Single Sign-On Overview

Overview

SSO in Mazévo supports the SAML 2.0 protocol.

SAML passes information about users, logins, and attributes between your identity provider and Mazévo, acting as the service provider. You will need to check and see what system your organization uses as an identity provider and make sure it utilizes SAML 2.0 to work with Mazévo.

With SAML, your users are authenticated by your identity provider. After successful authentication, the identity provider sends an authenticated message about the user to Mazévo (the service provider). This message contains the user's name and email address. If the user information Mazévo receives matches a user Mazévo already has, that user is granted access and logged in. If, on the other hand, no user in Mazévo matches what the identity provider sent, Mazévo automatically creates a new user account with a default set of permissions and logs that person in.

How to Configure SSO

1. Confirm that you have SSO Access for your subscription. Contact your Mazévo Representative if you need to confirm or add SAML SSO to your contract.

2. Contact your Identity Provider administrator and request the SAML Identity Provider Metadata XML file. The XML could be an actual file that you download or a publicly accessible URL.

Identity Provider - This service manages end-user authentication and can send SAML responses to SPs to authenticate end-users. Identity Providers usually connect to a user directory that stores the actual user accounts, such as LDAP, Active Directory, etc.

Common Examples: Google Identity Platform, Azure Active Directory, Active Directory Federation Services (ADFS), Shibboleth, OneLogin, Duo, Auth0, etc.

3. Send the Metadata XML to Mazévo Support: support@gomazevo.com

4. Mazévo Support prepares your subscription for SSO and emails you the Mazévo Service Provider metadata, including your ACS, Issuer, and Login URLs.

5. Configure Mazévo in your identity provider. The service provider metadata includes all of the necessary information.

6. Test the integration with the test domain provided by Mazévo Support. If the test is successful, notify Mazévo Support, who will remove the test domain; all users from your production domain will then begin to authenticate via SSO. If your testing is unsuccessful, Mazévo Support will work with you and your Identity Provider administrator to troubleshoot.

Logging in with SSO

  1. All SSO users go to mymazevo.com.
  2. The user then enters their email address.
  3. Mazévo checks the email address and verifies it belongs to a Mazévo subscription configured for SSO.
  4. The user is redirected to their organization’s SSO identity provider’s sign-in page and enters credentials required by the Identity Provider.
  5. The Identity Provider redirects the user back to Mazévo, where they are granted access after successful authentication.

User Provisioning

If an SSO-authenticated user does not already have an account, Mazévo creates one for them and treats them as a requester with view-only access. A requester with view-only access can only view public events and any previously scheduled events for which they are a contact.

If you would like to grant your users a higher level of access once authenticated for the first time, please contact your Mazévo representative.


Allowing Non-Domain Accounts to Sign In

The system can be configured to allow a mix of users to authenticate. Users with email addresses in the domain are authenticated through SSO, while other users (non-domain email addresses) are authenticated directly with the app. To use this configuration, please contact Mazévo Support.


Using a Preferred Email Address

Mazévo's SSO interface can also use an alias email address, sometimes referred to as a preferred email address. In some situations, the SSO system uses an unfriendly naming or numbering convention to create a unique email address for each user. Some of these systems can be configured to let a user specify an alternate email address for their own use.

If this is configured for your SSO usage, the end user must log in the first time with the SSO primary account identifier. Once the user account has been created in Mazévo, the user can log in using their preferred email address.
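As an added illustration (not Mazévo's own code), the following Python model shows the service-provider side of the login flow, user provisioning and preferred-email behaviour described above: routing by email domain, matching the SAML subject to an existing account or creating one with the default view-only role, and accepting a preferred alias only after the account exists. The assertion, attribute names, domain list and role name are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample SAML 2.0 assertion fragment (not real traffic): the IdP
# asserts a NameID (primary account identifier) plus name and email attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>u123456@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Pat Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>pat.example@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SSO_DOMAINS = {"example.edu"}         # hypothetical: domains routed to the IdP
DEFAULT_ROLE = "requester-view-only"  # default permissions for newly created users


def parse_assertion(xml_text):
    """Return (name_id, display_name, email) from a SAML assertion (assumed already validated)."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", namespaces=NS)}
    return name_id, attrs.get("displayName"), attrs.get("mail")


def login_route(email):
    """Login step 3: in-domain addresses go to SSO, any other address logs in locally."""
    domain = email.rsplit("@", 1)[-1].lower()
    return "sso" if domain in SSO_DOMAINS else "local"


def resolve_user(users, xml_text):
    """Match the asserted subject to an existing account or provision a new one.
    users: dict keyed by primary identifier -> {"name", "email", "role", "alias"}.
    Returns (record, created). An existing account keeps whatever role it already has."""
    name_id, display_name, email = parse_assertion(xml_text)
    if name_id in users:
        return users[name_id], False
    users[name_id] = {"name": display_name, "email": email,
                      "role": DEFAULT_ROLE, "alias": None}
    return users[name_id], True


def find_by_login_email(users, typed_email):
    """Look up the account by primary identifier, or by a preferred (alias) address
    attached after the account was created; unknown addresses return None."""
    wanted = typed_email.lower()
    for uid, rec in users.items():
        if wanted in {uid.lower(), (rec.get("alias") or "").lower()}:
            return uid
    return None
```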