Configure Single Sign On (SSO) with Mailosaur and Okta

Prerequisites

Mailosaur's Okta integration supports authentication via SAML, OpenID Connect (OIDC) and SCIM provisioning (depending on plan level).

Before beginning, ensure that you have:

  • A Mailosaur account with SSO enabled. SSO is available on the Enterprise plan, and as an optional bolt-on to the Professional plan.
  • Access with the role of Account Administrator.

Supported Features

  • SP-initiated SSO
  • JIT (Just-In-Time) provisioning
  • SCIM provisioning (Enterprise plan only)

SAML

Configuration Steps

Follow these steps if you wish to integrate Okta and Mailosaur using SAML. Alternatively, you can configure using OpenID Connect (OIDC).

1. Configuration within Okta

  1. Log into your Okta administrative portal.
  2. Click Applications in the left-hand sidebar, and then Browse App Catalog near the top of the resulting page.
  3. Search for "mailosaur" in the search bar, and then click the Mailosaur integration from the results.
  4. Click the Add Integration button to add the Mailosaur integration to your Okta instance.
  5. When the app integration is added to your Okta instance, you will be redirected to the application's assignments page. Click on the Sign On tab, then copy the Metadata URL value. You will need this later.

2. Verify your company domain in Mailosaur

So that your users can be automatically redirected to Okta if they try to log in via the Mailosaur login page, you need to verify that you own the domain in their email address (for example, if your users used some.person@example.com, you would verify ownership of example.com). To do this:

  1. Log into the Mailosaur Dashboard.
  2. Click Admin (cog icon) in the top-right of the screen, then select Domains.
  3. Click Add Domain and type in the domain that you wish to verify (e.g. example.com).
  4. Leave all other options unchanged, and click Add Domain.
  5. Follow the on-screen instructions to verify that you own this domain (contact our support team if you're unsure how to do this).

3. Set up SSO within Mailosaur

  1. If you are not already logged in, then log into the Mailosaur Dashboard.
  2. Click Admin (cog icon) in the top-right of the screen, then select Single Sign-On.
  3. Select your verified domain from the list of domains (see step above if you haven't verified a domain yet).
  4. From the list of Identity providers, choose Okta.
  5. Now fill in the Identity provider (IdP) metadata URL field. The value for this is what you copied above and can be found on the Sign On tab within the Okta administrative portal.
  6. Paste in this value and click Save.

SSO is now configured on your account. You can optionally choose to enable JIT (Just-In-Time) Provisioning, which will automatically add any new users onto your account when they first log into Mailosaur.

You can also make SSO mandatory (however, you must first log in with Okta before you can do this).

Users can now log in via the URL shown on-screen e.g. https://mailosaur.com/sso/{company}
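
A pre-flight check you can run on the document served at the Metadata URL before saving it in Mailosaur, shown here as an added example (not Mailosaur or Okta code). The sample XML, the `example.okta.com` host and the function name `check_idp_metadata` are constructed for illustration; the check assumes your Okta tenant host is known in advance.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not real Okta output); host and certificate are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:constructed-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/constructed/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, expected_host):
    """Return (summary, problems) for a SAML IdP metadata document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML identity provider metadata")
    problems = []
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        problems.append("no signing certificate published")
    endpoints = []
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = sso.get("Location", "")
        url = urlparse(loc)
        endpoints.append((sso.get("Binding", "").rsplit(":", 1)[-1], loc))
        if url.scheme != "https":
            problems.append(f"non-HTTPS SSO endpoint: {loc}")
        if url.hostname != expected_host:
            problems.append(f"unexpected SSO host: {url.hostname}")
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    summary = {"entity_id": root.get("entityID"), "endpoints": endpoints,
               "signing_certs": len(certs)}
    return summary, problems
```

Call `check_idp_metadata(xml_text, "your-tenant-host")` on the downloaded metadata text; an empty `problems` list means the document names HTTPS sign-on endpoints on the expected host and publishes a signing certificate.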

OpenID Connect (OIDC)

Configuration Steps

Follow these steps if you wish to integrate Okta and Mailosaur using OpenID Connect (OIDC). Alternatively, you can configure using SAML.

  1. Log into your Okta administrative portal.
  2. Click Applications in the left-hand sidebar, and then Browse App Catalog near the top of the resulting page.
  3. Search for "mailosaur" in the search bar, and then click the Mailosaur integration from the results.
  4. Click the Add Integration button to add the Mailosaur integration to your Okta instance.
  5. When the app integration is added to your Okta instance, you will be redirected to the application's assignments page.
  6. On the General tab, make a note of the Client ID that is shown.
  7. Click on the Sign On tab, then make a note of the Issuer URL.
  8. Contact support with the Client ID and Issuer URL noted above, so that our team can complete OIDC configuration on our side.
  9. Our team will provide you with information on how your users can log in.

SCIM

Supported Features

  • Create users
  • Update user attributes
  • Deactivate users
  • Push groups

For more information on the features listed above, we recommend visiting this glossary from Okta.

Configuration Steps

Generate a token for use with SCIM

  1. Log into the Mailosaur Dashboard.
  2. Click Admin (cog icon) in the top-right of the screen, then select API keys.
  3. Click Create Key, name the new key SCIM and click Create Key again.
  4. Find the newly created key and click Reveal Key, then copy the revealed value for use later (below).

Configuring provisioning in Okta

  1. Log into your Okta administrative portal.
  2. Click Applications in the left-hand sidebar, and navigate into the Mailosaur application that you already have configured (see configuration steps for SAML or OIDC above).
  3. Select the Provisioning tab and check the Configure API Integration box.
  4. Check the Enable API integration checkbox.
  5. In the Base URL field enter https://mailosaur.com/api/scim/
  6. Select the Authentication Mode HTTP Header.
  7. Paste in the API key that you created in the steps above.
  8. Click Test API Credentials - a success message should appear.
  9. Click Save.
  10. Select To App in the left panel then click Edit.
  11. Enable Create users, Update User Attributes and Deactivate Users, then click Save.

Select users to be provisioned

  • The Assignments tab will let you provision your Okta users to Mailosaur.

Sync groups

On the Push Groups tab:

  • Select Push Groups, then Find groups by name.
  • Enter the name of your group.
  • Click Save & Add Another.

Known Issues / Troubleshooting

Please contact our team at support@mailosaur.com if you encounter any issues.