Single Sign-On: Okta (SAML)
Moesif provides a single sign-on integration with Okta.
Benefits of SSO
- Improve security and regulatory compliance
- Reduce IT costs through auto-provision and de-provisioning
- Enforce policies like Multi-Factor Authentication (MFA), Password Reset, etc
- Improve usability for employees
How SSO works
Moesif supports both identity-provider (IdP) initiated and service-provider (SP) initiated single sign-on. When IdP initiated, a user logs in through your IdP’s app directory. When SP initiated, a user logs in by entering their employee email on Moesif’s website. Because their email domain has SSO enabled, they will be redirected to your organization’s single sign-on page. Once enabled, team management and role-based access control (RBAC) is handled by your identity provider rather than within the Moesif application.
Home Realm Discovery
Moesif’s SSO implementation supports Home Realm Discovery. This means SSO is enforced for your entire company domain even if a new employee is not yet added to your Moesif organization. This ensures employees cannot bypass SSO such as by entering a username/password. It also reduces your IT burden as employees never have to decide on what type of login they should use as redirect is automatic as soon as they enter their email.
Enterprise Single Sign-On is available only on enterprise plans
How to setup Okta with Moesif
Prerequisites
In order to set up SSO with Okta:
- You must be able to configure your Okta account
- You must be on a Moesif enterprise plan
- Okta also has a guide available here
This guide is for SAML-based SSO. However, we recommend OIDC for ease of use for newer installations.
1. Go to Applications within the Okta admin dashboard
Click the Add Application button
2. Search for Moesif and click Add
3. Select the Sign On tab and then select the Edit button
In the red box marked above box, enter your Moesif Okta company domain, which is your Okta domain with any .
replaced with -
For example if you log into Okta at myorgname.okta.com
, you should enter myorgname-okta-com
into the corresponding field.
If you’re unsure, email your Moesif technical account manager or support@moesif.com
4. Select View Setup Instructions in the yellow box.
This will open up Okta’s set up instructions. Under step 2 Save, then attach the following Metadata file to your request, copy the the metadata URL. Email the URL to your Moesif account manager who will finish setting up SSO.
https://myorgname.okta.com/app/XXXXXXXXXXX/sso/saml/metadata
5. Add role field
While optional, to manage role-based access control for Moesif within your identity provider, you need to add a field role to the Moesif appuser.
Within the Okta admin portal, go to Directory -> Profile Editor, and select the Edit Profile button next to the newly created Moesif application.
Click on Add Attribute on the left side and add a field role as shown in below screenshot.
Checkbox Define enumerated list of values and add the three predefined roles supported by Moesif:
admin
member
read-only
dashboard-viewer
If your Moesif subscription has any custom roles, you can also add their names to this list.
After SSO activated
Once SSO is enabled:
- Team members will no longer be able to log in with a password or social account.
- Password reset and MFA controls are disabled.
- Administrators will no longer be able to add/remove team members within Moesif.
- Role-based access control is synced from your identity provider and cannot be changed within Moesif.
- User licenses are added as new users are provisioned. Contact us to change this behavior.
What is experience like:
- Team members can log in via their IdP or from Moesif’s website.
- If team member logs in from the website, they will automatically be redirected to a special log in page.
Any employee logging in with your company’s domain will automatically be redirected to the single sign-on page where they can click log in. All team management and role-based access control actions is done through your identity provider. Moesif automatically syncs user accounts.
Disabling SSO
An organization can disable SSO at any time by contacting their technical account manager. Once disabled, existing team members who already had an account prior to SSO can log in with their password. New users who were provisioned through SSO can reset their password to log in.