Single Sign-On (SSO) lets your employees sign in to the Mapiq application with their company credentials. Integrating Mapiq with your Identity and Access Management solution (IAM solution) means your employees have no additional login credentials to manage and no separate sign-in for an additional application. At the same time, your IT department can manage the security aspects of your employees' sign-in and access to the Mapiq application. Additionally, when using SSO, user information can be synchronized with Mapiq from your IAM solution to empower certain Mapiq features.
Supported SSO features
Mapiq currently supports the following features with SSO:
SSO via SAML 2.0
SSO via OIDC
Service Provider Initiated (SP-Initiated) SSO
Just-In-Time (JIT) Provisioning
User attributes
When using SSO you can map the user attributes from your IAM solution to the user attributes expected in Mapiq. The Mapiq application defines two sets of user attributes: the standard and the extended attribute set. The standard attribute set contains the user attributes that are always required to be present for the application to function as expected. The extended attribute set defines the optional attributes that can be provided to unlock additional functionality. The availability of these user attributes in your IAM solution and the mapping to user attributes in Mapiq will depend on your organizational structure.
User attribute | Description | Attribute set | OIDC Claim | SAML Attribute |
First name | The user’s first name. | Standard | given_name | givenname |
Last name | The user’s last or family name. | Standard | family_name | surname |
Display Name | The user’s full name. | Standard | name | displayname |
Email | The user’s email address. | Standard | address | emailaddress |
Job Title | The user’s job title (e.g. ‘senior manager’, or ‘trainee’). | Extended | job_title | jobtitle |
Department | The department the user is a part of (e.g. ‘finance’ or ‘IT support’). | Extended | department | department |
Business Unit | The business unit the user is part of (e.g. ‘company logistics’). | Extended | business_unit | businessunit |
Office | The office where the user is based (e.g. ‘Amsterdam’ or ‘London’). | Extended | office | office |
Country | The country in which the user is based (e.g. ‘NL’ or ‘The Netherlands’). | Extended | country | country |
externalId (API only) | An identifier, unique to the user that can be leveraged in other platforms (e.g. an employee number). | Extended | external_id | externalid |
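A pre-rollout check built from the SAML Attribute column of the table above, as an added example that is not Mapiq's own code: it reports which standard attributes an IdP's AttributeStatement fails to release, which extended ones arrive, and which released attributes the table does not use. The sample statement, the `idp.example` names and matching URI-style names on their last path segment are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML attribute names from the table above, split by attribute set.
STANDARD = {"givenname", "surname", "displayname", "emailaddress"}
EXTENDED = {"jobtitle", "department", "businessunit", "office", "country", "externalid"}

# Constructed sample: an AttributeStatement as an IdP might release it.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://idp.example/claims/givenname">
    <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://idp.example/claims/surname">
    <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="emailaddress">
    <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department">
    <saml:AttributeValue>IT support</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="office"><saml:AttributeValue/></saml:Attribute>
  <saml:Attribute Name="homephone">
    <saml:AttributeValue>+31 20 555 0100</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""

def short_name(name):
    # Assumption: URI-style names are matched on their last path segment.
    return name.rstrip("/").rsplit("/", 1)[-1].lower()

def audit_attributes(statement_xml):
    root = ET.fromstring(statement_xml.strip())
    released = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        released[short_name(attr.get("Name", ""))] = [v for v in values if v]
    present = {n for n, vals in released.items() if vals}
    return {
        "missing_standard": sorted(STANDARD - present),   # required for the app to function
        "extended_present": sorted(EXTENDED & present),   # unlock optional features
        "empty_values": sorted(n for n, vals in released.items() if not vals),
        "not_in_table": sorted(set(released) - STANDARD - EXTENDED),  # candidates to stop releasing
    }

if __name__ == "__main__":
    for key, names in audit_attributes(SAMPLE_STATEMENT).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The check inspects released attributes only; it does not validate the assertion's signature or conditions.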
Leveraging user attributes within Mapiq
As noted in the introduction, making use of SSO can empower certain Mapiq features. It does so through the user attributes shared with Mapiq; to be more precise, through the Extended attributes.
People overview
All additional claims are shown on the People tab. Administrators of the Mapiq environment can filter on these attributes, which is ideal for bulk updates or quick searches.
Access profiles
Access profiles are divided into Quota and Location profiles. For the Workplace Quota and Location profile, a user can be auto-assigned based on the given user attributes. Whenever the user attributes change in the user's IAM solution, the change is also reflected in the user's profile. To understand how auto-assignment works, see our Automatic User Assignment article.
API integration
Customers can retrieve data presented on Mapiq's Public API and build custom API integrations. All the attributes presented to Mapiq are reflected on the Public API; combined with the additional data available there, you can build your own integration. The user attribute external_id exists to identify a user in a different platform. For more information on using Mapiq's Public API, see https://developer.mapiq.com.
Configuring SSO
The configuration steps for setting up SSO with Mapiq depend on your IAM solution. For some IAM solutions, Mapiq provides a managed integration, allowing for easy installation and setup. For all others, general instructions are available for setting up SSO with the supported protocols.
Azure AD
When using Azure AD, Mapiq is available as an application to be installed from the Azure AD app gallery for both OIDC and SAML. See the specific configuration steps in the Configure Azure AD - OIDC and Configure Azure AD - SAML documentation.
Okta
When using Okta, Mapiq is available as an application to be installed from the Okta Integration Network for both OIDC and SAML. See the specific configuration steps in the Configure Okta - OIDC and Configure Okta - SAML documentation.
SURFconext
When using SURFconext, Mapiq is available as a service using OIDC for sign-in. Please contact Mapiq support or your Mapiq contact person for configuration details using SURFconext.
Other
If your IAM solution was not listed above, it is still possible to use single sign-on with Mapiq. Please refer to the Configure Generic - OIDC and Configure Generic - SAML documentation for instructions on configuring SSO with any other IAM solution.