Single Sign-On (SSO)

Introduction

SSO (Single Sign-On) uses a single set of credentials for logging into different applications. This lets employees access the MoEngage dashboard using their company credentials.

Benefits of SSO

  • Increased security and less risk of accounts being compromised
  • Reduced password fatigue from managing different credentials
  • Simplified authentication by using the known access directory 
Note

You may need help from your IT administrator in your organization to set up SSO for your account.

MoEngage supports SSO using SAML 2.0 and acts as an SSO Service Provider (SP). SAML is an industry-standard protocol that allows the authentication of users to be delegated, similar to OAuth2.

On login, the customer is redirected to their internal or external SSO system for authentication and then returned to MoEngage, where the response is verified.

Enable SSO

Warning

Only admins can access the login settings.

Information

We have revamped our dashboard settings UI. The navigations for SSO in the old and revamped UIs are illustrated in the following images.

Revamped UI Old UI

Navigate to Settings -> Security -> Login -> SSO in the MoEngage Dashboard.

  1. Select Single Sign-On (SSO) Only from the available options.

  2. Select your SSO Identity Provider and configure the setup.

  3. Click Save.

Enable Identity Providers

MoEngage currently supports the following Identity Providers (IdP):

Note

Even if your identity provider is not listed here, SSO should work with any SAML 2.0 compliant provider. Select Other from the identity provider list and configure your IdP.

Set up Okta SSO

Ensure:

  • You are an org admin for your organization in MoEngage.
  • You can configure your organization in Okta.

To set up SSO with Okta:

  1. Navigate to the Okta admin dashboard.

  2. Click Add Applications.

  3. Click Create New App.

  4. Select SAML 2.0.

  5. Enter a name for the app and optionally upload a logo.

  6. Enter the Single Sign On URL (ACS URL) and Audience URL (Entity Id). 

  7. Change the Application username to Email.

  8. In the SSO settings for MoEngage, select Okta as the IdP.

  9. Enter the Entity ID and ACS URL. 
    Copy and paste the details configured in Okta.

  10. If you'd like, you can download the Identity Provider metadata.

  11. On MoEngage, paste the metadata and click Continue.

  12. Click Continue to enable SSO via Okta.

  13. Confirm and choose to inform teammates about the new login process.

Set up Google SSO

Ensure:

  • You are an admin for your workspace in MoEngage.
  • You are an administrator for your GSuite organization.

To set up SSO with Google:

  1. Navigate to Apps in the GSuite admin console and select SAML apps.

  2. Click + at the bottom right corner to add a SAML app.

  3. In the popup, click Setup my own custom app.

  4. Continue through the app creation.
    Enter a name and description and optionally upload the logo for easy recognition.

  5. In the next step, you will be prompted for the "ACS URL" and "Entity ID".

  6. For the Entity ID and ACS URL, choose Google as your identity provider in the SSO settings on MoEngage and paste the details into the Google console.  

  7. For the ID Format, select email from the drop-down. 
  8. Select Signed Response.
  9. Click Finish to save the app.

  10. Download the IDP metadata.

  11. Upload the metadata file in MoEngage and click Save.

  12. Click Save to enable SSO via Google. 

  13. Confirm and choose to inform the teammates about the new login process.

Set up OneLogin SSO

Ensure:

  • You are an admin for your account in MoEngage.
  • You must be able to configure the organization in OneLogin.

To set up SSO with OneLogin:

  1. On the OneLogin portal, navigate to Applications and click Add App.

  2. Search for SAML and select "SAML Test Connector (IdP w/ attr w/ sign response)".

  3. Enter the name "MoEngage" and save the app.

  4. In the configuration sections of this app, fill out the form. 

  5. For the form, choose OneLogin as your identity provider in the SSO settings on MoEngage and paste the details (Audiences, ACS (Consumer) URL Validator, ACS Consumer URL, and SSO URL) in the OneLogin portal. Click Save.

  6. From the More Action menu, select SAML metadata. This downloads a file.

  7. Upload the metadata file in MoEngage and click 'Save'.

  8. Click Save to enable SSO via OneLogin. 

  9. Confirm and choose to inform the teammates about the new login process.

Set up Microsoft Azure SSO

Ensure:

  • You are an org admin for your organization in MoEngage.
  • You can configure your organization in Azure.

To set up SSO with Azure:

  1. Sign in to the Azure Portal.
  2. Browse to Microsoft Entra ID > Enterprise applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant. Search for "SAML Toolkit" and select the application.

  3. In the Manage section of the left menu, select Single sign-on to open the Single sign-on pane for editing.

  4. Select SAML to open the SSO configuration page.

  5. On the Step 1 tile “Basic SAML Configuration”, click on the edit button.
  6. Copy & paste the Identifier (Entity ID), Reply URL and Sign On URL values from MoEngage (Settings -> Single Sign On -> Enable SSO -> Select Azure) and click on Save.
  7. From the Step 3 tile, SAML Signing Certificate, copy the App Federation Metadata URL and download the XML.
  8. Upload the metadata file on MoEngage (Settings -> Single Sign on -> Edit Settings -> Select Azure) and click on Continue.
  9. Click on Save to enable SSO via Azure.
  10. Click on Done and choose to inform the teammates about the new login process.

Login with SSO

  1. Select Login using SSO on the login screen.

  2. Enter your email address in Work Email.

Frequently Faced Issues

1. Facing an issue while logging in?

Authentication Failed?

This generally happens when the SAML authentication with the Identity Provider fails. Please reach out to your identity provider for details. 

Persistent Error

MoEngage supports admin login using an email ID and password combination. The admin can go back to the Single Sign On screen (Settings > Security Settings) and disable SSO.

 

2. Facing an issue while uploading the config file?

 

This generally happens when the uploaded XML file is invalid. Try again with the correct XML file. If the issue persists, check with your identity provider. 

3. Which identity providers are supported by MoEngage?

MoEngage supports all identity providers (IDPs) that support SAML 2.0.

 

4. Can different identity providers be used for different workspaces?

Yes, you can configure different identity providers for different workspaces. For example, you can use Okta to configure SSO for one workspace and Google for another.

Note: You can also have different identity providers for test and live environments.

 

5. Can the same identity provider be used for different workspaces?

Yes, you can configure the same identity provider for different workspaces.

 

6. Which identity provider (in case of multiple IDPs) will the user be redirected to after logging in?

The user will be redirected to the IDP associated with the most recent workspace that was used by them before the last session ended.

 

7. Is there a test environment using which SSO implementation can be tested?

You can use the test environment to test the SSO setup and verify that everything is working as desired. You will need to set up SSO again on the live environment once you have verified it on test.

On the other hand, SSO is configured on the test environment automatically if you configure it on the live environment first.

 

8. What happens if the user exists in the identity provider’s directory but not in MoEngage?

The user will not be able to log in to MoEngage if the user is not a part of the workspace in which the SSO has been enabled.

 

9. What happens if the user exists in the identity provider’s directory but does not have access to the SSO workspace linked with MoEngage?

The user will see the Auth Status Failure error on the MoEngage Dashboard while being redirected back from the identity provider.

 

10. Who can enable/disable SSO for a workspace on MoEngage?

The SSO can only be enabled / disabled / edited by a user with access to Setup & Manage permission under Login Settings.

The user with the necessary permissions can go to Settings -> Login -> Authentication and then select Single Sign On (SSO) Only and perform the necessary action.

 

11. What happens if the SSO is not enabled for one of the workspaces or if different identity providers have been used for different workspaces?

The user will need to re-authenticate themselves while switching between the workspaces if SSO is not enabled for one of the workspaces or if different identity providers have been used for the workspaces.

 

12. What happens if the user wants to seamlessly switch between different workspaces after enabling SSO?

The user will need to enforce SSO on all the workspaces with the same identity provider in both Test and Live environments in order to seamlessly switch between different workspaces without re-authenticating. 

 

13. Can we configure SSO to allow a specific set of users to log in using SSO and others to log in with ID and Password?

Once SSO is enabled, only the admins have the option to log in using their MoEngage credentials. All other users must log in through SSO.

 

14. When using Microsoft Azure, what should be the value of the User Principal Name (UPN) attribute?

UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The prefix is joined with the suffix using the "@" symbol. For example, "someone@example.com". A UPN must be unique among all security principal objects within a directory. Read more about it here.

 

15. What are some of the common issues faced by the users?

Here are some of the common issues faced and their resolutions.

Error: Incorrect Cluster URL
Resolution: Ensure that the correct login URL (as per your data center) is being used to log into your MoEngage Dashboard. For more information, refer to Data Centers.

Error: Incorrect Name ID Format
Resolution: The Name ID Format should be in the format mentioned below:
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Error: Missing Single Sign On URL
Resolution: The Single Sign On URL should be present with a valid value in the SAML metadata file.

NameIDFormat

    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
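
The errors listed above can be caught before uploading by checking the IdP metadata file locally. The following is an added example, not MoEngage's own validation code: the function name, the sample metadata (a constructed file for a hypothetical IdP at idp.example.com), and the mapping of each check to an error name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata for a hypothetical IdP at idp.example.com.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/meta">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>{EMAIL_FORMAT}</NameIDFormat>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return a list of problems found; an empty list means every check passed."""
    # SAML metadata never needs a DTD, so refuse one rather than parse entities.
    if "<!DOCTYPE" in xml_text:
        return ["Invalid XML: DOCTYPE declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"Invalid XML: {exc}"]

    # iter() also matches the root, so a bare IDPSSODescriptor document works.
    idp = next(root.iter(f"{{{MD}}}IDPSSODescriptor"), None)
    if idp is None:
        return ["Invalid XML: no IDPSSODescriptor element (not IdP metadata)"]

    problems = []
    # "Missing Single Sign On URL": need a non-empty Location attribute.
    sso_urls = [(el.get("Location") or "").strip()
                for el in idp.findall(f"{{{MD}}}SingleSignOnService")]
    if not any(sso_urls):
        problems.append("Missing Single Sign On URL")
    # "Incorrect Name ID Format": emailAddress must be among the listed formats
    # (assumption: the format is read from the metadata's NameIDFormat list).
    formats = [(el.text or "").strip()
               for el in idp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_FORMAT not in formats:
        problems.append("Incorrect Name ID Format")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA) or "metadata looks OK")
```
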

 

16. Does two-factor authentication remain enabled even after enabling SSO authentication?

Yes, two-factor authentication remains enabled even after you enable SSO for a workspace.
