Configuring SAML Single Sign-On – Kantata Knowledge Base

Overview

With SAML Single Sign-on (SSO) authentication, Mavenlink customers can manage the access of their users to different systems and accounts from a central system. Identity management systems, also called Identity Providers, enable users to authenticate automatically and securely and eliminate the need for your account members to remember their Mavenlink passwords.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard for authentication between an Identity Provider and a Service Provider. OKTA, OneLogin, and Active Directory Federation Services are all examples of Identity Providers, and Mavenlink is a Service Provider. Using SAML, organizations can configure browser-based SSO authentication.

SAML Support in Mavenlink

Mavenlink currently supports the ability to authenticate SSO users through a SAML Identity Provider, including:

Authenticating into Mavenlink through the SAML Identity Provider's dashboard
Responding to log-out signals to terminate the Mavenlink session
Restricting authentication to SAML users only (Strict SSO) at the account level

Availability and Access

SSO using SAML is available for Enterprise plans that meet the minimum user license requirement. You must have custom branding enabled to enable SSO. Specifically, a custom domain (such as yourdomain.mavenlink.com) is required for an SSO URL.

Please reach out to Customer Success or the Support team for more information.

How to Enable SAML in Mavenlink

Note: You must be an Account Administrator to enable SAML SSO.

In the left navigation, hover over Settings, then select Security.

From your Identity Provider, such as Okta, OneLogin or Active Directory Federation Services, you’ll need to gather the following information:

Identity Provider SSO URL — The Identity Provider's login URL that Mavenlink redirects your account members to. This varies with each Identity Provider.
- In OKTA, this is called the Identity Provider SSO URL, or the Postback URL.
- In OneLogin, this is called the SAML 2.0 Endpoint, or sometimes the SAML SSO URL.
- In Active Directory Federation Services, the Relaying party identifier.
- For Google SAML, the URL can be found by opening the Google Apps menu in the top right corner of the browser, right-clicking on the Mavenlink app, and copying the link address.
Issuer — This is a unique identifier for your identity provider. In some cases, this is called the entity id. This will typically be a URL.
X.509 Certificate — This is a public key for your SAML configuration and should start with
-----BEGIN CERTIFICATE-----

In addition to these fields, there are a few optional, but recommended fields for your Single Sign On experience in Mavenlink:

Email Domain — This will be used to identify individuals who are not yet on your Mavenlink account. When such individuals are identified, we will instruct them to contact their Account Administrator to invite them to your Mavenlink account.
Identity Provider Name — This is used on our login page to prompt users to login through their Identity Provider.
Logout URL — If specified, this will redirect the user to a URL of your choice after they log out of the Mavenlink system. This is often used to redirect to a central SAML logout to sign the user out of all SAML-connected applications. Alternatively, this could be used to take the user back to the SSO homepage.You can also choose whether to restrict login access to Mavenlink to only your Identity Provider. Selecting this option enforces that all members on your account must authenticate through your SAML 2.0 Identity Provider.

In order for Mavenlink to communicate back to your Identity Provider, you’ll need to enter in your Relaying Party SAML 2.0 SSO Service URL such as https://yourdomain.mavenlink.com/saml/consume into all of the following fields:

Okta: Single Sign On URL, Recipient URL, Destination URL, Audience Restriction Audience URI (SP Entity ID)
OneLogin: SAML Consumer URL, SAML Audience, SAML Recipient

For successful SAML SSO configuration, make sure to verify the following:

Account emails in Mavenlink match the email set per each user in the Identity Provider
Your Name ID format within the Identity Provider is set to email address

Troubleshooting

This section outlines some of the most common issues encountered by users with SAML SSO.

Unknown User
SAML is not supported at this account level
No error message. Users are just redirected to the login page and cannot log in
Failed SAML login
Invalid signature on SAML response
You have been logged out

Common Exceptions

`User not found`
Potential Cause	Recommended Resolution
The `NameID` in the SAML response is incorrect.	Check the `NameID` provided in the SAML response and compare with the expected user email address in Mavenlink. If it is incorrect, correct the email address in Mavenlink, or in the request.
There is no Mavenlink user account with the provided `NameID`.	If the `NameID` email is correct, but there is no Mavenlink user with that email address, then the user needs to be provisioned in Mavenlink before they can log in.

`SAML is not supported at this account level`
Potential Cause	Recommended Resolution
SAML is only supported for Enterprise accounts. The user may not be in the correct account. They may be in a personal free account, or a trial/test account.	Ensure that the user is in the correct Mavenlink account.

No error message; user is just redirected to the login page, but cannot log in.
Potential Cause	Recommended Resolution
Mismatched X.509 certificate data in Mavenlink settings	Re-upload the X.509 Certificate data to Mavenlink settings
No `NameID` provided	Fix the assertion claim in the Identity Provider’s setup to send the email address as the `NameID` assertion.
User not authorized to use SSO trust with Mavenlink	Settings > Security > Single Sign-On to match the `<issuer>` from the response.
The SAML response token is encrypted	Disable token encryption on the Identity Provider setup for the Mavenlink SSO trust/app.

`Invalid SAML response. Details: Doesn't match the issuer, expected:<issuer URL in Mavenlink>, but was: <issuer URL from Identity Provider>`
Potential Cause	Recommended Resolution
Incorrect `<ISSUER>` in SAML response.	Update the Identity Provider Entity ID / Issuer Url in Mavenlink

`Invalid signature on SAML response`
Potential Cause	Recommended Resolution
The public X.509 Certificate in your SAML settings does not match the X.509 Certificate in the assertion that your server is sending to Mavenlink.	A Mavenlink Account Administrator needs to re-upload the X.509 Certificate data to Mavenlink settings.

You have been logged out.

Potential Cause Recommended Resolution

Something is not correct in the Identity Provider setup, most likely the ACS address.
ACS refers to Assertion Consumer Service. This URL is an endpoint on the service provider (Mavenlink) where the identity provider will redirect to with its authentication response. This is also known as the Service Provider Single Sign-On URL.
The ACS URL is case sensitive and must be typed exactly as it appears in Mavenlink > Settings > Security > Single Sign-On
e.g. https://subdomain.mavenlink.com/saml/consume Update the ACS URL on the Identity Provider setup.

If you need further assistance with setting up SAML SSO or have any questions, please contact Support.