Single Sign-On (SSO) allows your team to authenticate using a single identity provider (IdP) (e.g. Okta, Entra ID/Azure AD, OneLogin...) for your organization. It centralizes access to multiple accounts through a single profile, eliminating the need to create and maintain separate accounts and passwords for each of your team members. This results in easier and more secure access management for your entire organization.
Maze offers SSO as a feature for Organization plan customers who require their team members to log into Maze using their own identity provider.
We support SSO authentication using the WorkOS SSO API.
SSO setup
Supported IDPs
Maze supports SSO authentication using the WorkOS SSO API. This allows us to support all major identity providers, including Okta, Google, Entra ID (formerly Azure AD), AD FS, OneLogin, and more.
You can find the complete list of all supported identity providers, as well as setup instructions for each provider, on the Integrations page of the WorkOS documentation.
Set up SSO for your team
To set up SSO in Maze for the first time, the team owner or a team admin needs to follow these steps:
- Make sure you've used the team selector to switch to your Organization team.
- Navigate to your Team settings (app.maze.co/team).
- Open the Security tab.
- Click Configure SSO for your team.
- A modal will briefly appear before you're redirected to the WorkOS Admin Portal. If you're not redirected, click Open manually.
- In WorkOS, select the identity provider you want to use with Maze, and follow the specific guidance to connect your Maze team with your SSO instance. Please note that different IDPs will require specific steps and information to set up the SSO connection.
- Once you're ready, come back to your Maze team settings and refresh the page. The Security tab should now show the details of your SSO configuration. Click Manage SSO configuration to go back to the WorkOS Admin Portal and adjust these settings.
Once SSO is enabled, all team members will receive an email with instructions to log in using SSO.
Edit SSO ID
After enabling SSO for the first time, a unique SSO identifier (SSO ID) will be generated. The team owner or admins can find it in the Security tab in the Team settings (app.maze.co/team?tab=security).
The team owner/admins will need to share the SSO ID with each team member, since it is required to log in using SSO.
To edit the SSO ID:
- Make sure you've used the team selector to switch to your Organization team.
- Open the Security tab in the Team settings (app.maze.co/team?tab=security).
- Next to Team SSO ID, click the Edit button.
- Type in the desired SSO ID. This should be a unique identifier of up to 30 characters, made up of letters, numbers, and dashes, with no spaces.
- When you're ready, click Update my SSO ID.
your-team) to pre-populate the identifier during login.
Make SSO required/optional
The owner or admins of the team have the option to make SSO login mandatory or optional.
If the Required setting is enabled, no one on the team can log in using their email/password credentials. If this setting is enabled and, for any reason, you run into issues with your IdP, please reach out to our Support team for assistance.
If the Optional setting is enabled, all members will be able to use either their SSO credentials or their Maze password.
To change these settings:
- Make sure you've used the team selector to switch to your Organization team.
- Navigate to your Team settings (app.maze.co/team).
- Open the Security tab.
- Scroll down to Team members login.
- To make SSO authentication mandatory, click the toggle Required SSO login. To make SSO authentication optional, click the toggle Optional SSO login.
Member management and access
Add members to an SSO-enabled team
Auto-provisioning is enabled by default. This means that admins won't need to manually invite each team member to the Maze team after setting up SSO.
To add members to an SSO-enabled team, simply assign the user access to Maze in the identity provider, and make sure to share the team's SSO ID with them, as they will need it to log in.
Log in to an SSO-enabled team
For detailed instructions on how to log in to Maze using SSO, you can share this article with your team members: Logging in using SSO
FAQs
Does Maze support SAML-based SSO?
Maze SSO supports both the SAML and OpenID Connect protocols via the WorkOS SSO API. You can find a list of all supported identity providers in the WorkOS documentation.
Which identity providers are supported?
Maze supports SSO authentication using the WorkOS SSO API, which covers all major identity providers, including Okta, Google, Entra ID (formerly Azure AD), AD FS, OneLogin, and more (see the Supported IDPs section above).
You can find the complete list of all supported identity providers, as well as setup instructions for each provider, on the Integrations page of the WorkOS documentation.
Does Maze support auto-provisioning?
Maze supports auto-provisioning on SSO-enforced teams by default.
Where can I find the service provider (SP) metadata?
Setting up SSO in Maze is an entirely self-service process initiated through your Maze team settings. As you go along, you'll get automatic access to the metadata that is relevant to your specific identity provider (IdP).
To get started, follow the steps outlined in this section: Set up SSO for your team
As part of this process, you'll be redirected to our SSO provider, WorkOS, where you'll find the service provider (SP) metadata needed to configure your specific IdP. Follow the steps to configure both Maze and your IdP.
For instance, if you're setting up a generic SAML connection, following the setup steps will provide both the custom ACS URL and SP Metadata links generated for your team specifically. Alternately, if your team is configuring an AD FS connection, you'll be able to download a custom SP metadata file containing the ACS URL, Entity ID, and X.509 Certificate needed to configure AD FS for your team.
The SP metadata needed to configure your IdP is dynamically generated when you initiate the setup process for your team. As a result, it can't be provided in advance, but it'll be readily available as you follow the setup steps.
What attributes need to be included in the SAML response?
The exact attribute mappings depend on the identity provider (IdP) your organization is using. For instance, the attribute naming expected for a generic Security Assertion Markup Language (SAML) connection is different from the naming required for Active Directory Federation Services (AD FS).
During the setup steps, you'll see instructions related to the specific IdP you use, as well as the required attribute naming conventions.
The following are the minimum attributes that should be passed:
- idp_id: User's unique identifier, assigned by the directory provider. Please note that different directory providers use different ID formats.
- first_name: User's first name
- last_name: User's last name
- email: User's email address
These attributes must be mapped following the setup steps that have been shared in Maze for your specific identity provider.
If you are setting up a generic SAML connection, your SAML response should include id, email, firstName, and lastName attributes.
If you are setting up a connection for another IdP, you should use the setup steps for your specific identity provider. For more information, please refer to the complete list of all supported identity providers and respective setup instructions on the Integrations page of the WorkOS documentation.
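As an added example (not Maze's or WorkOS's code), a small Python check an admin could run against a SAML assertion captured from a test login, to confirm that the four attribute names listed above for a generic SAML connection are present and non-empty, together with a validator for the SSO ID format described earlier; the sample assertion is constructed for illustration and is not a real IdP response.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names the article lists for a generic SAML connection.
REQUIRED_ATTRS = ("id", "email", "firstName", "lastName")
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SSO ID rule from the article: up to 30 characters, letters, numbers, dashes, no spaces.
SSO_ID_RE = re.compile(r"[A-Za-z0-9-]{1,30}")


def valid_sso_id(sso_id: str) -> bool:
    """Return True if the SSO ID matches the format the article describes."""
    return SSO_ID_RE.fullmatch(sso_id) is not None


def saml_attributes(assertion_xml: str) -> dict:
    """Map attribute Name -> first AttributeValue from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if values else ""
    return attrs


def missing_attributes(assertion_xml: str) -> list:
    """Return the required attribute names that are absent or empty in the assertion."""
    attrs = saml_attributes(assertion_xml)
    return [name for name in REQUIRED_ATTRS if not attrs.get(name)]


# Constructed sample assertion (not a real IdP response): lastName is deliberately missing,
# the kind of mapping mistake that makes the first SSO login fail.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="id"><saml:AttributeValue>u-12345</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("missing attributes:", missing_attributes(SAMPLE_ASSERTION))  # ['lastName']
    print("sso id ok:", valid_sso_id("acme-corp"))  # True
```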
Does Maze support SCIM?
At the moment, Maze doesn’t formally support SCIM.
However, we do support auto-provisioning on SSO-enforced teams by default.
This means that, once you set SSO authentication as an enforced requirement, users can log in with their SSO credentials and join the team linked to that domain automatically without an invitation to the Maze team.
By default, new users join the account with an editor role.
Unfortunately, de-provisioning is not currently supported. Therefore, the admin of your Maze account would need to manually remove users from the team after they’ve been removed from the identity provider.
That said, once a user's access is revoked on the identity provider, they won’t be able to log in to Maze, even if they are not removed from the Maze team.