We support SSO through Okta, Onelogin, Azure, and Google. Additional SSO's using open SSO protocols may also be supported. Please reach out to your Technical Account Manager if you are interested in using an SSO not listed here.
All Matik users added through the SCIM integration will be added as end users. To increase user permissions to Admin or Producer Admin, first add them as an end user via your SSO. Then grant them Admin and Producer Admin roles via Enterprise Settings within the Matik app.
SSO Setup
Click on your user button in the top right of Matik > Enterprise Settings and scroll down to the SSO section. Select your identity provider from the "Use (SSO) as an identity provider" checkboxes, then input the SAML Metadata URL and your email domain. Click "Update" on the bottom right of the screen.
Click below for provider specific SSO instructions:
When you enable SSO, we disable the option to log in with a password for everyone in the account except users with the producer admin role in Matik.
If needed for implementation the following URL's can be used for SSO setup:
- Single Sign-on URL: https://app.matik.io/_api/auth/sso/okta/
- Audience Restriction: https://app.matik.io/_api/auth/sso/
- Recipient and Destination URL: https://app.matik.io/_api/auth/sso/okta/
- SCIM Base URL: https://app.matik.io/_api/scim/
SSO Setup (Okta)
To setup the integration with Okta and Matik you need to have SuperAdmin or equivalent permissions in Okta and Producer Admin permissions in Matik.
To get Started go to Matik's Application page in Okta (Admin Console > Applications > Matik) and click on "Add Integration"
On the Matik Application page, Copy the Metadata URL
In Matik, navigate to enterprise settings > SSO.
Select the "Use Single Sign On" in the right of the SSO section. Select the "Use Okta as an identify provider". Enter the SAML Metadata URL value you copied from Okta and your organization's domain. Click on Update in the bottom right corner to save.
At this point, Okta is integrated with Matik, however, provisioning is not enabled so you will not be able to add users to Matik from Okta directly. Configuring provisioning is optional. If you do not want to configure, skip to the Adding Users to Okta without Provisioning section below.
To configure Provisioning, click on the Provisioning tab on the Matik application page in Okta.
Click on the Enable API integration checkbox. Enter the Matik Username and Password of the Matik Producer Admin you wish to use to provision Matik accounts. Click Save.
On the next page under "Provisioning to App" > To App, Select Create Users, and Deactivate Users. Click Save. Note that by default Attribute Mappings should be pre-configured and do not need to be changed unless your organizations custom configuration requires it.
Managing Users in Okta with Provisioning
Once configured, to add users by going to the Matik Application within Okta > Assignments.
Click on Assign and either Assign to People for an individual or Assign to Groups to bulk assign to an Okta group. When an Okta user is assigned to Matik, they will automatically be created a Matik account and will only be able to sign into Matik with Okta.
Accounts provisioned via Okta will be created with the End User role in Matik. Assigning additional roles through Okta is not supported. To grant additional roles, sign into the Matik app as a Producer Admin after provisioning in Okta, and manually update the required roles in Enterprise Settings (Top right Menu > Enterprise Settings > Users).
When you remove access to Matik via Okta, the corresponding user will be set to status = Inactive in the Matik app. They will no longer be able to access Matik, and will not count against any seat limits.
Adding Users to Okta without Provisioning
If provisioning isn't supported in your Okta instance or you choose not to configure, you will have to manually add users to Matik before assigning users to Matik in Okta. See this article for more information on Adding Matik Users manually or through a CSV upload.
After the user is added in Matik, go to the Matik Application within Okta > Assignments and click Assign to add people to Matik in Okta.
SSO Setup (Entra ID (fka Azure Active Directory)
-
Go to https://entra.microsoft.com/ and then go to “Enterprise apps” on the left-hand sidebar
-
Click on “New application”.
-
Click on “Create your own application”.
-
On the “Create your own application” screen, select Non-gallery application, name your application, and then click “Create” at the bottom of the screen.
-
You’ll be redirected to the newly created application’s overview page. On the menu, click “Single sign-on”
-
Select SAML as the single sign-on method.
-
Edit the Basic SAML Configuration
- Specify the following and then save:
- Identifier (Entity ID): https://app.matik.io/sp/metadata
-
Reply URL (Assertion Consumer Service URL): https://app.matik.io/_api/auth/sso/azure/
-
Under “SAML Certificates”, copy the App Federation Metadata URL.
- Go to https://app.matik.io/enterprise_settings
-
Scroll down to the SSO section. Select Use Azure as an identity provider, paste the copied app federation metadata URL, enter your organizations domain, and click “Update”.
Note that auto-provisioning is currently unavailable. At this time the provisioning process is manual and you will have to add users to Matik in addition to adding them in Entra ID. See this article for more information on Adding Matik Users manually or through a CSV upload.
SSO Setup (Google)
Navigate to the SSO section of Enterprise Settings and Select "Use Google as an identity provider" and click "Update".
When using Google SSO users are provisioned through Matik using the email address associated with their Google account. See the Adding Matik Users help article for more information.
SSO Setup (Generic SSO)
If you do not use one of the listed SSO providers, you can connect via our generic SSO connector. To do this:
- Select "Use Generic SSO as an identity provider" in Enterprise Settings
- Then, on your SSO provider side, generate a metadata file (.XML format). (If your SSO provider requires a signed certificate to generate the metadata file, Matik can provide that. Reach out to your Technical Account Manager.)
- Upload the metadata file to Matik
Comments
0 comments
Please sign in to leave a comment.