*SAML authentication can only be used by Enterprise Plan subscribers.
Table of Contents
- Organization settings
- Authentication settings for existing users
- Logging in with SAML authentication
- Adding new MagicPod users
- Confirmation of members for which SAML authentication settings are complete
- Making SAML authentication mandatory
1. Organization settings
You can add settings for SAML authentication to be used by that organization from the organization settings screen. (Figure 1)
Figure 1: Enabling SAML authentication
Select "Use (non-SAML authenticated users can be added)" and enter the following information:
- Identity Provider endpoint URL (HTTP Redirect)
- Identity Provider logout URL (HTTP Redirect)
- Identity Provider identifier (essential for Azure AD)
- Certificate of the public key used in the signature of the Identity Provider
1 is used to display the Identify Provider login screen during single sign-in to MagicPod.
2 is a URL for the purpose of logging out of the Identity Provider. This URL is used as a redirect when logging out of MagicPod. In other words, if you log out of MagicPod, you also log out of the Identity Provider. ((This is because, if you log out of MagicPod but remain logged in to the Identity Provider, when you access MagicPod again, single sign-on will be performed, making logging out meaningless. ))
Enter 3 as necessary. For SAML authentication with Azure Active Directory, this field is required.
4 shows the public key of the Identity Provider in text form. In terms of the input content, as long as it can be decoded here, this will not be a problem.
You should be aware that, due to the nature of SAML authentication, the contents of 1, 3 and 4 may be visible to users outside the organization if they enter their email addresses when the single sign-on login screen appears. This is also the case for other Cloud services that support SAML authentication. There is no security issue as long as the correct Identity Provider URL and public key are specified. By using this in combination with source IP address restriction (organizational data), you can hide the contents of 1, 3 and 4 from users outside the organization.
An input example is shown below. (Figure 2) Check with the department in charge, etc., for the actual input details, as these are different for each organization.
Figure 2: Input example
Next, change the user authentication settings. (Individual users can continue to use the previous ID and password authentication/GitHub authentication until the authentication settings are changed)
2. Authentication settings for existing users
First, select “Account settings” from the user menu. (Figure 3)
Figure 3: Account settings
If you do this, you will see an item titled "Authentication Settings" if you are a user of a SAML-enabled organization. If you click "Use SAML Authentication" here, you will be taken to SAML authentication. (Figure 4)
Figure 4: Using SAML authentication
You should be aware that the previous ID and password authentication/GitHub authentication will no longer be available once you choose to switch to SAML authentication. If you want to return to the previous method of authentication, reset your password here. To restore GitHub authentication, you can set it from "Social Accounts" in the user menu after resetting your password. (Figure 5)
Figure 5: Social account
3. Logging in with SAML authentication
Figure 6: Single sign-on screen
4. Adding new MagicPod users
From the organization settings screen, you can add MagicPod users with SAML authentication settings. (Figure 7)
Figure 7: SAML user registration screen
This function is similar to the one that enables you to add members from the Organization Members screen, other than the fact that MagicPod unregistered members can be added as users with SAML authentication.
5. Confirmation of members for which SAML authentication settings are complete
You can check this from the Organization Members screen. The “SAML authenticated user” label shall be displayed for users using the organization’s SAML settings. (Figure 8)
Figure 8: Organization member list and SAML authentication labels
6. Making SAML authentication mandatory
If you have selected "Use (non-SAML authenticated users can be added)" from the pull-down menu for the SAML authentication feature, your organization members will be able to continue using ID/password authentication and GitHub authentication. However, from a management perspective, it may not be ideal for an organization to mix multiple methods of authentication. If that is the case, you can choose “Use (non-SAML authenticated users cannot be added)" from the same folder, to make SAML authentication mandatory. However, if there are non-SAML authenticated users within the organization, you cannot change to “Use (non-SAML authenticated users cannot be added)." We would request that you check non-SAML authenticated members, and inform organization members of the need to migrate to SAML authentication.
- As the MagicPod Identity Provider Server is only accessed when the users login and logout, even if user information is deleted from Identity Provider, users that are already logged in to MagicPod may continue to use the MagicPod service. To deny this user access to MagicPod immediately, delete the user from the MagicPod organization members.
- SAML authentication is not supported on the MagicPodDesktop app. From the Edit test screen, click the “Connect” button to launch MagicPodDesktop.
- Please refer to this article in regard to SAML authentication.