SAML Authentication

Mambu Process Orchestrator (MPO) supports Security Assertion Markup Language (SAML) authentication, which allows you to log into MPO using the login credentials of a third-party provider that supports SAML2. Currently, this feature is only available for dedicated environments.

This article is not a full discussion of SAML, but you can find links to more information about how SAML is implemented by commonly used Identity Providers (IdP) in the Additional documentation section. To enable SAML integration, you need to configure your IdP, download metadata about your configuration, and send it to your Customer Success Manager to complete the process in MPO.

Creating a new SAML application

To integrate with a SAML solution you usually need access to the IdP’s administration area. You will be required to configure the following when creating a SAML application to integrate with MPO.

Service provider and name ID values

You will need to provide the following values when creating a SAML application.

Field nameDescriptionValue
ACS URLAn Assertion Consumer Service (ACS) is the endpoint where the IdP redirects to for authentication responses. The IdP identifier needs to be the same as the one used below.https://TENANT_NAME.mpo.mambu.com/ auth2/saml/customer_sso/return
IdP IdentifierA string identifier used to provide a name for the IdP SAML application. We recommend not using special characters for the name.We recommend using customer_sso. If you need to use another IdP Identifier string, please contact us.
Entity IDA unique ID to identify the IdP.customer_sso.TENANT_NAME
Name ID formatDefines the format accepted for name identifiers.Email
Name IDThis specifies the mapping between the Name ID format attribute and the MPO user profile attribute.Email

Attribute mapping

In the Attribute Mapping configuration section, create the following mappings:

  • Map Basic Information > First name to the App attribute first_name.
  • Map Basic Information > Last name to the App attribute last_name.

User roles and rights are managed in MPO. You cannot assign roles to users in your IdP.

Signing options

Your IdP may allow you to enable signatures for several items. If assertions signing is not enabled, please enable it. Do not enable signing for any other parameter. If your security policy requires other SAML items to be signed - for example, requests and responses - please contact your Customer Success Manager.

User access

Once the application has been created, you will need to grant access to groups and users to the SAML application. These settings are usually found in the administration area of your IdP.

For example, if you are using Google Workplace as an IdP and you want to enable SAML authentication for groups, see Use groups to customize service access.

Download XML metadata

At the end of the process, download the SAML metadata as an XML file. Provide this file to your Customer Success Manager so that we can configure MPO. You may send this information by plain or secure email.

Additional documentation

For more information on setting up a SAML application, we recommend consulting the documentation of your preferred IdP. For more information on Google Workplace, see Set up your own custom SAML application. For more information on One Login, see Getting started with SAML.