โš™๏ธOrganization settings

Organization settings

The organization settings contains the organisation details such as ID and name.

Details

This section allows you to edit the name of the organization. You can find the unique identifier for our organization.

Single sign-on (SSO)

Single Sign-On (SSO) is a form of authentication in which a user only needs to log in once to access multiple applications. This module makes it possible to integrate with any system that supports SSO via the SAML 2.0 protocol such as Active Directory or Okta.

For security reasons, this setting needs to be requested through support.

The configuration screen consists of several parts:

  • Settings for a user

    • Add new users to all projects within the organization

    • Enforce user roles via SSO

      • Metamaze roles will be overwritten with the highest provided AD role at every login request

      • Updating roles in user management will be disabled

    • Default role of each user (you can change the role in the user management after the first login of the user).

    • The default language of the software for the user. You can change this in the user management module or the user can change it himself in his or her profile.

  • Allowed domains (required)

    • Users belonging to the domains listed here will be redirected to your SSO flow.

    • You can still create new users with other domain names which will be able to log in using a username and password

  • Folders of user properties in Metamaze on the properties of your system. The properties you can map (add via 'add new attribute' button) are

    • first name

    • last name

    • language

    • email address

  • Service provider metadata (SP XML)

    • Copy the Metamaze metadata url to add to your SSO IDP (identity provider).

    • Paste your metadata into the text box

To configure your identify provider, you can use the following values

KeyValue

EntityId / Audience URL

https://app.metamaze.eu/gql/sso/metadata

ACS / Reply / SSO URL

https://app.metamaze.eu/gql/sso/authenticate/<organisationId>

Metadata XML

Click on "View metadata" button to download the correct XML.

Managing roles via SSO

To map Active Directory groups to Metamaze roles and override the default role that was configured in the settings, you can use the following attribute mappings

Metamaze role

AD Group

Admin

GR Metamaze_Admin, ou=Authorization Groups, ou=Groups

Manager

GR Metamaze_Manager, ou=Authorization Groups, ou=Groups

Operator

GR Metamaze_Operator, ou=Authorization Groups, ou=Groups

Validator

GR Metamaze_Validator, ou=Authorization Groups, ou=Groups

Labeler

GR Metamaze_Labeler, ou=Authorization Groups, ou=Groups

If multiple roles are provided in the request, the highest one will be taken based on the order in the table right above. Groups that don't match the AD Groups defined above will be ignored.

If no matching roles are provided in the request, the default role as configured will be used.

Roles provided by attribute mappings are only applied during account creation. After that, the roles are defined only in Metamaze and the SSO-provided roles are ignored.

Changing AD Groups for existing users will not change them in Metamaze. If you want to change the role of a user, you can do that in the corresponding user management section of the Metamaze settings.

Last updated