Single Sign-On Overview

Mazévo natively supports single sign-on (SSO) to any system that supports the SAML 2.0 protocol. SSO needs to be enabled for your account by Mazévo support.

Overview

SSO in Mazévo supports the SAML 2.0 protocol.

SAML passes information about users, logins, and attributes between your identity provider and Mazévo, which acts as the service provider. You will therefore need to check which system your organization uses as an identity provider and make sure it supports SAML 2.0 so that it can work with Mazévo.

With SAML, your users are authenticated by your identity provider. After successful authentication, the identity provider sends an authenticated message about the user to Mazévo (the service provider). This message includes information about the user, including the user's name and email address. If the user information Mazévo receives matches a user Mazévo already has, that user is granted access and logged in. If, on the other hand, no user in Mazévo matches what the identity provider sent, Mazévo automatically creates a new user account with a default set of permissions and logs that person in.

How to Configure SSO

1. Confirm that you have SSO Access for your subscription. Contact your Mazévo Representative if you need to confirm or add SAML SSO to your contract.

2. Contact your Identity Provider administrator and request the SAML Identity Provider Metadata XML file. The XML could be a file you download or a publicly accessible URL.

Identity Provider - This service manages end-user authentication and can send SAML responses to SPs to authenticate end-users. Identity Providers usually connect to a user directory that stores the actual user accounts, such as LDAP or Active Directory.

Common Examples: Google Identity Platform, Azure Active Directory, Active Directory Federation Services (ADFS), Shibboleth, OneLogin, Duo, Auth0.

3. Send the Metadata XML to Mazévo Support: support@gomazevo.com

4. Mazévo Support prepares your subscription for SSO and emails you the Mazévo Service Provider metadata, including your ACS, Issuer, and Login URLs.

5. Configure Mazévo in your identity provider. The service provider metadata includes all of the necessary information.

6. Test the integration with the test domain provided by Mazévo Support. If the test is successful, notify Mazévo Support, who will remove the test domain; all users from your production domain will then begin to authenticate via SSO. If your testing is unsuccessful, Mazévo Support will work with you and your Identity Provider administrator to troubleshoot.

Logging in with SSO

  1. All SSO users go to mymazevo.com.
  2. The user then enters their email address.
  3. Mazévo checks the email address and verifies it belongs to a Mazévo subscription configured for SSO.
  4. The user is redirected to their organization's SSO identity provider's sign-in page and enters the credentials required by the Identity Provider.
  5. The Identity Provider redirects the user back to Mazévo, where they are granted access after successful authentication.

User Provisioning

If an SSO-authenticated user does not already have an account established, Mazévo creates an account for them and treats them as a requester with view-only access. A requester with view-only access will only view public events and any previously scheduled events for which they are a contact.

If you would like to grant your users a higher level of access once authenticated for the first time, don't hesitate to get in touch with your Mazévo representative.

Allowing Non-Domain Accounts to Sign In

The system can be configured to allow a mix of users to authenticate. For example, users with email addresses in your domain are authenticated through SSO, while other users (with non-domain email addresses) are authenticated directly with the app. To use this configuration, please get in touch with Mazévo Support.

Using a Preferred Email Address

Mazévo's SSO interface can also use an alias email address, sometimes referred to as a preferred email address. In some situations, the identity provider uses a non-friendly naming or numbering convention to create a unique email address for the user. In addition, some systems are configured to allow a user to specify an alternate email address that the user can use.

Turning on SSO after initial implementation

If a tenant has active users before turning on SSO, those users likely have a primary email address that is not the EID address tied to their Mazévo account. When SSO is activated in this situation, and the identity provider is configured to pass an alias email to Mazévo, then on the user's first login after SSO is on, Mazévo will attempt to locate the user's record using the alias email. If the account is found, Mazévo will update the user's primary email to the EID address and will also update the user's alias email address.

If the alias email is not located, Mazévo assumes this is a new user; therefore, a new account will be created using the EID address. The permissions on the new account are based upon the configuration of the Security Policies and SSO settings.

If a user's alias email is updated in the IDP, that change will update the alias email on the user's account.
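The matching rules described in this section, together with the default permissions from User Provisioning, modelled in Python as an added illustration. This is not Mazévo's code; the User fields, the role label and the action names are assumptions, and the addresses are assumed to come from a SAML assertion whose signature has already been verified.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_ROLE = "requester_view_only"  # hypothetical label for the default permission set


@dataclass
class User:
    primary_email: str          # address the account is keyed on
    alias_email: Optional[str]  # preferred/alias address the IdP may send
    role: str


def _norm(addr: str) -> str:
    # Email matching is case-insensitive; compare a normalised form.
    return addr.strip().lower()


def resolve_sso_user(users, eid_email, alias_email=None):
    """Locate or create the account for an SSO-authenticated user.

    Both addresses are assumed to come from a signature-verified SAML
    assertion. Returns (user, action) with action one of
    "matched_primary", "matched_alias" or "created".
    """
    eid = _norm(eid_email)
    alias = _norm(alias_email) if alias_email else None

    # 1. The EID address is already the account's primary address.
    for u in users:
        if _norm(u.primary_email) == eid:
            if alias:
                u.alias_email = alias  # an alias changed at the IdP propagates
            return u, "matched_primary"

    # 2. Pre-SSO account found via the alias: promote the EID to primary
    #    and record the alias on the account.
    if alias:
        for u in users:
            known = [u.primary_email] + ([u.alias_email] if u.alias_email else [])
            if alias in (_norm(a) for a in known):
                u.primary_email, u.alias_email = eid, alias
                return u, "matched_alias"

    # 3. Unknown user: just-in-time provisioning with default permissions.
    new_user = User(primary_email=eid, alias_email=alias, role=DEFAULT_ROLE)
    users.append(new_user)
    return new_user, "created"
```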