Skip to main content

Setting up SSO for your team

Laura Cunha
  • Updated

Single Sign-On (SSO) allows your team to authenticate using a single identity provider (IDP) (e.g. Okta, Azure, OneLogin...) for your organization. It centralizes access to multiple accounts through a single profile, eliminating the need to create and maintain multiple accounts/passwords for all each of your team members. This results in easier and more secure access management for your entire organization.

Maze offers SSO as a feature for Organization plan customers who require their team members to log into Maze using their own identity provider.

We support SSO authentication using the WorkOS SSO API.

In this article:

SSO setup

Supported IDPs

Maze supports SSO authentication using the WorkOS SSO API. This allows us to support all major identity providers, including Okta, Google, Azure, AD FS, OneLogin, and more.

You can find the complete list of all supported identity providers, as well as setup instructions for each provider, on the Integrations page of the WorkOS documentation.

Set up SSO for your team

Only the team owner and admins can view/edit SSO settings in Maze.

To set up SSO in Maze for the first time, the team owner or a team admin needs to follow these steps:

  1. Log in to your Maze account.
  2. Make sure you've used the team selector to switch to your Organization team.
  3. Navigate to your Team settings (app.maze.co/team).
  4. Open the Security tab.
  5. Click Configure SSO for your team.
    maze-team-settings-sso-not-enabled.png
  6. A modal will briefly appear before you're redirected to the WorkOS Admin Portal. If you're not redirected, click Open manually.
    maze-team-settings-sso-workos-redirect.png
  7. In WorkOS, select the identity provider you want to use with Maze, and follow the guidance to connect your Maze team with your SSO instance. Please note that different IDPs may require specific steps and information to set up the SSO connection. You can find specific instructions for each IDP by going to this page and selecting your IDP from the list.
  8. Once you're ready, come back to your Maze team settings and refresh the page. The Security tab should now show the details of your SSO configuration. Click Manage SSO configuration to go back to the WorkOS Admin Portal and adjust these settings.
    maze-team-settings-sso-enabled.png

Once SSO is enabled, all team members will receive an email with instructions to log in using SSO.

Edit SSO ID

After enabling SSO for the first time, a unique SSO identifier (SSO ID) will be generated. The team owner or admins can find it in the Security tab in the Team settings (app.maze.co/team?tab=security).

The team owner/admins will need to share the SSO ID with each of these members, so it can be used to log in using SSO.

After updating the SSO ID, don't forget to share the updated ID with your team members, as they will need it in order to be able to log in.

To edit the SSO ID:

  1. Make sure you've used the team selector to switch to your Organization team.
  2. Open the Security tab in the Team settings (app.maze.co/team?tab=security).
  3. Next to Team SSO ID, click the Edit button.
    maze-team-settings-edit-sso-id.png
  4. Type in the desired SSO ID. This should be a unique identifier. Your SSO ID should contain up to 30 characters, including letters, numbers, dashes, and no spaces.
  5. When you're ready, click Update my SSO ID.
    maze-team-settings-enter-new-sso-id.png
You can append your team's identifier to the SSO login URL (e.g. https://app.maze.co/login-sso/your-team) to pre-populate the identifier during login.

Make SSO required/optional

The owner or admins of the team have the option to make SSO login mandatory or optional.

If the Required setting is enabled, only the team owner can log in using their email/password credentials, in case the IDP is having issues.

If the Optional setting is enabled, all members will be able to use either their SSO credentials or their Maze password.

To change these settings:

  1. Make sure you've used the team selector to switch to your Organization team.
  2. Navigate to your Team settings (app.maze.co/team).
  3. Open the Security tab.
  4. Scroll down to Team members login.
  5. To make SSO authentication mandatory, click the toggle Required SSO login. To make SSO authentication optional, click the toggle Optional SSO login.
    maze-team-settings-sso-optional-or-mandatory.png
If the required/optional toggle is completely disabled, that means you're not currently logged in to the team using SSO. Logging out and then logging back in using SSO will make this toggle available again.

Member management and access

Add members to an SSO-enabled team

Auto-provisioning is enabled by default. This means that admins won't need to manually invite each team member to the Maze team after setting up SSO.

To add members to an SSO-enabled team, simply assign the user access to Maze in the identity provider, and make sure to share the organization id with them, as they will need it to log in.

Log in to an SSO-enabled team

For detailed instructions on how to log in to Maze using SSO, you can share this article with your team members: Logging in using SSO

FAQs

Does Maze support SAML-based SSO?

Maze SSO supports both the SAML and OpenID Connect protocols via the WorkOS SSO API. You can find a list of all supported identity providers in the WorkOS documentation.

Which identity providers are supported?

Maze supports SSO authentication using the WorkOS SSO API. This allows us to support all major identity providers, including Okta, Google, Azure, AD FS, OneLogin, and more.

You can find the complete list of all supported identity providers, as well as setup instructions for each provider, on the Integrations page of the WorkOS documentation.

Does Maze support auto-provisioning?

Maze supports auto-provisioning on SSO-enforced teams by default.

Where can I find the service provider (SP) metadata?

Setting up SSO in Maze is an entirely self-service process initiated through your Maze team settings (app.maze.co/team). As you go along, you'll get automatic access to the metadata that is relevant to your specific identity provider (IdP).

To get started, follow the steps outlined in this section: Set up SSO for your team. As part of this process, you'll be redirected to our SSO provider, WorkOS, where you'll gather the necessary service provider (SP) metadata to configure your specific IdP. Follow the steps to configure both Maze and your IdP. You'll get automatic access to the metadata needed to configure your specific IdP.

For instance, if you're setting up a generic SAML connection, following the setup steps will provide both the custom ACS URL and SP Metadata links generated for your team specifically. Alternately, if your team is configuring an AD FS connection, you'll be able to download a custom SP metadata file containing the ACS URL, Entity ID, and X.509 Certificate needed to configure AD FS for your team.

The SP metadata needed to configure your IdP is dynamically generated when you initiate the setup process for your team. As a result, it can't be provided in advance, but it'll be readily available as you follow the setup steps.

Does Maze support SCIM?

At the moment, Maze doesn’t formally support SCIM. 

However, we do support auto-provisioning on SSO-enforced teams by default.

This means that, once you set SSO authentication as an enforced requirement, users can log in with their SSO credentials and join the team linked to that domain automatically without an invitation to the Maze team.

By default, new users join the account with an editor role.

Unfortunately, de-provisioning is not currently supported. Therefore, the admin of your Maze account would need to manually remove users from the team after they’ve been removed from the identity provider.

That said, once a user's access is revoked on the identity provider, they won’t be able to log in to Maze, even if they are not removed from the Maze team.

Related articles