Single Sign On

Keep your dashboard account secure

Overview

Set up Single Sign On (SSO) for your employees to login to the MetaMap dashboard with their existing work email credentials.

You can customize your dashboard login page to use a range of identity providers (IDPs) - such as Microsoft Azure Active Directory and Okta Workforce, as well as social login providers - Google, Linkedin, Slack and more.

User experience

When you set up an enterprise connection, your users will be directed to your chosen identity provider to authenticate every time they sign up or login.

Supported identity providers (IDPs)

We support the following enterprise identity providers:

  • SAML
  • OpenID Connect
  • Okta Workforce
  • Google Workspace
  • Microsoft Azure AD
  • ADFS
  • Active Directory/ LDAP
  • Ping Federate

Supported social logins

We support the following social logins: Google, Apple, Facebook, Twitter, LinkedIn, Microsoft, GitHub, Instagram, WordPress, Amazon, Salesforce, PayPal, Shopify, WeChat, Line, QQ, RenRen, VK, Yandex, Microsoft Office 365, Dropbox, and more.

Setup instructions

📘

Need help?

Contact [email protected] and we would be glad to assist

Step 1: Configure your identity provider

Microsoft Azure Active Directory

  1. Set up a new Active Directory (AD) application

    Follow Microsoft’s documentation on how to create a new Active Directory application in your Active Directory portal: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

  2. Enter the following Redirect URI in your new AD application

    https://auth.getmati.com/login/callback

  3. Collect the following data from your Active Directory portal

    1. Client secret

      1. Under Manage > Certificates & secrets, click to create a new client secret
      2. Copy the client secret and the expiration date
    2. Application client ID

      1. In your new application, click on Overview
      2. Copy the Application ID and include it in the email
  1. Primary domain

    1. In your new application, set up Primary domain. It should be the one visible under Overview

📘

Note on email verification

Only users with a configured email in your Active Directory will be able to use SSO to enter MetaMap’s dashboard.

By default, we will assume that any user added to your Active Directory has already verified their email, and we will not require them to re-verify their email on their first login to MetaMap. If you would like to change this, please let us know.

Okta Workforce

  1. Set up a new OKTA OpenID Connect (OIDC) web app integration

    Follow Auth0’s documentation on how to create a new OIDC application on OKTA portal: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta

  1. Enter the following Sign-in redirect URI in your new Okta web app application

    https://auth.getmati.com/login/callback

  2. Collect the following data from your Okta application

    1. Client ID

      1. In your new application, click on General
      2. Copy the Client ID and include it in the email
  1. Client secret

    1. Under General > Client Secrets, click to Generate new secret
    2. Copy the client secret and include it in the email
  2. Domain for Redirect URL

    1. Configure a Custom Domain or use default OKTA’s domain and include it in the email
      For example, in the screenshot below, the domain you should send us would be dev-27475084-admin.okta.com

SAML

  1. Configure your IDP as required to collect the following
    1. Sign In URK
    2. X509 Signing Certificate
      SAMLP server public key encoded in PEM or CER format
    3. Sign Out URL
      Optional: when empty this field defaults to the Sign In URL.
    4. User ID Attribute
      Optional: This is the attribute in the SAML token that will be mapped to the user_id property in Auth0.
    5. Sign Request Algorithm
      RSA-SHA256 or RSA-SHA1
    6. Sign Request Algorithm Digest
      SHA256 or SHA1
    7. Protocol Binding
      HTTP-Redirect or HTTP-POST
      Applies only to the SAML Request Binding. The SAML Response Binding only supports HTTP-POST.
  2. Enter the following Redirect URI in IDP
    1. https://auth.getmati.com/login/callback

OpenID Connect

  1. Configure your IDP as required to collect the following
    1. Issuer URL
      The URL of the discovery document of the OpenID Connect provider you want to connect with.
    2. Client ID
      Obtaining the Client ID differs across providers. Please check your provider's documentation.
  2. Enter the following Redirect URI in IDP
    1. https://auth.getmati.com/login/callback

Google Workspace

  1. Configure your IDP as required to collect the following
    1. Google Workspace Domain
    2. Client ID
    3. Client Secret
  2. Enter the following Redirect URI in IDP
    1. https://auth.getmati.com/login/callback

ADFS

  1. Configure your IDP as required to collect the following
    1. ADFS Metadata Source
      ADFS URL or Federation Metadata File
    2. ADFS URL
  2. Enter the following Redirect URI in IDP
    1. https://auth.getmati.com/login/callback

Active Directory/ LDAP

  1. Configure your IDP as required to collect the following
    1. Display name
      If set, Universal Login will show a button "Continue with {Display Name}".
    2. Logo URL
      If set, Universal Login will show this icon on the 'Continue with {Display Name}' button. Image will be displayed as a 20x20px square.
    3. IdP Domains
      Optional: Comma-separated list of the domains that can be authenticated in the Identity Provider. Only needed for Identifier First authentication flows.
  2. Enter the following Redirect URI in IDP
    1. https://auth.getmati.com/login/callback

Ping Federate

  1. Configure your IDP as required to collect the following
    1. PingFederate Server URL
    2. X509 Signing Certificate
      PingFederate server public key encoded in PEM or CER format
    3. Sign Request Algorithm
      RSA-SHA256 or RSA-SHA1
    4. Sign Request Algorithm Digest
      SHA256 or SHA1
  2. Enter the following Redirect URI in IDP
    1. https://auth.getmati.com/login/callback

Step 2: Send your configuration details to MetaMap

Send the data specified in the previous step to [email protected] securely fromthe email associated with an Admin user in your MetaMap dashboard account.

In your email include:

  • What login methods (identity providers, social logins, and/or email + password) you would like to make available for your dashboard users. You can add as many as you want.
  • The date you would like SSO enabled on your dashboard
  • The data required from Step 1. using an "archive" OR the "output file" from the encryption instructions below

🔐

Encrypt sensitive data before sending it to MetaMap

We will require you to send your Client ID and Client Secret to us securely for us to configure in our authentication platform. There are two options:

  1. Use an archive with a password

    1. Create a text file with the Client ID and Client Secret IDs.txt
    2. Archive the file with a password. 7-Zip is a free file archiver
    3. Use a strong password with at least 16 characters in length
    4. Send the archive over email to [email protected]
    5. Send the password to MetaMap via an alternative channel like Slack or SMS
    6. Delete the text file and archive from the computer

  2. Use a PGP encrypted file

    1. Create a text file with the Client ID and Client Secret IDs.txt
    2. Download MetaMap’s public PGP key MetaMap.pub
    3. Import MetaMap’s public PGP key gpg --import MetaMap.pub
    4. Encrypt the text file gpg --encrypt --recipient [email protected] IDs.txt
    5. Send the resulting output file IDs.txt.gpg over email to [email protected]
    6. Delete the text file from the computer