Integrating an SSO provider with your Mursion Account

Before You Begin

Choosing a connection method is a technical decision as well as an administrative decision. We recommend reviewing SSO options with your IT Team to understand what’s possible and what structures you may already have in place to facilitate these integrations.

We recommend creating any new SSO integration in our Staging environment first, so you can test to make sure everything works properly. Once you've created the configuration in staging, you can duplicate that process in the live portal environment. We recommend doing this before your expected start date or during a time when Mursion sessions are not occurring.

 

If you do not have an account for our Staging environment, contact your Client Success Manager or Implementation Associate for assistance.

What we support

  1. Mursion supports SAML 2.0 and OAuth 2.0. Click the links below for our configuration guides. 
  2. Mursion supports manual account provisioning and/or Just-in-time user account provisioning and team assignment
  3. Mursion supports Single Logout via HTTPS redirection

What you will need:

  1. An Account Owner role for the Mursion Portal and our Staging Environment
  2. Administrator access to your Identity Provider (IDP)
  3. Mursion requires the following user attributes to be provided through SSO (you can add more, but this is the base requirement):
    1. User’s email
    2. User’s first name
    3. User’s last name (Mursion recommends using the user’s email as the SSO unique identifier.)
  4. We have a pre-configured Okta configuration available in the Okta Integration Library, but all other IDPs will require manual configurations within your IDP. 

Thinking about Teams

A team is a group of users from your organization that will be assigned to the same training scenarios. All learners must be assigned to a team in order to attend Mursion sessions. 

For example, everyone in your Human Resources department might be assigned to interview training sessions. You would create a Human Resources team to easily assign all Human Resources employees to their training scenarios. Learn more about possible team structures  here.

The Account Owner will need to consider how to structure their users into teams. Before getting started, it is recommended that the team leading the Mursion implementation at your organization decide how they will be utilizing teams within Mursion and if there is a field within your IDP that can map to the various teams a user may be assigned to within Mursion.

Note that Teams must be created within Mursion before enabling Team Mapping.

Click here for more information about Teams and Portal Structure 

If your users are already using Mursion:

  • We recommend enabling SSO during a time when Mursion sessions will not be occurring to prevent learners from being unable to log in and launch their sessions. 
  • It is recommended to take advantage of Mursion’s staging environment to test out the configuration before implementing SSO in production. 

SSO Configuration Process Flow

  1. Configure the SSO in the Mursion Testing Environment
    1. Configuring SAML 2.0 with an IdP
    2. Configuring SAML 2.0 with Okta
    3. Configuring SAML 2.0 with Microsoft Azure
    4. Configuring OpenID Connect with Okta
  2. Create Teams in the Mursion Portal
  3. Decide how you will provision users
    1. Mursion allows for manually added and mapped users or Just-in-time account provisioning. 
    2. To access Mursion content, users must be assigned to teams. Mursion supports team mapping through SAML integrations but requires a claim name (see section below) that can be mapped to the team assignments within Mursion. You may also add teams manually if team mapping does not fit your organization’s SSO structure.
  4. Test your SSO Configuration
  5. If the test is successful, implement the SSO in Mursion Portal

A Note About Claim Fields

When you add information to the Mursion portal, the required fields are marked with an asterisk. Note that the more fields you complete, the better and more detailed analytics you'll be able to see. 

In the future, we'll be adding more features that leverage these fields for reporting and user engagement. If you can, we highly encourage completing all fields. 

Converting Existing Users to SSO 

If you're a client who is adding SSO to your account and you already have accounts created for your learners, you can easily convert those users to SSO. Your existing users will never lose access to their account or lose any of their Mursion data.

Using the SP-initiated URL

Users that have previously signed in with a password will automatically be converted to SSO users when signing in via the SP-Initiated URL. 

Locating your SP-Initiated URL

  1. Click Settings
  2. Under SSO click your SSO configuration
  3. Click the copy icon next to the SP-Initiated URL
  4. Users should be provided the SP-Initiated URL and they will be converted to SSO users when they sign in via this URL

 


Testing your SSO Configuration

Testing your SSO Configuration with a Manually Added User Account

  1. Create a user account in the Mursion portal. The SSO ID of that user should align with the NameID configured in the SSO settings.
  2. Once created, navigate to portal.mursion.com 
  3. Enter the email address associated with that user 
  4. Click Next 
  5. Clicking next should take you to your IDP login page 
  6. Login through your IDP 
  7. This should authenticate your Mursion portal account
  8. If you enabled Team Mapping, and the user has an appropriate team claim name, this account should be assigned to the appropriate teams 

Testing your SSO Configuration with ‘Just-in-time’ Provisioning

  1. Log into your IDP with a user who has not yet been created in Mursion.
  2. Click the Mursion launch link created within your IDP. 
    1. If your IDP did not create a Mursion launch link, then you can reference the SP-initiated link from the Mursion metadata directly. 
  3. A user account should be created with an appropriate first name, last name, email address, and SSO ID. 
    1. If you enabled Team Mapping and the user has an appropriate team claim name, any teams should automatically be assigned as well. 

 




Troubleshooting Your SSO Configuration

 

SSO Provider

Error

Solution

All

404 Error

The SP link is not correct 

All

When a learner tries to log in, they see: “You’re not authorized to access Mursion”

This learner is not added to your IDP, but was added to your Mursion account. Add the learner’s information to the IDP.

SAML

403 Error

Confirm the following:

  1. The x509 certificate is formatted correctly in the SSO Configuration
  2. The single sign-on certificate is correct in the SSO Configuration
  3. The claim names are accurate

All

Duplicate user accounts are created instead of linking to manually-created accounts

Confirm the following:

  1. The email address on the Mursion account matches the email address in the IDP
  2. The SSO ID on the Mursion account matches the SSO NameID


If these steps do not resolve your issue, or if you have an issue not listed here, please contact  integrations@mursion.com