SAML
Setting up SAML based SSO integration
Last updated
MangoApps Administrators Guide
Setting up SAML based SSO integration
Last updated
MangoApps supports SAML - an XML-based standard for web browser single sign-on (SSO). Using SAML end users can log into MangoApps using authentication from a single Identity Provider (IdP) such as Okta, ADFS, OneLogin to name a few, thereby eliminating the need of memorizing application-specific passwords.
1. Name: The name of the configured SAML IDP (Identity Provider). The identity provider (IDP) is the authoritative site responsible for authenticating an end user and asserting MangoApps for the user.
2. Manage Settings: Allows you to edit the existing configuration for the connection.
3. Configure User Mappings: User mapping allows you to automatically populate the MangoApps User fields by syncing the details from your IDP.
4. Toggle Bar: Click the toggle bar to enable/disable the connection.
5. Auto redirect setting: Allows a Network Admin to enable auto redirect setting. This setting automatically redirects users to the IDP landing page when they visit MangoApps login page.
6. Add SSO Connection: You can choose from a list of 13 out-of-the-box widely used applications for quick configuration. Additionally, you can add a custom SAML or OAuth2 application.
This section describes the steps to configure SSO for MangoApps using an IDP.
Log on to the MangoApps Admin portal. Click on SSO, then click on SAML (under Connections). Click ‘Add SSO Connection’.
1. Select from a list of well-known IDPs.
2. Confirm the Application label. You can edit the default label.
3. (Optional) JIT is the ability to dynamically create user accounts for IDP authenticated users, when they access MangoApps for the first time. For ex - with a just-in-time provisioning solution in place, when John accesses Mango's website for the first time, the SAML-based federated single sign-on process automatically creates John Doe's account and grant access to his requested resources.
If a user becomes "Deactivated" or "Deleted" through your user management method while JIT is enabled and still authorized through your IDP. When the user logs in with SAML, the system will reactivate their account or create a new one.
4. Use the IDP provided metadata URL/File to simplify the configuration process. The metadata prepopulates IDP information like: EntityID, Endpoints (Single Sign On Service Endpoint, Single Logout Service Endpoint), public X.509 cert, NameId Format. It can be read from URL or alternatively uploaded as a file.
5. Choose ‘Configure manually’ if the IDP Metadata isn’t available.
6. Enter an Entity ID/Issuer URL from the IDP side. An entity ID is a globally unique name for a SAML entity.
7. Copy the ACS URL and configure it on the IDP. ACS here is MangoApps (service provider's endpoint) URL that is responsible for receiving and parsing a SAML assertion.
8. Enter the SSO URL from IDP to redirect users for Authentication requests.
9. Enter a logout URL where users would be redirected after signing off from MangoApps.
10. Select a ‘User Identifier’ as one of ‘Email’ or ‘samAccountName’ or ‘EmployeeID’
11. Paste the x509 certificate from the IDP.
Your Identity Provider (IDP) may require an Audience URI (SP Entity ID). Below is an example of how to create that.
1. If you are using a mangoapps shared cloud domain, the following is what you would enter: https://(MangoappsSubDomain).mangopulse.com/saml
For example, if my site is https://cableinc.mangoapps.com/ on the shared cloud, then my Audience URI will be https://cableinc.mangopulse.com/saml
2. If your site is being hosted as a private cloud, then use the following format: https://(MangoappsSubDomain).(Domain).com/saml
For example, if my site is https://cableinc.companyco.com/ then my Audience URI will be https://cableinc.companyco.com/saml
In the following videos, we will guide you through the integration setup of MangoApps with Azure Active Directory (AD) using Entra ID, incorporating Single Sign-On (SSO) with Security Assertion Markup Language (SAML) connections.
These videos will offer a step-by-step walkthrough of the System for Cross-domain Identity Management (SCIM) provisioning process. We aim to provide comprehensive guidance on each stage of the integration, ensuring a smooth and efficient setup. We will also tackle two common troubleshooting issues that may arise during the configuration process. Our goal is to address these challenges proactively in the event they should occur.
OKTA shared cloud, this video will review setting up OKTA as the IDP for a Mangoapps shared cloud where the domain URL is specifically set up as "Intranet name".mangoapps.com
OKTA Private cloud, this video will Review setting up OKTA as the IDP for a Mangoapps private cloud domain or an On-premise setup. This is where the domain URL is anything.
OneLogin Shared cloud, this video will review setting up OneLogin as the IDP for a Mangoapps shared cloud where the domain URL is specifically set up as "Intranet name".mangoapps.com
OneLogin Private cloud, this video will Review setting up OneLogin as the IDP for a Mangoapps private cloud domain or an On-premise setup. This is where the domain URL is anything.
