MazeMap supports Single Sign On (SSO) for increased security in accessing maps. With SSO, MazeMap Views can be secured so that only signed-in users can access them. At the moment, we support only SAML Identity Providers (SAML 2.0). Below is the procedure for enabling SSO with SAML.
Information to provide to MazeMap
In order to configure SAML 2.0 with MazeMap, you need to provide MazeMap with:
Your IdP's metadata, as either:
URL: the public URL where the metadata for your IdP can be found. For example, the IdP metadata for SurfNet can be found at https://metadata.surfconext.nl/idp-metadata.xml
XML file: the metadata document itself.
Please send the URL or XML file to your Customer Success Manager (CSM).
Configuring your IdP
You'll need to configure your IdP to enable federation.
MazeMap will provide you with a CUSTOMER_ID for each domain that requires federation. Please ask your CSM to confirm the Customer ID.
Assertion Consumer Service (ACS) endpoint: https://auth.mazemap.com/saml2/{CUSTOMER_ID}/callback?client_name={CUSTOMER_ID}SAML2
This is the endpoint where MazeMap's service receives the SAML assertions issued by the Identity Provider.
Service Provider Entity ID: https://auth.mazemap.com/saml2/{CUSTOMER_ID}. This unique ID identifies MazeMap's service to the Identity Provider.
Accessing the service
After configuration, your maps can be accessed by going to https://use.mazemap.com?campusid={CAMPUS_ID} and using the SSO login menu.
USING OFFICE 365 AS YOUR IDENTITY PROVIDER (IDP)
Find instructions below on how to use Office 365 as your IdP.
Create an Azure Active Directory Enterprise application: log in to your AAD account.
Click on Enterprise applications
Click on New application then Create your own application
Enter your desired name for your application
Under Getting Started, select Set up single sign on then select SAML
Consult the information you received from MazeMap. Given your CUSTOMER_ID, fill in the following fields:
Identifier (Entity ID): https://auth.mazemap.com/saml2/{CUSTOMER_ID}
Reply URL (Assertion Consumer Service URL): https://auth.mazemap.com/saml2/{CUSTOMER_ID}/callback?client_name={CUSTOMER_ID}SAML2
Logout URL (optional): https://auth.mazemap.com/saml2/{CUSTOMER_ID}/logout
Note, however, that if this URL is not set, users will not be redirected back to MazeMap after the single logout process.
Send the metadata URL shown in the field App Federation Metadata Url to MazeMap.
Relay State: set this value to the URL you want users to be redirected to after you test the integration with the IdP-initiated request. For the configuration in the image above, users are redirected to https://use.mazemap.com after a successful integration test.
Please send the Application ID to the CSM assigned to the project, as it needs to be included in the configuration on MazeMap's end. To find the Application ID, click on the MazeMap SSO application in the list under "Enterprise Applications" in the Azure Portal.
You will need to add users or groups to the application you've just created. This determines which users are allowed to sign in with the application.
Optional: Access Groups
For Asset Visualization, if the deployment calls for SSO, it's possible to limit access to given groups by adding the Group ID (Object ID) to accessGroups in the ssoConfig section of the customer config.
Also, if you intend to use group-based view access, you need to do the following to be able to give exclusive access to certain map views to specific user groups. For this to work, you'll need to add the Group claim.