Security Assertion Markup Language (SAML) is an XML-based standard for exchanging user authentication data between an identity provider and a service provider. Below, we’ll go through the steps necessary to set up Mutiny on your SAML identity provider (idP).
Requesting information from Mutiny
The first step is to set up Mutiny in your SAML idP. To do that, you’ll first need the following information from Mutiny; to request it, please email support@mutinyhq.com:
- SP Metadata URL
- Single Sign-on URL (ACS)
- Direct Login URL
When setting up a new service provider, the information you need depends on your specific idP. Below are general instructions for two common flows.
Setup with your SP Metadata URL
If your idP supports configuring a service provider with metadata, you can use your unique SP Metadata URL in order to import your settings. If your idP needs the Metadata XML, visit the SP Metadata URL in your browser and copy the XML content.
Please note that some idPs may not automatically include all the required user attributes needed by Mutiny to create an account, so please confirm that the SAML attributes match up with the attribute statements described in the manual setup below.
Setup manually
When adding the service provider configuration manually, you will need the following information:
- Single Sign-on URL (ACS): provided by Mutiny (above).
- Audience URI (SP Entity ID): https://app.mutinyhq.com/sp
- Name ID format: Email Address (this isn’t always the default on the idP; Mutiny requires an email address as the unique identifier)
- Username: Email. If applicable, ensure that the id/username sent for the user is actually the email address.
Attribute Statements
Mutiny requires basic user information before creating an account. Please configure your idP to include the following custom SAML attributes:
Name | Name format | Value | Required? |
---|---|---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Email address | Yes |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Full name | Yes |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Given name | Yes |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Family name | Yes |
If a given name and family name are not provided, a full name can also be used if it contains both the given and family name.
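As an added example (not Mutiny’s code and not part of the original page), the following Python checks a SAML assertion against the requirements in this section: an emailAddress NameID that carries the user’s email, the Audience URI from the manual setup, the four claim attributes with the URI name format, the full-name fallback, and optionally the company email domain restriction described under “Sending information to Mutiny”. The sample assertion is constructed and unsigned; signature validation is out of scope here and would be done by your SAML library before these checks run.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://app.mutinyhq.com/sp"  # Audience URI from the manual setup

def sample_assertion(attrs, nameid_format=EMAIL_NAMEID, audience=SP_ENTITY_ID):
    """Build a constructed, unsigned test assertion (not a real idP response)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{CLAIMS}{n}" NameFormat="{URI_FORMAT}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{nameid_format}">{attrs.get("emailaddress", "")}</saml:NameID>'
            f"</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
            f"</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>")

def check_assertion(xml_text, allowed_domains=()):
    """Return the list of requirements the assertion fails; empty means it passes."""
    root = ET.fromstring(xml_text)
    problems = []
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not emailAddress")
    if SP_ENTITY_ID not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not contain the SP Entity ID")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("NameFormat") != URI_FORMAT:
            problems.append(f"{attr.get('Name')} uses NameFormat {attr.get('NameFormat')!r}")
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    email = attrs.get(CLAIMS + "emailaddress", "")
    if not email:
        problems.append("emailaddress attribute missing or empty")
    elif nameid is not None and (nameid.text or "").strip() != email:
        problems.append("NameID value is not the user's email address")
    # Given and family name are required; a full name with both parts is the
    # documented fallback (approximated here as at least two whitespace-separated words).
    if not (attrs.get(CLAIMS + "givenname") and attrs.get(CLAIMS + "surname")):
        if len(attrs.get(CLAIMS + "name", "").split()) < 2:
            problems.append("givenname/surname missing and no usable full name")
    domain = email.rpartition("@")[2].lower()
    if allowed_domains and domain not in {d.lower() for d in allowed_domains}:
        problems.append(f"email domain {domain!r} is not an allowed company domain")
    return problems
```

Pass `allowed_domains` only if you asked Mutiny to restrict access to your company domains; with an empty tuple the domain check is skipped.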
Sending information to Mutiny
To complete the SAML setup, please provide the following information to Mutiny by sending it to support@mutinyhq.com.
- The idP metadata URL, which is usually provided during or after your setup.
- What email domains do you use at your company (e.g. mutinyhq.com at Mutiny)?
- Would you like to force all users with your company email domains to use SAML? If this is the case, nobody will be allowed to log in using the email/password form or other OAuth providers (e.g. Google).
- Would you like to restrict access to your company’s Mutiny account to only the email domains you’ve provided? If this is the case, anyone logging in with SAML will only be allowed access if their email matches one of the domains.
- Would you like to automatically provision new users? If this is the case, you will no longer need to manually invite users individually. Instead, they will automatically get access when they attempt to log in using SAML.