SAML Authentication
Mambu Process Orchestrator (MPO) supports Security Assertion Markup Language (SAML) authentication, which allows you to log into MPO using the login credentials of a third-party provider that supports SAML2. Currently, this feature is only available for dedicated environments.
This article is not a full discussion of SAML, but you can find links to more information about how SAML is implemented by commonly used Identity Providers (IdP) in the Additional documentation section. To enable SAML integration, you need to configure your IdP, download metadata about your configuration, and send it to your Customer Success Manager to complete the process in MPO.
Before you can log into MPO using your IdP’s account credentials, an MPO user with the same email address as in the identity provider needs to be created. For example, if you are using Google Workplace as your IdP, you need to have created a user in MPO with the same Google email address before logging into MPO for the first time. Once the account is created, the user will be able to authenticate with the configured SAML option. A user account cannot be automatically created in MPO by using the IdP account credentials only.
Creating a new SAML application
To integrate with a SAML solution you usually need access to the IdP’s administration area. You will be required to configure the following when creating a SAML application to integrate with MPO.
Service provider and name ID values
You will need to provide the following values when creating a SAML application.
| Field name | Description | Value |
|---|---|---|
ACS URL | An Assertion Consumer Service (ACS) is the endpoint where the IdP redirects to for authentication responses. The IdP identifier needs to be the same as the one used below. | https://TENANT_NAME.mpo.mambu.com/ auth2/saml/customer_sso/return |
IdP Identifier | A string identifier used to provide a name for the IdP SAML application. We recommend not using special characters for the name. | We recommend using customer_sso. If you need to use another IdP Identifier string, please contact us. |
Entity ID | A unique ID to identify the IdP. | customer_sso.TENANT_NAME |
Name ID format | Defines the format accepted for name identifiers. | Email |
Name ID | This specifies the mapping between the Name ID format attribute and the MPO user profile attribute. | Email |
You will need separate SAML applications for sandbox and production, as each ACS URL redirects back to the target MPO environment.
Attribute mapping
In the Attribute Mapping configuration section, create the following mappings:
- Map Basic Information > First name to the App attribute
first_name. - Map Basic Information > Last name to the App attribute
last_name.
User roles and rights are managed in MPO. You cannot assign roles to users in your IdP.
Signing options
Your IdP may allow you to enable signatures for several items. If assertions signing is not enabled, please enable it. Do not enable signing for any other parameter. If your security policy requires other SAML items to be signed - for example, requests and responses - please contact your Customer Success Manager.
User access
Once the application has been created, you will need to grant access to groups and users to the SAML application. These settings are usually found in the administration area of your IdP.
For example, if you are using Google Workplace as an IdP and you want to enable SAML authentication for groups, see Use groups to customize service access.
Download XML metadata
At the end of the process, download the SAML metadata as an XML file. Provide this file to your Customer Success Manager so that we can configure MPO. You may send this information by plain or secure email.
If SAML authentication is enabled, authenticating with passwords will still work for existing users. After SAML authentication is enabled, all newly created users will only be able to authenticate via SAML.
Additional documentation
For more information on setting up a SAML application, we recommend consulting the documentation of your preferred IdP. For more information on Google Workplace, see Set up your own custom SAML application. For more information on One Login, see Getting started with SAML.