How does the SAML integration work in Motivosity?
Motivosity is able to integrate with any SAML Identity Provider (IdP) vendor. This article will walk you through how to get the SAML integration configured within Motivosity after you have received your XML Metadata from your IdP.
DISCLAIMER: If the integration is not behaving as expected after the initial setup, double-check the points below. These are the three steps we most often see configured incorrectly.
Production metadata - do not use staging or sandbox metadata.
Signed metadata - all metadata and assertions should be signed, both at the start of the flow and at the endpoints.
This integration is meant to redirect to your login page - we don't pass any information to a backend system. We simply redirect users to your login page, and you send the signed assertion back to us containing the unique identifier of the person being authenticated (i.e. their email).
How to configure the SAML integration with Motivosity:
To get started setting up your SAML integration in Motivosity, please follow the steps below:
First, select 'Setup' in your menu bar at the top of the screen.
Click 'Integrations' on the left-hand side or down near the bottom of the page.
From here, select the 'SAML' tile.
A modal will appear displaying information about Single Sign-On. Please click 'Activate'.
Once you've clicked 'Activate', you'll be taken to the integrations page for SAML. Here you can enter your Company Domain and SAML Metadata. Once finished, click 'Save'.
Once saved, you'll see this information within Enabled Applications.
Auto-login rules
You now have a custom domain like company-name.motivosity.com, and email notifications will point to this domain. When your users go to company-name.motivosity.com, they will be logged into Motivosity automatically using your SSO configuration.
If you are somewhere the SSO identity provider is not reachable, you can always go to 'app.motivosity.com' to log in the old way.
Troubleshooting
If you are being redirected to your login portal when you go to company-name.motivosity.com, but are not being logged in when you enter your credentials, there are a couple of things to look at.
If your environment is paused, only administrators will be allowed to log in. Make sure you have admin access if you want to test this while paused.
We require a signed assertion - the alternative would be to leave an open door, which is not secure. Look at your XML metadata: if you don't see something like the following, you'll need to obtain the correct metadata:
<KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                [long string of random letters and numbers here]
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>
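The following script is an added example, not Motivosity's own code, that checks the two metadata problems this article calls out (in the DISCLAIMER list and in the troubleshooting section above) before you paste the metadata into the SAML tile: that the IdP metadata carries a signing certificate in a KeyDescriptor, and that it is production metadata rather than staging or sandbox metadata. It uses only Python's standard library. The two sample metadata documents and the certificate body are constructed for this example; the staging/sandbox check is a heuristic that looks at the entityID and SingleSignOnService URLs, so a real production IdP with "staging" in its hostname would be flagged for a manual look rather than rejected.

```python
"""Sanity-check SAML IdP metadata before configuring it in Motivosity.

Added example; not Motivosity's code. Checks that the metadata carries a
certificate usable for signing (KeyDescriptor use="signing", or no use
attribute, which the SAML metadata spec treats as usable for both signing
and encryption) and flags staging/sandbox-looking URLs.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Heuristic markers taken from the article's "do not use staging or sandbox metadata".
NON_PRODUCTION_MARKERS = ("staging", "sandbox")


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 body of every certificate usable for signing."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, "signing"):
            continue  # an encryption-only key cannot validate assertions
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            body = "".join((cert.text or "").split())  # drop line breaks/indent
            if body:
                certs.append(body)
    return certs


def check_metadata(metadata_xml: str) -> dict:
    """Return findings about signing certificates and non-production hints."""
    root = ET.fromstring(metadata_xml)
    certs = signing_certificates(metadata_xml)
    findings = {
        "signing_cert_present": bool(certs),
        "certificate_decodes": False,
        "non_production_hints": [],
    }
    if certs:
        try:
            # A real certificate is DER wrapped in base64; a placeholder such as
            # "[long string ... here]" or a mangled paste fails to decode.
            base64.b64decode(certs[0], validate=True)
            findings["certificate_decodes"] = True
        except (binascii.Error, ValueError):
            findings["certificate_decodes"] = False
    urls = [root.get("entityID") or ""]
    urls += [e.get("Location") or ""
             for e in root.iter("{%s}SingleSignOnService" % NS["md"])]
    for url in urls:
        for marker in NON_PRODUCTION_MARKERS:
            if marker in url.lower():
                findings["non_production_hints"].append("%r in %s" % (marker, url))
    return findings


# Constructed sample data (not a real certificate, not a real IdP).
FAKE_CERT = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()

SAMPLE_PRODUCTION = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"], FAKE_CERT)

# Staging endpoint and only an encryption key: both problems the article warns about.
SAMPLE_STAGING = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp-staging.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-staging.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"], FAKE_CERT)

if __name__ == "__main__":
    for label, doc in (("production", SAMPLE_PRODUCTION), ("staging", SAMPLE_STAGING)):
        print(label, check_metadata(doc))
```

Run it against the metadata file your IdP gave you by reading the file into a string and calling check_metadata on it; a result with signing_cert_present False, or with any non_production_hints, points at the two most common causes of the "redirected but never logged in" symptom described in the Troubleshooting section.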