# SAML

{% hint style="warning" %}
This article has been moved from its original location in the Admin Guide.
{% endhint %}

MangoApps supports SAML, an XML-based standard for web browser single sign-on (SSO). Using SAML, end users can log into MangoApps using authentication from a single Identity Provider (IdP) such as Okta, ADFS, or OneLogin, which eliminates the need to memorize application-specific passwords.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-Lclpq021Ai9jH1_X4gO%252F-Ls0MN9cSPAlbMYy96zF%252F-Ls0MYXThgofkvYDCLsd%252Fimage.png%3Falt%3Dmedia%26token%3D38dffb6a-cb2b-452d-b368-5c264a959ad8&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=f62926ff&#x26;sv=2" alt=""><figcaption></figcaption></figure>

1\. **Name**: The name of the configured SAML IDP (Identity Provider). The IDP is the authoritative site responsible for authenticating an end user and asserting that user's identity to MangoApps.

2\. **Manage Settings**: Allows you to edit the existing configuration for the connection.

3\. **Configure User Mappings**: User mapping allows you to automatically populate the MangoApps User fields by syncing the details from your IDP.

4\. **Toggle Bar**: Click the **toggle bar** to enable/disable the connection.

5\. **Auto redirect setting**: Allows a Network Admin to enable the auto redirect setting. This setting automatically redirects users to the IDP landing page when they visit the MangoApps login page.

6\. **Add SSO Connection**: You can choose from a list of 13 out-of-the-box widely used applications for quick configuration. Additionally, you can add a custom SAML or OAuth2 application.

### Add SSO Connection <a href="#add-sso-connection" id="add-sso-connection"></a>

This section describes the steps to configure SSO for MangoApps using an IDP.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-Lclpq021Ai9jH1_X4gO%252F-Ls0MN9cSPAlbMYy96zF%252F-Ls0OBMay3X1XPWrrcvq%252Fimage.png%3Falt%3Dmedia%26token%3D52e72a22-52fa-40d8-a7a7-42ff4b308319&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=3569077e&#x26;sv=2" alt=""><figcaption></figcaption></figure>

Log on to the MangoApps Admin portal. Click on SSO, then click on SAML (under Connections). Click ‘Add SSO Connection’.

1\. Select from a list of well-known IDPs.

2\. Confirm the Application label. You can edit the default label.

3\. (Optional) JIT (just-in-time provisioning) is the ability to dynamically create user accounts for IDP-authenticated users when they access MangoApps for the first time. For example, with a just-in-time provisioning solution in place, when John accesses Mango's website for the first time, the SAML-based federated single sign-on process automatically creates John Doe's account and grants access to his requested resources.

If a user becomes "Deactivated" or "Deleted" through your user management method while JIT is enabled and the user is still authorized through your IDP, then when the user logs in with SAML, the system will reactivate their account or create a new one. To keep such a user out, also remove their authorization at the IDP.

4\. Use the IDP-provided metadata URL/file to simplify the configuration process. The metadata prepopulates IDP information such as the EntityID, endpoints (Single Sign On Service endpoint, Single Logout Service endpoint), public X.509 certificate, and NameID format. It can be read from a URL or uploaded as a file.

5\. Choose ‘Configure manually’ if the IDP Metadata isn’t available.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-Lclpq021Ai9jH1_X4gO%252F-Ls0MN9cSPAlbMYy96zF%252F-Ls0OtIf_wByPCFwfHNd%252Fimage.png%3Falt%3Dmedia%26token%3D4b0225d7-5369-4a10-ae2d-869fd10be324&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=42ea61b7&#x26;sv=2" alt=""><figcaption></figcaption></figure>

6\. Enter an Entity ID/Issuer URL from the IDP side. An entity ID is a globally unique name for a SAML entity.

7\. Copy the ACS URL and configure it on the IDP. The ACS (Assertion Consumer Service) URL is the MangoApps (service provider) endpoint responsible for receiving and parsing a SAML assertion.

8\. Enter the SSO URL from IDP to redirect users for Authentication requests.

9\. Enter a logout URL where users would be redirected after signing off from MangoApps.

10\. Select a ‘User Identifier’: one of ‘Email’, ‘samAccountName’, or ‘EmployeeID’.

11\. Paste the X.509 certificate from the IDP.

Your Identity Provider (IDP) may require an Audience URI (SP Entity ID). Below is an example of how to create that.

1\. If you are using a MangoApps shared cloud domain, enter the following: https\://(MangoappsSubDomain).mangopulse.com/saml

For example, if my site is <https://cableinc.mangoapps.com/> on the shared cloud, then my Audience URI will be <https://cableinc.mangopulse.com/saml>

2\. If your site is being hosted as a private cloud, then use the following format: https\://(MangoappsSubDomain).(Domain).com/saml

For example, if my site is <https://cableinc.companyco.com/> then my Audience URI will be <https://cableinc.companyco.com/saml>

***

### Vendor Walkthrough Videos <a href="#vendor-walkthrough-videos" id="vendor-walkthrough-videos"></a>

In the following videos, we will guide you through the integration setup of MangoApps with Azure Active Directory (AD) using Entra ID, incorporating Single Sign-On (SSO) with Security Assertion Markup Language (SAML) connections.

These videos will offer a step-by-step walkthrough of the System for Cross-domain Identity Management (SCIM) provisioning process. We aim to provide comprehensive guidance on each stage of the integration, ensuring a smooth and efficient setup. We will also tackle two common troubleshooting issues that may arise during the configuration process. Our goal is to address these challenges proactively in the event they should occur.

{% embed url="<https://mangoapps.wistia.com/medias/h8pby0876k>" %}

OKTA shared cloud: this video reviews setting up OKTA as the IDP for a MangoApps shared cloud, where the domain URL is specifically set up as "Intranet name".mangoapps.com.

{% embed url="<https://mangoapps.wistia.com/medias/g35w6q18ub>" %}
OKTA SAML Shared Cloud Setup
{% endembed %}

OKTA private cloud: this video reviews setting up OKTA as the IDP for a MangoApps private cloud domain or an on-premise setup, where the domain URL can be anything.

{% embed url="<https://mangoapps.wistia.com/medias/9y9oukwusa>" %}
OKTA SAML Private cloud / On-premise
{% endembed %}

OneLogin shared cloud: this video reviews setting up OneLogin as the IDP for a MangoApps shared cloud, where the domain URL is specifically set up as "Intranet name".mangoapps.com.

{% embed url="<https://mangoapps.wistia.com/medias/p7b6hvvhdz>" %}
OneLogin SAML Shared cloud
{% endembed %}

OneLogin private cloud: this video reviews setting up OneLogin as the IDP for a MangoApps private cloud domain or an on-premise setup, where the domain URL can be anything.

{% embed url="<https://mangoapps.wistia.com/medias/zfthi99g8q>" %}
OneLogin SAML Private cloud
{% endembed %}

