How to Set Up SAML SSO Login

You'll need a SAML 2.0 identity provider server set up before you can follow this guide.

To set up a SAML SSO login for our Client Dashboard, you'll need to:

  1. Create a SAML SSO application in your identity provider (IDP).
  2. Create and assign users to your SAML SSO application in your IDP. Users must have the following attributes:
    • First name
    • Last name
    • Email
  3. Contact MX for your Client ID attribute. You'll set this value in your IDP later.
  4. Send MX the following:
    • A valid X.509 certificate used to verify the SAML responses you send. We’ll also accept an XML configuration file.
    • The certificate fingerprint.
    • The certificate fingerprint algorithm.
  5. Configure your SAML SSO application in your IDP:
    • Set Entity ID to https://dashboard.mx.com/saml/sp
    • Set Reply URL (Assertion Consumer Services URL) to https://dashboard.mx.com/saml (this value may differ if you're testing in a different environment).
    • Set Relay URL to https://dashboard.mx.com/ (this value may differ if you're testing in a different environment).
    • Set Client ID to the value sent by MX.
    • See Attributes for a list of all attributes, their supported formats, and descriptions.

Attributes

Use the following attributes when configuring your SAML SSO application in your IDP.

| Attribute Name | Supported Attribute Formats | Description |
| --- | --- | --- |
| Client Id | client_id, clientId, ClientId, Client ID | This is needed so we can identify and then verify your association to the user attempting to sign in. It's required to be passed in through the SAML response itself. |
| Email | mail, email, email_address, emailAddress, EmailAddress, Email Address | The user's email address. |
| First Name | first_name, firstName, FirstName, First Name | The user's first name. |
| Last Name | last_name, lastName, LastName, Last Name | The user's last name. |
| NameID | nameid | We use an unspecified format for NameId. Set this value to the external_guid of the analytics user attempting to sign in. The NameId field set on the SAML response will be used as that user's external guid and from then on will be used to identify the user in subsequent sign-ins. This attribute must be passed with the Subject nodes of the SAML response. |
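
The following is an added example, not MX code: a pre-flight check that a decoded SAML assertion from your IDP carries the attributes listed above and a NameID inside Subject. The sample assertion and every value in it are constructed, and treating the listed attribute names as exact, case-sensitive matches is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Accepted attribute names, copied from the Attributes table on this page.
ACCEPTED = {
    "Client Id": {"client_id", "clientId", "ClientId", "Client ID"},
    "Email": {"mail", "email", "email_address", "emailAddress", "EmailAddress", "Email Address"},
    "First Name": {"first_name", "firstName", "FirstName", "First Name"},
    "Last Name": {"last_name", "lastName", "LastName", "Last Name"},
}

# Constructed sample: the IDP was configured to send "surname", which is not in the table.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>USR-constructed-guid</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="client_id"><saml:AttributeValue>CLIENT-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Diaz</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of problems in a decoded SAML assertion; an empty list means OK.

    Configuration lint only: it does not verify the signature or conditions.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # NameID must be passed inside the Subject node.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing from Subject")
    # Collect attribute name -> first value from the AttributeStatement.
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    # Each required attribute must appear under one of its accepted names.
    for label, names in ACCEPTED.items():
        if not any(values.get(n) for n in names):
            problems.append(f"{label} missing or empty")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

Run it against an assertion captured from your own IDP during testing to catch attribute naming mismatches before a user hits a failed sign-in.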

Just In Time Users

Users can sign in to Client Dashboard without an existing login if they have first name, last name, and email attributes that associate them to your institution. These are known as just-in-time users. By default, just-in-time users can view the User lookup, API keys and whitelisting, Webhooks, and OAuth screens. To let a just-in-time user view more than these screens, you'll need someone with the admin role to set those additional permissions.