Configuring SAML 2.0

Follow this guide to use SAML 2.0 SSO to connect to Mursion

Configuring SAML 2.0 

Introduction

This guide provides information on how to configure integration between Mursion and a SAML 2.0 Identity Provider (IdP). This is only available for Account Owners.

Supported Features

The Mursion SAML 2.0 integration currently supports the following features:

  • SP-initiated SSO
  • JIT (Just In Time) Provisioning

Add SSO in the Portal

  1. Sign in to Mursion Portal
  2. Select Settings
  3. Select SSO
  4. Click Create SSO Configuration
  5. On the New SSO Configuration dialog, enter the following:
    1. Protocol: Select SAML 2.0.
    2. Configuration Name: Enter a descriptive name of your choice.
    3. Single Sign-On Service Endpoint: Enter or copy and paste the Identity Provider Single Sign-On/Login URL. 
    4. Logout Endpoint: Enter or copy and paste the Identity Provider Logout URL.
    5. Entity ID: Enter or copy and paste the Identity Provider Issuer.
    6. X.509 Certificate: Copy and paste the PEM formatted text of the IdP Signing certificate that will be used to verify SAML responses.  Make sure to include the -----BEGIN CERTIFICATE----- header and
    7. -----END CERTIFICATE----- footer.
    8. Email Claim Name: Enter email.
    9. First Name Claim Name: Enter firstName.
    10. Last Name Claim Name: Enter lastName.
    11. Single Logout Enabled: Optionally, check this option to initiate a request to end the Okta user’s session when the user’s Mursion Portal session ends due to explicit logout or session timeout. 
    12. Team Claim Name: Optionally, to externally manage team assignment through a SAML user attribute, specify the name of the attribute that contains the value that should be used to assign users to a Mursion Portal team.
    13. Team Mapping: If a Team Clain Name is specified, click the Add + button to add a mapping. Select a Mursion Portal team from the Team drop down. Enter the value of the attribute that should be mapped to the Portal team. To remove a mapping, click the x on the right of the mapping.
  6. Click Create SSO Configuration.
  7. Click the newly created SSO Configuration.
  8. On the Edit SSO Configuration dialog, 
    1. Click Download  SP Metadata. Save the metadata XML file.
    2. Click to copy the SP Initiated SSO URL. Save the URL to be used in a subsequent step to test the SSO configuration.

Identity Provider (IdP)

  1. In the IdP, add a new application or configuration.
  2. If the IdP supports configuration by uploading Service Provider metadata, upload the metadata XML file that was downloaded from Mursion Portal. If the IdP does not support configuration by uploading Service Provider metadata, use the information in the metadata XML file that was downloaded from Mursion Portal to configure appropriate Service Provider related fields (Assertion Consumer Service URL, etc).
  3. Mursion Portal only supports SP Initiated login process and sends authentication requests (AuthnRequest) to IdPs by HTTP Redirect. Set the appropriate configuration in the IdP for these items.
  4. Set the appropriate configuration for the Subject/User related configuration:
    1. Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    2. Subject/User ID Profile Field: Select user’s email address or other unique identifier
  5. Set the SP Login URL to the SP Initiated SSO URL that was copied from Mursion Portal in step 7 above.
  6. Add  the following SAML attributes: 
    1. Attribute Name: email Attribute Value: User’s email address
    2. Attribute Name: firstName Attribute Value: User’s first name
    3. Attribute Name: lastName Attribute Value: User’s last name

Signing in to Mursion Portal through SSO

  1. Once the configuration in the IdP and Mursion Portal is completed, click on the application or tile in the IdP to initiate the SP Initiated login process.
  2. If the IdP does not have a clickable application or tile, simply copy and paste the SP Initiated SSO URL (from step 8 of the Add SSO in the Portal section above) in a browser to sign in to Mursion Portal through SSO.