Overview
With SAML Single Sign-on (SSO) authentication, Mavenlink customers can manage the access of their users to different systems and accounts from a central system. Identity management systems, also called Identity Providers, enable users to authenticate automatically and securely and eliminate the need for your account members to remember their Mavenlink passwords.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard for authentication between an Identity Provider and a Service Provider. OKTA, OneLogin, and Active Directory Federation Services are all examples of Identity Providers, and Mavenlink is a Service Provider. Using SAML, organizations can configure browser-based SSO authentication.
SAML Support in Mavenlink
Mavenlink currently supports the ability to authenticate SSO users through a SAML Identity Provider, including:
- Authenticating into Mavenlink through the SAML Identity Provider's dashboard
- Responding to log-out signals to terminate the Mavenlink session
- Restricting authentication to SAML users only (Strict SSO) at the account level
Availability and Access
SSO using SAML is available for Enterprise plans that meet the minimum user license requirement. You must have custom branding enabled to enable SSO. Specifically, a custom domain (such as yourdomain.mavenlink.com) is required for an SSO URL.
Please reach out to Customer Success or the Support team for more information.
How to Enable SAML in Mavenlink
In the left navigation, hover over Settings, then select Security.
From your Identity Provider, such as Okta, OneLogin or Active Directory Federation Services, you’ll need to gather the following information:
- Identity Provider SSO URL — The Identity Provider's login URL that Mavenlink redirects your account members to. This varies with each Identity Provider.
- In OKTA, this is called the Identity Provider SSO URL, or the Postback URL.
- In OneLogin, this is called the SAML 2.0 Endpoint, or sometimes the SAML SSO URL.
- In Active Directory Federation Services, the Relying party identifier.
- For Google SAML, the URL can be found by opening the Google Apps menu in the top right corner of the browser, right-clicking on the Mavenlink app, and copying the link address.
- Issuer — This is a unique identifier for your identity provider. In some cases, this is called the entity id. This will typically be a URL.
- X.509 Certificate — This is a public key for your SAML configuration and should start with -----BEGIN CERTIFICATE-----
In addition to these fields, there are a few optional, but recommended fields for your Single Sign On experience in Mavenlink:
- Email Domain — This will be used to identify individuals who are not yet on your Mavenlink account. When such individuals are identified, we will instruct them to contact their Account Administrator to invite them to your Mavenlink account.
- Identity Provider Name — This is used on our login page to prompt users to log in through their Identity Provider.
- Logout URL — If specified, this will redirect the user to a URL of your choice after they log out of the Mavenlink system. This is often used to redirect to a central SAML logout to sign the user out of all SAML-connected applications. Alternatively, this could be used to take the user back to the SSO homepage.
You can also choose whether to restrict login access to Mavenlink to only your Identity Provider. Selecting this option enforces that all members on your account must authenticate through your SAML 2.0 Identity Provider.
In order for Mavenlink to communicate back to your Identity Provider, you’ll need to enter your Relying Party SAML 2.0 SSO Service URL, such as https://yourdomain.mavenlink.com/saml/consume, into all of the following fields:
- Okta: Single Sign On URL, Recipient URL, Destination URL, Audience Restriction Audience URI (SP Entity ID)
- OneLogin: SAML Consumer URL, SAML Audience, SAML Recipient
For successful SAML SSO configuration, make sure to verify the following:
- Account emails in Mavenlink match the email set for each user in the Identity Provider
- Your Name ID format within the Identity Provider is set to email address
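The fields above (Issuer, X.509 Certificate, the /saml/consume Service URL used as Recipient, Destination and Audience, the email-address Name ID format, and the optional Email Domain) each correspond to a value that a Service Provider checks in the SAML Response it receives. The following Python script is an added example, not Mavenlink's code; it parses a constructed SAML Response with the standard library and reports which of those values disagree with the administrator's settings, and it classifies a Name ID the way the Email Domain field is described (member, not yet on the account, or unknown). The `SpConfig` class, the sample response and the placeholder certificate bytes are assumptions made for this illustration. The certificate check is a format check only; verifying the XML signature requires an XML-DSig library and is not done here.

```python
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass
class SpConfig:
    """Hypothetical container for the values entered on the Security page."""
    acs_url: str        # Relying Party SAML 2.0 SSO Service URL (Recipient/Destination/Audience)
    issuer: str         # Identity Provider Issuer / entity id
    email_domain: str   # optional Email Domain field ("" if unset)
    certificate: str    # X.509 Certificate as pasted (PEM text)


def certificate_looks_valid(pem: str) -> bool:
    """Format check: PEM header/footer present and the body decodes to a DER SEQUENCE (0x30).
    This does not prove the certificate is the IdP's or verify any signature."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30


def check_response(xml_text: str, cfg: SpConfig) -> list[str]:
    """Return the configuration mismatches found in a SAML Response; an empty list means consistent."""
    problems: list[str] = []
    root = ET.fromstring(xml_text.strip())
    if root.get("Destination") != cfg.acs_url:
        problems.append("Destination does not match the SP SSO Service URL")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg.issuer:                      # exact match, never a substring test
        problems.append("Issuer does not match the configured Issuer / entity id")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("Name ID format is not emailAddress")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg.acs_url:
        problems.append("Recipient does not match the SP SSO Service URL")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if cfg.acs_url not in audiences:
        problems.append("Audience does not include the SP Entity ID")
    return problems


def classify_user(email: str, account_emails: set[str], cfg: SpConfig) -> str:
    """Mirror the Email Domain behaviour: a known-domain address not on the account is told to ask
    an Account Administrator for an invitation; anything else is an unknown user."""
    e = email.strip().lower()
    if e in {a.lower() for a in account_emails}:
        return "member"
    if cfg.email_domain and e.endswith("@" + cfg.email_domain.lower()):
        return "invite_needed"
    return "unknown_user"


# Constructed sample data (not real credentials): "MAECAQA=" decodes to bytes 30 01 02 01 00,
# a placeholder DER SEQUENCE standing in for a real certificate body.
SAMPLE_CONFIG = SpConfig(
    acs_url="https://yourdomain.mavenlink.com/saml/consume",
    issuer="https://idp.example.com/metadata",
    email_domain="example.com",
    certificate="-----BEGIN CERTIFICATE-----\nMAECAQA=\n-----END CERTIFICATE-----\n",
)

GOOD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0"
                Destination="https://yourdomain.mavenlink.com/saml/consume">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_constructed2" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://yourdomain.mavenlink.com/saml/consume"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://yourdomain.mavenlink.com/saml/consume</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    print("certificate format ok:", certificate_looks_valid(SAMPLE_CONFIG.certificate))
    print("mismatches:", check_response(GOOD_RESPONSE, SAMPLE_CONFIG))
    print("bob@example.com ->", classify_user("bob@example.com", {"alice@example.com"}, SAMPLE_CONFIG))
```

Running the script against the constructed response reports no mismatches; changing the Name ID Format attribute to `unspecified`, or pointing Audience at a different URL, produces the corresponding entry in the list, which is the same class of mismatch behind a "Failed SAML login" or "Unknown User" outcome when the two sides of the configuration drift apart.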
Troubleshooting
This section outlines some of the most common issues encountered by users with SAML SSO.
- Unknown User
- SAML is not supported at this account level
- No error message. Users are just redirected to the login page and cannot log in
- Failed SAML login
- Invalid signature on SAML response
- You have been logged out
Common Exceptions
If you need further assistance with setting up SAML SSO or have any questions, please contact Support.