact at Mapiq.
Authentication flow
Mapiq Office Shifts supports four different login scenarios:
- Customer A uses Self Registration with a single whitelisted domain
- Customer B uses Single Sign On with a single whitelisted domain
- Customer C uses Self Registration with multiple whitelisted domains
- Customer D uses Single Sign On with multiple whitelisted domains
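As an added illustration (not Mapiq's implementation), the Python example below applies the domain whitelisting rule from the Self Registration steps to the four login scenarios listed above: it maps an email address to an environment and its authentication method. The `Environment` class, the function names and the `.example` domains are assumptions constructed for this example; confirming ownership of the address by email is outside its scope.

```python
# Added example; names and sample domains are constructed, not Mapiq's.
GENERIC_DOMAINS = {"gmail.com", "outlook.com"}  # generic domains named in the article

class Environment:
    def __init__(self, name, method, domains):
        # method is "self_registration" or "sso" (labels assumed for this example)
        normalized = {d.strip().lower().lstrip("@") for d in domains}
        generic = normalized & GENERIC_DOMAINS
        if generic:
            # Refuse the configuration instead of silently dropping the entry.
            raise ValueError(f"generic domains cannot be whitelisted: {sorted(generic)}")
        self.name, self.method, self.domains = name, method, normalized

def email_domain(address):
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    # Conservative: an address with more than one "@" is rejected outright.
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

def resolve_login(address, environments):
    """Map an email address to (environment name, auth method), or None."""
    domain = email_domain(address)
    if domain is None:
        return None
    for env in environments:
        # Exact match on the whole domain. Suffix or substring matching would
        # also accept lookalikes such as "a.example.other.example".
        if domain in env.domains:
            return env.name, env.method
    return None

# Constructed configuration mirroring Customers A to D from the list above.
ENVIRONMENTS = [
    Environment("customer-a", "self_registration", ["a.example"]),
    Environment("customer-b", "sso", ["b.example"]),
    Environment("customer-c", "self_registration", ["c.example", "c-labs.example"]),
    Environment("customer-d", "sso", ["d.example", "d-group.example"]),
]
```
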
Enterprise customers have the possibility for more complex configurations, examples of which are:
- Having multiple identity providers per environment
- Combining Single Sign On and Self Registration per environment
- Having multiple environments
An appropriate design matching your business needs will be drafted together with one of Mapiq's Solution Architects upon request.