Instructions for setting up SAML 2.0 SSO Integration with MazeMap

MazeMap supports Single Sign On (SSO) for increased security in accessing maps. With SSO, MazeMap Views can be secured for only signed-in-user access. At the moment, we support only the SAML Identity Provider the web app. Below is the procedure for enabling SSO with SAML. MazeMap supports SAML 2.0

Information to provide to MazeMap

In order to configure SAML 2.0 with MazeMap, you need to provide MazeMap with:

• Your IDPs Metadata as either

  • URL: This is the public url where the metadata for your IDP can be found. For example the IDP metadata for SurfNet can be found at https://metadata.surfconext.nl/idp-metadata.xml

  • XML File

• Please send the URL or XML file to your Customer Success Manager

Configuring your IdP

You'll need to configure your IdP to enable federation.

MazeMap will provide you with a CUSTOMER_ID for each domain that requires federation. Please ask your CSM to confirm the Customer ID.

• Assertion Customer Service (ACS) Endpoint: https://auth.mazemap.com/saml2/{CUSTOMER_ID}/callback?client_name={CUSTOMER_ID}SAML2

The endpoint where MazeMap’s Service will receive SAML assertions issued by the Identity Provider

• Service Provider Entity Id : https://auth.mazemap.com/saml2/{CUSTOMER_ID}. This is a unique ID that identifies MazeMap’s service in the Identity Provider.

Accessing the service

After configuration, your maps can be accessed by going to https://use.mazemap.com?campusid={CAMPUS_ID} and using the SSO login menu.

USING OFFICE 365 AS YOUR IDENTITY PROVIDER (IDP)

Find instructions below on how to use Office365 as your IDP. 

1. Create an Azure Active Directory Enterprise application. Login to your AAD Account

   1. Click on Enterprise applications

   2. Click on New application then Create your own application

1. Enter your desired name for your application

2.  Under Getting Started, select Set up single sign on then select SAML

3. Consult the information you received from MazeMap. Given your CUSTOMER_ID fill in the following fields

   1. Identifier (Entity ID): https://auth.mazemap.com/saml2/{CUSTOMER_ID}

   2. Reply URL (Assertion Consumer Service URL): https://auth.mazemap.com/saml2/{CUSTOMER_ID}/callback?client_name={CUSTOMER_ID}SAML2

   3. Logout Url (Optional): https://auth.mazemap.com/saml2/{CUSTOMER_ID}/logout
      Note however that if this url is not set, users will not be redirected back to mazemap after single logout process.
      

4. Send the metadata url in the field App Federation Metadata Url to MazeMap
   

Relay State: Set this value to the url you want to be redirected to after you test the integration with the IDP-initiated Request. For the config in the image above, one will redirect to https://use.mazemap.com after a successful integration test.

5. Please send the Application ID to the CSM assigned to the project, as that needs to be included in the configuration on MazeMap’s end. In order to collect the Application ID, click on the MazeMap SSO in the list of applications under “Enterprise Applications” in the Azure Portal.

6. You will need to add users or groups to the application you've just created. This indicated the users that are allowed to sign in with the Application

7. Optional: Access Groups
   For Asset Visualization, if the deployment calls for SSO, it’s possible to limit access to given groups by adding the Group ID (Object ID) to the accessGroups in the ssoConfig section in customer config.
   Also, if you intend to use group-based view access, then you need to do the following in order be able to give exclusive access to certain map view to specific user groups. For this to work you’ll need to add the Group claim.