SAML Single Sign-On (SSO)

SSO, or Single Sign-On, allows individuals to use a single set of identifying credentials to sign up and sign on to a variety of different websites and SaaS (Software as a Service) platforms.

Most people know SSO from the option to sign up with a third-party app, which lets you use an existing account to sign up for and log in to many websites, including Moqups.

Single Sign-On with SAML goes a step further and allows the employees of an organization to use a single set of credentials to log on to a variety of websites and apps they may need for their work.

SAML (Security Assertion Markup Language) is the open standard that lets identity providers (IDPs) like OneLogin, Okta, Microsoft Azure AD or Google pass signed authentication assertions about a user to service providers (SPs) like Moqups. If your IDP isn’t on that list, you can configure a Custom SAML single sign-on connection instead.

Once SAML is enabled for your Moqups account, users sign in by entering their email address at the SAML login page. Moqups hands authentication off to your IDP, which verifies the user and returns a signed assertion to Moqups; the user is then logged in and can begin using the app.

You can also set up automatic provisioning with SCIM (System for Cross-domain Identity Management). SCIM lets IT departments manage Moqups user accounts from the IDP, so that users are created, updated and deactivated automatically. To set up SCIM you will need to generate an API token in Moqups and add it to your IDP. You’ll find instructions for each of our supported IDPs below.

Who Can Use This Feature?

All Moqups Team and Unlimited accounts can enable SSO by configuring SAML with their IDP.

To set up a SAML integration, you’ll need Admin privileges for both Moqups and your chosen IDP.

Moqups Admins can also require their team members to log in with an SSO option, either via a third-party app or one of the SAML providers listed below.

SCIM automatic provisioning can also be set up for Moqups using any of these IDPs.

OneLogin SAML

Please follow these steps to configure OneLogin SAML for your Moqups account:

  1. Once signed into OneLogin, open the Moqups app and select its SSO tab.

    [Screenshot: OneLogin SSO tab]

  2. Copy the Issuer URL. This is the URL of OneLogin’s identity provider metadata, which contains the SSO endpoint and signing certificate Moqups needs.

    [Screenshot: OneLogin Issuer URL (identity provider metadata) field]

  3. Log in to Moqups and go to the Integration tab on your Dashboard’s Account page.

  4. In the SAML Authentication section of your Integration tab, paste the identity provider metadata URL copied in Step 2 and click the Configure button.

    [Screenshot: SAML Authentication section with the Configure button]

  5. Your configuration is now complete.

Okta SAML

Please follow these steps to configure Okta SAML for your Moqups account:

  1. Once signed into Okta, open the Moqups app and select its Sign On tab.

    [Screenshot: Okta Sign On tab]

  2. Click the Identity Provider metadata link. The metadata XML opens in a new tab.

    [Screenshot: Okta Identity Provider metadata link]

  3. Copy the URL from the address bar of the tab opened in Step 2. This is the identity provider metadata URL.

    [Screenshot: copying the metadata URL from the address bar]

  4. Log in to Moqups and go to the Integration tab on your Dashboard’s Account page.

  5. In the SAML Authentication section of your Integration tab, paste the identity provider metadata URL copied in Step 3 and click the Configure button.

    [Screenshot: SAML Authentication section with the Configure button]

  6. Your configuration is now complete.

Microsoft Azure AD SAML

This section provides an overview and the steps required to configure SAML authentication for Moqups and Microsoft Azure AD.

Contents

  • Supported Features
  • Requirements
  • Step-by-Step Configuration Instructions

Supported Features

The Microsoft Azure/Moqups SAML integration currently supports the following features:

  • SP-initiated SSO
  • IDP-initiated SSO
  • JIT (Just In Time) Provisioning

Requirements

SAML authentication is available to Moqups customers on our Unlimited Plan.

Step-­by-­Step Configuration Instructions

Within Azure AD, you’ll need to add Moqups from the gallery to your list of managed SaaS apps. Then, within the Moqups app, you’ll need to add Azure’s metadata URL to your Dashboard.

Please follow these steps:

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory, then Enterprise applications.

  3. To add a new application, select + New application:

    [Screenshot: Azure New application button]

  4. In the Add from the gallery section, type Moqups in the search box.

  5. Select the Moqups app from the results panel.

    [Screenshot: Moqups in the Azure app gallery]

  6. You should be redirected to the Moqups app within Azure (if not, go to Azure Active Directory > Enterprise applications > All applications > Moqups).

  7. Go to Single sign-on:

    [Screenshot: Azure Single sign-on menu entry]

  8. On the Select a single sign-on method page, select SAML:

    [Screenshot: selecting SAML as the single sign-on method]

  9. On the Set up single sign-on with SAML page, click the edit (pencil) icon next to Basic SAML Configuration to edit the settings:

    [Screenshot: editing the Basic SAML Configuration]

  10. In the SAML Signing Certificate section, copy the App Federation Metadata URL:

    [Screenshot: copying the App Federation Metadata URL]

  11. Log in to Moqups.

  12. Go to https://my.moqups.com/dashboard/account/integrations

  13. In the SAML Authentication section, paste the App Federation Metadata URL copied in Step 10.

  14. Click the Configure button.

    [Screenshot: SAML Authentication section with the Configure button]

  15. Your configuration is now complete.

Custom SAML

If your preferred identity provider doesn’t offer the ability to connect with Moqups, you can use the following information to set up a custom SAML connection.

Requirements

SAML authentication is available to Moqups customers on our Unlimited Plan.

Parameters to Configure

Use the following parameters to configure your custom SAML connection:

Assertion Consumer Service URL (ACS URL)

  • The ACS URL to use is: https://api.moqups.com/saml/v2/acs

EntityID

  • moqups.saml2.sp.eid.gkoAgEAAoICA

SAML Logout Endpoint

  • Moqups does not support SAML Single Logout (SLO) or session durations configured in your IDP. Logging a user out at the IDP, or expiring their IDP session, does not end an existing Moqups session.

Considerations to Keep in Mind

  • Moqups supports the HTTP-Redirect and HTTP-POST bindings. The IDP metadata you give Moqups must advertise an HTTP-POST binding, since that is how the signed response is delivered to the ACS URL.
  • Your IDP must ensure a user is both authenticated and authorized for Moqups before sending an assertion. If a user isn’t authorized, no assertion should be sent at all; we recommend that your identity provider redirects such users to an HTTP 403 page or something similar.

Settings to Include

NameID (Required)

  • The SAML NameID must use the email address format, and its value must be the user’s email address (the one they enter at the Moqups SAML login). Keep the value on a single line: whitespace inside the element is part of the NameID.

    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@yourdomain.com</saml:NameID>


First Name Attribute (Optional)

    <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      Name="FirstName">
        <saml:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">FIRST NAME</saml:AttributeValue>
    </saml:Attribute>

Last Name Attribute (Optional)

    <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      Name="LastName">
        <saml:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">LAST NAME</saml:AttributeValue>
    </saml:Attribute>

Certificates

  • Public Certificate

    • Moqups requires the SAML Response to be signed.
    • Your IDP’s metadata needs to include the valid X.509 (PEM) certificate that signs the response, so Moqups can verify it. This is the IDP’s SAML signing certificate, not your website’s SSL/TLS certificate. Rotating the IDP’s signing certificate changes this value, so re-check the integration after a rotation.
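The Custom SAML parameters above (ACS URL, EntityID, HTTP-POST binding, signed Response, emailAddress NameID, optional FirstName/LastName attributes) as a runnable pre-flight check, added here as an example and not Moqups code. It parses the kind of identity provider metadata that the OneLogin, Okta and Azure steps hand to Moqups by URL, builds the SP-initiated AuthnRequest over HTTP-Redirect that such a login starts with, and checks an IDP Response against the page’s requirements. The IDP metadata, its certificate and the Response are constructed test data for a hypothetical idp.example.com; only the ACS URL and EntityID are Moqups’ published values. The check is structural: it confirms the Response references the signing certificate the metadata advertises but does not verify the XML signature itself, which needs an xmlsec-backed SAML library.

```python
# Added example, not Moqups code. Only MOQUPS_ACS_URL and MOQUPS_ENTITY_ID come
# from the page; the metadata, certificate and Response below are constructed.
# Stdlib only: in production parse untrusted XML with defusedxml and verify the
# XML signature with an xmlsec-based library. This script only checks that the
# Response references the signing certificate the IDP metadata advertises.
import base64, re, urllib.parse, uuid, zlib
import xml.etree.ElementTree as ET

MOQUPS_ACS_URL = "https://api.moqups.com/saml/v2/acs"   # from the page
MOQUPS_ENTITY_ID = "moqups.saml2.sp.eid.gkoAgEAAoICA"    # from the page
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTR_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FAKE_CERT = base64.b64encode(b"constructed-idp-signing-cert").decode()  # stand-in, not a real X.509 blob

# Constructed metadata for a hypothetical IDP at idp.example.com.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{BINDING_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response as that IDP would POST it to the ACS URL; the Signature
# element is a placeholder carrying only the certificate reference.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" Destination="{MOQUPS_ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">alice@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{MOQUPS_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName" NameFormat="{ATTR_BASIC}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName" NameFormat="{ATTR_BASIC}"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_idp_metadata(xml_text):
    """What the SP needs from IDP metadata: entityID, SSO endpoint per binding, signing certs."""
    root = ET.fromstring(xml_text)
    sso = {e.get("Binding"): e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)}
    certs = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":   # a KeyDescriptor without 'use' serves both purposes
            certs.update(re.sub(r"\s+", "", c.text or "") for c in kd.findall(".//ds:X509Certificate", NS))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}

def check_metadata(md):
    errors = []                                       # the two things this page asks of the IDP metadata
    if BINDING_POST not in md["sso"]:
        errors.append("no HTTP-POST SingleSignOnService binding in IDP metadata")
    if not md["signing_certs"]:
        errors.append("no signing certificate in IDP metadata")
    return errors

def build_redirect_authn_request(idp_redirect_url):
    """SP-initiated login: AuthnRequest over HTTP-Redirect (raw DEFLATE, base64, URL-encode)."""
    req = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" ProtocolBinding="{BINDING_POST}" '
           f'AssertionConsumerServiceURL="{MOQUPS_ACS_URL}">'
           f'<saml:Issuer>{MOQUPS_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    raw = zlib.compress(req.encode())[2:-4]          # drop the zlib header and adler32 trailer
    return idp_redirect_url + "?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_request(url):
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)   # inverse of the above
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()

def check_response(xml_text, md):
    """Compare an IDP Response with the page's requirements; errors block login, warnings do not."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    sig = root.find("ds:Signature", NS)              # the page requires the Response itself to be signed
    if sig is None:
        errors.append("Response is not signed")
    elif re.sub(r"\s+", "", sig.findtext(".//ds:X509Certificate", "", NS)) not in md["signing_certs"]:
        errors.append("Response signed with a certificate not in the IDP metadata")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        errors.append("NameID missing or Format is not emailAddress")
    elif not re.fullmatch(r"[^\s@]+@[^\s@]+", name_id.text or ""):
        errors.append("NameID value is not a bare email address (check for surrounding whitespace)")
    if MOQUPS_ENTITY_ID not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        errors.append("Audience does not include the Moqups EntityID")
    sent = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    warnings += [f"optional attribute {n} not sent" for n in ("FirstName", "LastName") if n not in sent]
    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    md = parse_idp_metadata(IDP_METADATA)
    print("metadata:", check_metadata(md) or "ok")
    print("AuthnRequest:", decode_redirect_request(build_redirect_authn_request(md["sso"][BINDING_REDIRECT])))
    print("response:", check_response(SAML_RESPONSE, md))
```

Point parse_idp_metadata at the XML your own IDP publishes and check_response at a Response captured from the browser (the SAMLResponse form field, base64-decoded) to see whether it matches what this page asks for before you click Configure. A NameID wrapped in whitespace, as in a pretty-printed template, is reported as an error on purpose: the element text is the identifier.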

Log in to Moqups with SAML/SSO

Once the SAML integration has been configured, your users can use SSO to log in to Moqups:

  1. Go to https://my.moqups.com/saml-login
  2. Enter your email address
  3. Click Log in

[Screenshot: the Moqups Log in with SAML/SSO page]

Enforce SSO authentication

To provide an additional layer of security, Moqups admins (team owners) can require all their team members to use an SSO option, either via a third-party app or one of the SAML providers above.

Enabling the Enforce SSO Authentication option disables password-only login for all team members.

To disable password-only login for your team, your own Admin account must first be using an SSO provider: OneLogin SAML, Okta SAML, Azure SAML, Google SAML, or a third-party app.

To enforce SSO authentication for your team:

  1. Go to the Accounts window of your Dashboard
  2. Click on the Security tab
  3. In the Enforce SSO Authentication section, set the Enforce SSO Authentication for your team toggle to the ON position.
  4. Confirm your choice by pressing the Continue button in the pop-up.

[Screenshot: the Enforce SSO Authentication toggle on the Security tab]