Mapiq

Permissions in your IAM solution to setup and configure SSO connections to third-party application.

___________________________________________________________

The Generic Mapiq SSO integration for OIDC currently supports the following features:

- SP-Initiated SSO
- JIT (Just-In-Time) Provisioning

Setup the SSO connection for OIDC in your IAM solution with the information provided in the <a href="#h_f1db76e638">OIDC configuration</a> section below. &lt;TODO: test environment yes/no&gt;

Ensure that the required claims for Mapiq are correctly configured as described in the <a href="#h_9421518d74">Claims</a> section.

Configure any desired optional claims as described in the <a href="#h_9421518d74">Claims</a> section.

Locate the <code>.well-known/openid-configuration</code> url of the SSO application, the client id and client secret.

Contact Mapiq support or your Mapiq contact person and request that they enable SSO with OIDC and provide the previously collected configuration url, your client id, client secret, your IAM solution and email domains used by your users.

Completed! Your users can now sign in to Mapiq using SSO. Additionally, you can start assigning users to the application.

1. Setup the SSO connection for OIDC in your IAM solution with the information provided in the <a href="#h_f1db76e638">OIDC configuration</a> section below. &lt;TODO: test environment yes/no&gt;
2. Ensure that the required claims for Mapiq are correctly configured as described in the <a href="#h_9421518d74">Claims</a> section.
3. Configure any desired optional claims as described in the <a href="#h_9421518d74">Claims</a> section.
4. Locate the <code>.well-known/openid-configuration</code> url of the SSO application, the client id and client secret.
5. Contact Mapiq support or your Mapiq contact person and request that they enable SSO with OIDC and provide the previously collected configuration url, your client id, client secret, your IAM solution and email domains used by your users.
6. Completed! Your users can now sign in to Mapiq using SSO. Additionally, you can start assigning users to the application.

Mapiq requires the following standard OIDC scopes: <code>openid</code>, <code>profile</code>, and <code>email</code>.

- Mapiq requires the following standard OIDC scopes: <code>openid</code>, <code>profile</code>, and <code>email</code>.

The following table provides the configuration details for setting up OIDC for our production and testing environment.

Mapiq expects the following claims to be present in the token:

Additionally, there are optional claims that can be provided to Mapiq for additional functionality. You are free to map them to user properties as applicable in your organization and these claims should be returned under the <code>openid</code>, <code>profile</code>, and <code>email</code> scopes. The optional available claims are:

For help on configuring these scopes and claim, please refer to the documentation of your IAM solution and, if required, reach out to their support:

Okta: <a href="https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/" rel="nofollow noopener noreferrer" target="_blank">https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/</a>

Auth0: <a href="https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token" rel="nofollow noopener noreferrer" target="_blank">https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token</a>

- Okta: <a href="https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/" rel="nofollow noopener noreferrer" target="_blank">https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/</a>
 
- Auth0: <a href="https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token" rel="nofollow noopener noreferrer" target="_blank">https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token</a>

Go to <a href="https://app.mapiq.com" rel="nofollow noopener noreferrer" target="_blank">https://app.mapiq.com</a>

1. Go to <a href="https://app.mapiq.com" rel="nofollow noopener noreferrer" target="_blank">https://app.mapiq.com</a>
2. Click Sign in
3. Provide your company email address
4. Sign in with your company credentials

Mapiq doesn’t provide a backup sign-in URL in case of a misconfiguration of the SSO integration. Please contact Mapiq Support if you lock yourself out.

	Production	Sandbox
Redirect url	https://mapiqprod.b2clogin.com/mapiqprod.onmicrosoft.com/oauth2/authresp	TBD

Claim	Description
given_name	The user’s first name.
family_name	The user’s last or family name.
name	The user’s full name.
email	The user’s email address.

Claim	Description
job_title	The user’s job title (e.g. ‘senior manager’, or ‘trainee’).
department	The department the user is a part of (e.g. ‘finance’ or ‘IT support’).
business_unit	The business unit the user is part of (e.g. ‘company logistics’).
office	The office where the user is based (e.g. ‘Amsterdam’ or ‘London’).
country	The country in which the user is based (e.g. ‘NL’ or ‘The Netherlands’).
external_id	An identifier, unique to the user, that can be leveraged in other platforms (e.g. an employee number).

Requirements

Supported Features

Configuration Steps

OIDC configuration

Claims

SP-Initiated SSO

Troubleshoot

Notes