We support SSO through Okta, OneLogin, Azure, and Google. Additional SSO providers using open SSO protocols may also be supported. Please reach out to your Technical Account Manager if you are interested in using an SSO provider not listed here.
All Matik users added through the SCIM integration will be added as end users. To increase user permissions to Admin or Producer Admin, first add them as an end user via your SSO. Then grant them Admin and Producer Admin roles via Enterprise Settings within the Matik app.
SSO Setup
- As an admin, go to Enterprise Settings for your organization. Scroll down to the SSO section.
- Select your identity provider from the "Use (SSO) as an identity provider" checkboxes.
- Then input the SAML Metadata URL and your domain. (NOTE: if your SAML metadata URL has a custom domain, such as acmecorp.com instead of something SSO provider-specific, like okta.com or microsoftonline.com, make sure that the Domain you enter matches the custom domain in the Metadata URL. This is how Matik will check to ensure the Metadata URL is valid.)
- Click "Update" on the bottom right of the screen to save the changes.
When you enable SSO, we disable the option to log in with a password for everyone in the account except users with the producer admin role in Matik.
See below for provider-specific SSO instructions.
If needed for implementation, the following URLs can be used for SSO setup:
- Single Sign-on URL: https://app.matik.io/_api/auth/sso/okta/
- Audience Restriction: https://app.matik.io/_api/auth/sso/
- Recipient and Destination URL: https://app.matik.io/_api/auth/sso/okta/
- SCIM Base URL: https://app.matik.io/_api/scim/
SSO Setup (Okta)
SSO Setup (Entra ID (fka Azure Active Directory))
Matik is not currently listed in the Microsoft Entra Gallery, but we support Entra SSO by creating a custom (non-gallery) enterprise application. This section covers SSO configuration first, followed by optional SCIM-based user provisioning.
Set up Single Sign-On
1. Go to https://entra.microsoft.com/ and then go to “Enterprise apps” on the left-hand sidebar.
2. Click on “New application”.
3. Click on “Create your own application”.
4. On the “Create your own application” screen, select Non-gallery application, name your application, and then click “Create” at the bottom of the screen.
5. You’ll be redirected to the newly created application’s overview page. On the menu, click “Single sign-on”.
6. Select SAML as the single sign-on method.
7. Edit the Basic SAML Configuration.
8. Specify the following and then save:
   - Identifier (Entity ID): https://app.matik.io/sp/metadata
   - Reply URL (Assertion Consumer Service URL): https://app.matik.io/_api/auth/sso/azure/
9. Under “SAML Certificates”, copy the App Federation Metadata URL.
10. Go to https://app.matik.io/enterprise_settings
11. Scroll down to the SSO section. Select Use Azure as an identity provider, paste the copied app federation metadata URL, enter your organization’s domain, and click “Update”.
Set up Entra SCIM-based User Provisioning (Optional)
You can optionally configure SCIM-based user provisioning so that users assigned to the Matik application in Entra are automatically created in Matik. (If you do not want to configure provisioning, you can skip this section and instead add users to Matik manually before they sign in via SSO. See this article for more information on Adding Matik Users manually or through a CSV upload.)
12. Go back to the application’s overview page in Microsoft Entra. On the menu, click Provisioning.
13. Under Manage, click Provisioning.
14. Set Provisioning Mode to Automatic. Expand the Admin Credentials section and complete the form with the following:
   a. Authentication Method: Bearer Authentication
   b. Tenant URL: https://app.matik.io/_api/scim/
   c. Secret Token: Use the Base64-encoded value from a Basic Auth header with your Matik credentials.
15. Click Test Connection to verify the credentials, then click Save.
What to Expect After Provisioning
- Users provisioned via Entra will be created with the End User role in Matik.
- Assigning additional roles (Admin, Producer Admin) through Entra is not supported. To grant additional roles, sign in to Matik as a Producer Admin after provisioning and manually update roles in Enterprise Settings (Top right menu > Enterprise Settings > Users).
When you remove a user’s access to Matik via Entra, the corresponding user will be set to Inactive in the Matik app. They will no longer be able to access Matik and will not count against any seat limits.
SSO Setup (Google)
Navigate to the SSO section of Enterprise Settings, select "Use Google as an identity provider", and click "Update".
When using Google SSO, users are provisioned through Matik using the email address associated with their Google account. See the Adding Matik Users help article for more information.
SSO Setup (Generic SSO)
If you do not use one of the listed SSO providers, you can connect via our generic SSO connector. To do this:
- Select "Use Generic SSO as an identity provider" in Enterprise Settings
- Then, on your SSO provider side, generate a metadata file (.XML format). (If your SSO provider requires a signed certificate to generate the metadata file, Matik can provide that. Reach out to your Technical Account Manager.)
- Upload the metadata file to Matik