Configuring SSO with Motivosity


DISCLAIMER:

If the integration is not behaving as expected after the initial setup, double-check the points below. These are the three steps we most often see configured incorrectly.


1. Production metadata - use your identity provider's production metadata, not staging or sandbox metadata.

2. Signed metadata - all metadata and assertions must be signed at both ends of the exchange.

3. This integration only redirects to your login page - we don't pass any information to a backend system. We redirect the user to your login page, and you send back a signed assertion containing the unique identifier of the person being authenticated (i.e. their email).



Enabling SSO with Motivosity lets your users be logged in automatically when they come to the Motivosity page. It's easy. This document shows the setup using Google as the example, but any SAML 2.0 identity provider will work.


Create a Google SAML app


Go to your Google admin panel (admin.google.com) and select 'Apps'. You will see an area to create a new SAML app.


From there, click on 'SAML apps' and then on 'Add a service/App to your domain'. At the bottom of the modal, click on 'Setup my own custom app'.


Download the IdP metadata. This is an XML file; keep it handy for later, then click 'Next'.


Name the app and choose a logo.


Enter the following information in your custom app and click 'Next':


ACS URL: https://app.motivosity.com/sso/saml


Entity ID: https://motivosity.com/


There is no need to do any further attribute mapping for Google. Click 'Finish'.


Your SSO app is now ready on the Google side. Go ahead and turn it on for everyone.


Configure Motivosity to use your SAML/SSO Application


Log in to Motivosity as an admin.


Click on 'Setup' and then 'Integrations'.


Create a custom domain for your company. This is usually company-name.motivosity.com.


Copy and paste the contents of the XML file you downloaded from Google's IdP metadata link into the SAML Metadata field.


Auto-login rules


You now have a custom domain like company-name.motivosity.com. Email notifications will point to this domain. If your users go to company-name.motivosity.com, they will be logged into Motivosity automatically using your SSO configuration.


If you are somewhere without access to the SSO identity provider, you can always go to 'app.motivosity.com' to log in the old way.


Troubleshooting


If you are being redirected to your login portal when you go to company-name.motivosity.com, but are not being logged in when you enter your credentials, there are a couple of things to look at.


1. If your environment is paused, only administrators will be allowed to log in. Make sure you have admin access if you want to test this while paused.


2. We require a signed assertion - the alternative would leave an open door, which is not secure. Look at your XML metadata: if you don't see something like the following, you'll need to obtain the correct metadata:

<KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                [long base64 string of letters and numbers here]
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>
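The three disclaimer points (production metadata, a signing certificate, IdP rather than SP metadata) and troubleshooting point 2 all come down to what is inside the metadata XML. The following script is an added example, not Motivosity's or Google's code: it parses an IdP metadata file with only the Python standard library and reports whether it is IdP metadata, whether a usable signing certificate is present under a KeyDescriptor, which SingleSignOnService endpoints it declares, and whether any URL looks like a staging or sandbox tenant. The sample metadata documents, the idp.example.com and sp.example.com addresses and the 5-byte stand-in "certificate" are constructed for the example; a real file carries a full X.509 certificate.

```python
"""Sanity-check SAML IdP metadata before pasting it into a service provider.

Added example (not Motivosity's code). Standard library only.
"""
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces, as defined by OASIS and W3C.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _decode_cert(text):
    """Return DER bytes for a base64 X509Certificate element, or None if unusable."""
    try:
        der = base64.b64decode("".join(text.split()), validate=True)
    except (ValueError, TypeError):
        return None
    # Every DER-encoded certificate is an ASN.1 SEQUENCE; its first byte is 0x30.
    return der if der and der[0] == 0x30 else None


def check_idp_metadata(xml_text):
    """Return a report dict: entity_id, is_idp, signing_certs, sso_urls, issues."""
    report = {"entity_id": None, "is_idp": False, "signing_certs": [],
              "sso_urls": [], "issues": []}
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        report["issues"].append("root element is not md:EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A common mistake: downloading the SP (service provider) metadata instead.
        if root.find("md:SPSSODescriptor", NS) is not None:
            report["issues"].append("this is SP metadata, not IdP metadata")
        else:
            report["issues"].append("no md:IDPSSODescriptor found")
        return report
    report["is_idp"] = True

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = _decode_cert(cert.text or "")
                if der is None:
                    report["issues"].append("signing certificate is not valid base64 DER")
                else:
                    report["signing_certs"].append(der)
    if not report["signing_certs"]:
        report["issues"].append("no signing certificate: assertion signatures cannot be verified")

    for svc in idp.findall("md:SingleSignOnService", NS):
        report["sso_urls"].append((svc.get("Binding"), svc.get("Location")))
    if not report["sso_urls"]:
        report["issues"].append("no md:SingleSignOnService endpoint")

    # Heuristic only: flag URLs that look like a non-production tenant.
    for text in [report["entity_id"] or ""] + [loc or "" for _, loc in report["sso_urls"]]:
        if any(word in text.lower() for word in ("staging", "sandbox")):
            report["issues"].append("non-production-looking URL: %s" % text)
    return report


# Constructed sample data. The "certificate" is a 5-byte DER SEQUENCE stand-in,
# not a real X.509 certificate; a real file carries the full base64 certificate.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
GOOD_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % _FAKE_DER

# Wrong file: SP metadata, which describes Motivosity's side and has no IdP descriptor.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/sso/saml" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# IdP metadata that only carries an encryption key: assertions cannot be verified.
ENC_ONLY_IDP_METADATA = GOOD_IDP_METADATA.replace('use="signing"', 'use="encryption"')

if __name__ == "__main__":
    for name, xml in [("good", GOOD_IDP_METADATA), ("sp", SP_METADATA),
                      ("encryption-only", ENC_ONLY_IDP_METADATA)]:
        print(name, "->", check_idp_metadata(xml)["issues"] or "no issues")
```

Run it against the XML file downloaded from the identity provider; an empty issues list means the file is IdP metadata with a decodable signing certificate and at least one sign-on endpoint, which is the minimum the troubleshooting step above asks you to confirm. The staging/sandbox check is a substring heuristic and does not replace checking which tenant the metadata was downloaded from.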