
Single sign-on

Secure the Mailosaur Dashboard using your organisation’s SAML or OpenID Connect Identity Provider.

What is SSO?

Single sign-on (SSO) is an authentication scheme that allows customers to mandate sign-in requirements and control team member access to systems like the Mailosaur Dashboard.

Mailosaur allows users to log in via Google, GitHub and Microsoft authentication, but also supports Enterprise SSO providers via Security Assertion Markup Language (SAML) and OpenID Connect (OIDC), allowing authentication and team member account creation to be deferred to an Identity Provider (IdP) like Okta, AzureAD, Ping Identity and more.

Benefits of SSO

Using SSO to authenticate to the Mailosaur Dashboard has two main benefits:

  • Security improvements
    • Allow team members to access the Dashboard without needing to create a password.
    • Leverage authentication decisions defined through an IdP, such as password policies and mandating two-factor authentication.
    • Configure your account to mandate SSO for all team members.
  • Easily manage access
    • Allow new team members to instantly sign in to the Dashboard using Just-in-Time account provisioning.
    • Revoke Dashboard access as needed, such as when a user leaves your organisation.
    • Manage users, teams and team membership with SCIM.

Setting up Enterprise SSO (SAML or OpenID Connect)

What we need from you

If you’re using a SAML-based provider, then all our team need is the metadata URL for your identity provider (e.g. https://example.com/metadata/idp.xml). However, if you can’t find this, simply send us the entity ID, SSO/redirect URL and certificate.

If you’re using an OpenID Connect-based provider, we just need the client ID and issuer URL.

What you need from us

If you’re using SAML, you’ll need to set a ‘Single sign on URL’ (or recipient/destination URL), which is https://mailosaur.com/__/auth/handler. You will also need to set the ‘Audience URI’ (or entity ID) for the Mailosaur service, which is https://id.mailosaur.com/saml.

For OpenID Connect, you’ll need the ‘Authorization Callback URL (ACS)’ for Mailosaur, which is https://mailosaur.com/__/auth/handler.

Enforcing single sign-on

When we first set up Enterprise SSO for you, it will be configured as optional, which means your users can still log in via another mechanism (e.g. their own username/password). Once you are happy with the SSO configuration, just let our team know and we’ll make SSO mandatory for your account.

Just-in-time (JIT) provisioning

Mailosaur supports just-in-time (JIT) provisioning of users. When enabled, whenever a user visits Mailosaur for the first time, we’ll add them to your account, as long as they are authorised by your identity provider. This saves time when adding new users, as you just need to grant them access to Mailosaur within your organisation’s IT systems.

When someone no longer requires Mailosaur access, blocking them via your SSO provider will immediately prevent them from logging in, but you’ll also want to log into Mailosaur and delete their user record, to free up a seat on your account. You do not need to do this manual step if you have SCIM enabled.

SCIM

SCIM (System for Cross-domain Identity Management) allows for the advanced management of users and teams. It can be used instead of JIT to provision new users, and it can also create teams, assign users to teams, and delete users when they leave your organisation.

SCIM is available to Enterprise plan customers. Just speak to the team to learn more.