Setup Single Sign-On Service

You can configure MapBusinessOnline to use your organization's identity provider for logging in users. To use this option, the identity provider must support SAML 2.0 or a newer protocol, and your MapBusinessOnline account must have a Team subscription.

In this article we describe how to set up Single Sign-On with Okta, a leading identity service. First you configure Okta, then MapBusinessOnline.

Configure Okta

  1. MapBusinessOnline SSO settings are available in an XML file that you can download from here. Since Okta doesn't support loading SSO metadata from XML, we provide two more links where you can download the MapBusinessOnline encryption and signature certificates.
  1. MapBusinessOnline settings are also available on the MBO Account page, as shown in the picture below.
  1. Log into your Okta organization as a user with administrative privileges.
  1. Press the Admin button on the menu bar (shown in the picture below).
  1. In the right sidebar click the 'Add Applications' item.
  1. Press the 'Create New App' button.
  1. In the 'Create a New Application Integration' dialog select the 'SAML 2.0' option, then press the Create button.
  1. On the first page specify general settings such as the Application name and press the Next button.
  1. Copy the URL you can see below into the 'Single sign on URL' box in Okta settings. Check the 'Use this for Recipient URL and Destination URL' box (this saves you entering the same value into the Recipient and Destination URLs manually).
  1. Enter into the 'Audience URI (SP Entity ID)' box.
  1. Select Persistent as the Name ID format.
  1. MapBusinessOnline supports the following Name ID formats:
    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
    • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  1. If you want to set up assertion encryption, response signing, or single logout, use the 'Show Advanced Settings' link in the Okta UI. Otherwise go straight to step 15 in this article.
  1. By default Response signing is ON. To turn it OFF, select the 'Unsigned' value in the corresponding box. For the signature choose the RSA-SHA256 and SHA256 algorithms. Note that, for better security, some older algorithms are not supported by MBO.
  1. Set up assertion encryption: select 'Encrypted' in the 'Assertion Encryption' box and choose AES256-CBC and RSA-OAEP as the encryption algorithms. Download the MapBusinessOnline Encryption certificate by this link and set it in the 'Encryption Certificate' box.
  1. If you want to set up Logout, check the 'Allow application to initiate Single Logout' box. Edit boxes for 'Single Logout URL', 'SP Issuer' and 'Signature Certificate' become visible.
  1. Copy the URL you can see below into the 'Single Logout URL' box in Okta settings.
  1. Enter into the 'SP Issuer' box.
  1. Download the MapBusinessOnline Signature certificate by this link and set it in the 'Signature Certificate' box.
  1. Add attribute statements to simplify registration of new users in MapBusinessOnline. The following attributes are supported:
    • givenname or firstname
    • lastname
    • streetaddress
    • country or countrycode
    • stateorprovince or state
    • postalcode, zip or zipcode
  1. Here is an example of configured attribute statements:
  1. Phew! SAML has been configured. Click the Next and then Finish buttons.
  1. Now save your application settings, as they are required to configure SSO on the MapBusinessOnline side. You can download the settings by the 'Identity Provider metadata' link or just copy the link itself.
  1. Finally, click Assignments on the menu to assign users or groups to the SSO application.
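The Name ID formats, signature algorithms and attribute names listed in the Okta steps above, checked against a constructed SAML assertion in an added Python example (not MapBusinessOnline or Okta code). The case-insensitive attribute matching and the canonical field names are this example's assumptions, and it only reads declared values; it does not verify the XML signature or decrypt anything.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Name ID formats the article lists as supported by MapBusinessOnline.
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}
# Algorithms the article selects in Okta: RSA-SHA256 signature, SHA256 digest.
EXPECTED_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                 "http://www.w3.org/2001/04/xmlenc#sha256"}
# Attribute names from the article mapped to one field each (case-insensitive matching is an assumption).
ALIASES = {"givenname": "firstname", "firstname": "firstname", "lastname": "lastname",
           "streetaddress": "streetaddress", "country": "country", "countrycode": "country",
           "stateorprovince": "state", "state": "state", "postalcode": "zip", "zip": "zip", "zipcode": "zip"}

def inspect_assertion(xml_text):
    """Report declared NameID/algorithm/attribute values vs. the article; does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    problems = [] if fmt in SUPPORTED_NAMEID_FORMATS else [f"unsupported NameID format: {fmt}"]
    # Every declared signature/digest algorithm; the set is empty if the assertion is unsigned.
    algs = {e.get("Algorithm") for e in root.iter()
            if e.tag in (f"{{{NS['ds']}}}SignatureMethod", f"{{{NS['ds']}}}DigestMethod")}
    if algs != EXPECTED_ALGS:
        problems.append(f"algorithms are not RSA-SHA256/SHA256: {sorted(filter(None, algs))}")
    attrs, ignored = {}, []
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = ALIASES.get(a.get("Name", "").lower())
        value = a.findtext("saml:AttributeValue", default=None, namespaces=NS)
        if key is None:
            ignored.append(a.get("Name"))  # sent by the IdP but not used for MBO registration
        elif value is not None:
            attrs[key] = value
    return {"name_id": getattr(name_id, "text", None), "format": fmt,
            "attributes": attrs, "ignored": ignored, "problems": problems}

# Constructed sample (not a real Okta response); "department" is outside the supported list.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-0001</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Running `inspect_assertion(SAMPLE)` returns no problems; swapping the sample's algorithm for rsa-sha1 or its Name ID format for transient makes the corresponding mismatch appear in `problems`.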

Configure MapBusinessOnline

  1. Once the identity provider has been configured, go to the MapBusinessOnline Account page and select the Single Sign On tab.
  1. The e-mail domain name is copied from the e-mail address you provided upon registration. If you used a public e-mail address such as Gmail, it's time to change your account setting to use a corporate e-mail. You can do this from the 'Account information' tab on the Account page.
  1. The easiest way to configure MBO is to copy the URL pointing to the SSO settings into the 'URL to identity provider's settings' box. See step 17 above, where we copy the URL in Okta.
  1. If you don't have a URL but you have a file with the settings, select the corresponding option and then choose the file.
  1. Check the 'Assertions are encrypted' and 'Requests and responses are signed' boxes to match the configuration on the identity provider side.
  1. Finally press the Configure button.
  1. You are all set. Now your users can go to the Account page and set up the Single Sign On login option to log into MapBusinessOnline with your organization's SSO service.