Single Sign-On (SSO) allows your team to authenticate using a single identity provider (IDP), such as Okta, Azure, or OneLogin, for your organization. It centralizes access to multiple accounts through a single profile, eliminating the need to create and maintain separate accounts and passwords for each of your team members. This results in easier and more secure access management for your entire organization.
Maze offers SSO as a feature for Organization plan customers who require their team members to log into Maze using their own identity provider.
We support SSO authentication using the WorkOS SSO API.
SSO setup
Supported IDPs
Maze supports SSO authentication using the WorkOS SSO API. This allows us to support all major identity providers, including Okta, Google, Azure, ADFS, OneLogin, and more.
You can find the complete list of all supported identity providers in the WorkOS documentation.
Set up SSO for your team
To set up SSO in Maze for the first time, the team owner or a team admin needs to follow these steps:
- Log in to your Maze account.
- Navigate to your Team settings (app.maze.co/team).
- Open the Security tab.
- Click Configure SSO for your team.
- A modal will briefly appear before you're redirected to the WorkOS Admin Portal. If you're not redirected, click Open manually.
- In WorkOS, select the identity provider you want to use with Maze, and follow the guidance to connect your Maze team with your SSO instance. Please note that different IDPs may require specific steps and information to set up the SSO connection. You can find specific instructions for each IDP by going to this page and selecting your IDP from the list.
- Once you're ready, come back to your Maze team settings and refresh the page. The Security tab should now show the details of your SSO configuration. Click Manage SSO configuration to go back to the WorkOS Admin Portal and adjust these settings.
Once SSO is enabled, all team members will receive an email with instructions to log in using SSO.
Edit SSO ID
After enabling SSO for the first time, a unique SSO identifier (SSO ID) will be generated. The team owner or admins can find it in the Security tab in the Team settings (app.maze.co/team?tab=security).
To edit the SSO ID:
- Open the Security tab in the Team settings (app.maze.co/team?tab=security).
- Next to Team SSO ID, click the Edit button.
- Type in the desired SSO ID. This should be a unique identifier of up to 30 characters, made up of letters, numbers, and dashes, with no spaces.
- When you're ready, click Update my SSO ID.
Make SSO required/optional
The owner or admins of the team have the option to make SSO login mandatory or optional.
If the Required setting is enabled, only the team owner can still log in using their email/password credentials, as a fallback in case the IDP is having issues.
If the Optional setting is enabled, all members will be able to use either their SSO credentials or their Maze password.
To change these settings:
- Navigate to your Team settings (app.maze.co/team).
- Open the Security tab.
- Scroll down to Team members login.
- To make SSO authentication mandatory, click the toggle Required SSO login. To make SSO authentication optional, click the toggle Optional SSO login.
Member management and access
Add members to an SSO-enabled team
To add people to your SSO-enabled team, first follow the guidance in this article: Inviting people to a team
After accepting the team invite, the new member will be redirected to your identity provider’s login screen (e.g. Okta, OneLogin, Azure, etc.).
Once they successfully enter your identity provider’s credentials and log in, their SSO profile will be linked to their Maze account.
Log in to an SSO-enabled team
For detailed instructions on how to log in to Maze using SSO, you can share this article with your team members: Logging in using SSO
FAQs
Does Maze support SAML-based SSO?
Yes, Maze SSO supports both the SAML and OpenID Connect protocols via the WorkOS SSO API. You can find a list of all supported identity providers in the WorkOS documentation.