Setup SAML-based SSO Access to MineOS

Enable SSO access to your MineOS account for you and your team through any identity provider (IdP) that supports SAML.

Before you start, make sure you have:

  • An account in an IdP that supports SAML authentication

  • A MineOS enterprise account

This article describes how MineOS allows users to authenticate against an external IdP using the Security Assertion Markup Language (SAML) protocol. 

SAML-based federation involves two parties:

  • An identity provider (IdP): authenticates users and, on success, issues an authentication assertion to service providers.

  • A service provider (SP): relies on the identity provider to authenticate users.

MineOS supports SP-initiated SAML connections and can serve as the service provider for users who are authenticated by different IdPs.

During the login process, workspace teammates will be redirected to the IdP in order to authenticate and then returned to the MineOS portal.

How to create a SAML application:

  1. To integrate with a SAML IdP, you need to create a dedicated application for MineOS within your SAML IdP. Most IdPs require the following information when creating a new application:
    1. Single sign-on URL: https://mineos-b2b.eu.auth0.com/login/callback
    2. Audience URI (SP Entity ID): skip this for now, it will be provided later
  2. To map the IdP members correctly, the following attributes have to be passed in the SAML connection:

     | IdP Attribute | MineOS Mapping |
     |---------------|----------------|
     | Email Address | email          |
     | First Name    | given_name     |
     | Last Name     | family_name    |

  3. Once the application is created, you'll be provided with metadata, which you need to send to your customer success manager. Usually, this is shared as one metadata file. If it is not, here are the specific values you need to share with us:
    • X.509 Certificate
    • IdP Sign-in URL
    • Company user domains (e.g. user@domain.com)

  4. Your customer success manager will set up the connection and reply with the Audience URI (SP Entity ID) so you can complete the setup. This usually has the form urn:auth0:mineos-b2b:{connection_name}