Setup Single Sign-On (SSO) Service
You can configure MapBusinessOnline to use your organization’s identity provider for logging in users. To implement this option the identity provider shall support SAML 2.0 or a newer protocol and your MapBusinessOnline account must have Team subscription.
In this article we describe how to setup Single Sign On with Okta, a leading identity service. First you need to configure Okta and then MapBusinessOnline.
Configure Okta
- You can start by configuring MapBusinessOnline SSO settings, downloading them in XML file, and applying the setting to your identity provider. Since Okta doesn’t support loading SSO settings from XML, let’s start by configuring the Okta identity provider.
- First, you need MapBusinessOnline’s signature and encryption certificate. It is available by the link and on the account Web page on the Team’s Single Sign On tab.
- Log into your Okta organization as a user with administrative privileges.
- Press Admin button on the menu bar (displayed on the picture below).
- On the right sidebar click 'Add Applications' item.
- Press 'Create New App' button.
- In 'Create a New Application Integration' dialog select 'SAML 2.0' option, then press Create button.
- On the first page specify general settings like Application name and press Next button.
- Copy the URL you can see below into 'Single sign on URL' box in Okta settings. Check 'Use this for Recipient URL and Destination URL' box on (that saves you time setting the same value into Recipient and Destination URLs manually).
https://www.mapbusinessonline.com/Account.aspx/samlresponse
-
- Enter sso.mapbusinessonline.com into 'Audience URI (SP Entity ID)' box.
sso.mapbusinessonline.com
-
- Select Persistent for Name ID format.
- MapBusinessOnline supports following Name ID formats:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
- urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- If you want to setup assertion encryption, response signing, or single logout use the 'Show Advanced Settings' link in Okta UI. Otherwise go straight to step 15 in this article.
- By default Response signing is ON. To turn it OFF just select 'Unsigned' value in corresponding box. For signature choose RSA-SHA256 and SHA256 algorithms. Note that some older algorithms are not supported by MBO for better security.
- Setup assertion encryption. Select 'Encrypted' in 'Assertion Encryption' box. Choose AES256-CBC and RSA-OAEP as encryption algorithms. Download MapBusinessOnline Encryption certificate by this link and set it in 'Encryption Certificate' box.
- If you want to setup Logout then check 'Allow application to initiate Single Logout' box. Edit boxes for 'Single Logout URL', 'SP Issuer' and 'Signature Certificate' become visible.
- Copy the URL you can see below into 'Single Logout URL' box in Okta settings.
https://www.mapbusinessonline.com/Account.aspx/samlresponse
- Enter sso.mapbusinessonline.com into ' SP Issuer ' box.
sso.mapbusinessonline.com
- Download MapBusinessOnline Signature certificate by this link and set it in 'Signature Certificate' box.
- Add attribute statements to simplify registration of new users in MapBusinessOnline. Following attributes are supported:
- givenname or firstname
- lastname
- streetaddress
- country or countrycode
- stateorprovince or state
- postalcode, zip or zipcode
- Here is an example of configured attribute statements:
- Phew! SAML has been configured. Click Next and then Finish buttons.
- Now save your application settings as they are required to configure SSO on MapBusinessOnline side. You can download settings by the 'Identity Provider metadata' link or just copy the link itself.
- Finally click Assignments on the menu and to assign users or groups to the SSO application.
Configure MapBusinessOnline
- Once the identity provider has been configured, go to MapBusinessOnline Account page and select the Team’s Single Sign On tab.
- The domain name will be copied from the e-mail address you provided upon registration. If you used a public e-mail address like gmail, it’s time to change your account settings to use a corporate e-mail address. You can do that from the 'Account information' tab on the Account page.
- The easiest way to configure MBO is to copy the URL pointing to the SSO settings into the 'URL to identity provider’s settings' box. See step 17 in the 'Configure Okta' article where we copy the URL in Okta.
- If you don’t have a URL but you have a file with SSO settings, then select the corresponding option on the tab.
- Check 'Assertions are encrypted', 'Assertions are signed', and 'Authentication requests and responses are signed' boxes to match the configuration on the identity provider’s side.
- Finally press the Save button.
- You are all set. Now your users can go to the Account page and set up the SSO login option.