These are instructions for setting up MessageMedia SSO with Okta. If you use a different Identity Provider and need assistance with configuration, please contact our support team at support@messagemedia.com.
Step 1: Create a new application integration
- Sign in to the Okta portal. On the left navigation pane, go to Applications and then Applications.
- To add a new application, select Create App Integration
- Select SAML 2.0 within the pop-up window and click Next to continue
Step 2: Create SAML Integration
- Within General settings enter the app name “MessageMedia SSO for <Your Company>”
- Add logo (optional)
- Click Next to continue to Configure SAML
- In the Single sign on URL text box, enter the URL: https://hub.messagemedia.com/login/sso
- In the Audience URI (SP Entity ID) text box, enter the MessageMedia Hub URL: https://hub.messagemedia.com
- The Default Relay State can be left blank
- The Name ID format can be left unspecified
- Change Application Username to Email
At the bottom of the page, under “Preview the SAML assertion generated from the information above” click < > Preview the SAML Assertion:
Copy the XML text that appears:
Log in to your MessageMedia account and go to Configuration > Single Sign On (SSO), and paste the XML you copied into the IDP metadata XML field:
- Go back to your Okta SAML configuration screen, scroll to the bottom and click Next to continue
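A check you can run on the previewed assertion from Step 2 before relying on it: it confirms that the Recipient, Audience and NameID match the values entered above. This is an added example, not MessageMedia or Okta code; the sample XML is constructed, and the function name check_preview is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}  # standard SAML 2.0 namespace
ACS_URL = "https://hub.messagemedia.com/login/sso"  # Single sign on URL (Step 2)
AUDIENCE = "https://hub.messagemedia.com"           # Audience URI / SP Entity ID (Step 2)

# Constructed sample preview (issuer and user are placeholders, not real values).
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed" Version="2.0">
  <saml2:Issuer>http://www.okta.com/CONSTRUCTED</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://hub.messagemedia.com/login/sso"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://hub.messagemedia.com</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

def check_preview(xml_text):
    """Return a list of mismatches between a previewed assertion and the Step 2 settings."""
    root = ET.fromstring(xml_text)  # input is your own Okta preview, not untrusted XML
    tag = "{%s}Assertion" % NS["saml2"]
    assertion = root if root.tag == tag else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return ["no saml2:Assertion element found"]
    problems = []
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        problems.append(f"NameID {value!r} is not an email address")
    recipients = [d.get("Recipient")
                  for d in assertion.iterfind(".//saml2:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"Recipient {recipients} does not include {ACS_URL}")
    audiences = [(a.text or "").strip() for a in assertion.iterfind(".//saml2:Audience", NS)]
    if audiences != [AUDIENCE]:  # exact match: a trailing slash counts as a mismatch
        problems.append(f"Audience {audiences} is not exactly {AUDIENCE}")
    return problems

if __name__ == "__main__":
    print(check_preview(SAMPLE) or "preview matches the Step 2 settings")
```

An empty list means the preview agrees with the Single sign on URL, Audience URI and Email username settings; each string in a non-empty list names the field to correct in Okta.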
Step 3: Assign users to MessageMedia
- In the Okta portal, select Enterprise Applications, and then select All applications. In the applications list, select your MessageMedia SSO app
- Under Assignment click the blue Assign button
- Select Assign to People or Assign to Groups, depending on your organisation's requirements
- Add the relevant Assignment and click Done
SAML SSO settings
Once you've configured SAML SSO for MessageMedia and your IDP, you can further customize the following settings:
- Automatically create accounts on sign in: Enable this if you want to allow all users who can sign in to automatically be added as users to your MessageMedia account (if they aren't already)
- Default user role to be assigned to new users: Sets the user role in MessageMedia for new users created via SSO.
- Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO.
Note: Before enforcing SAML, we recommend notifying your organisation that this will be the only way to sign in to MessageMedia going forward, as long as they belong to any workspaces controlled by this SAML configuration.
FAQs
My organisation uses an identity service provider (IDP) that's not in the list that appears in the web portal SSO configuration screen. Will it be supported?
- Please contact support@messagemedia.com with your IDP and we’ll look to add support for additional IDPs shortly.
Does enforcing SAML SSO log out users?
- No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.
Can I still log in to MessageMedia if my identity provider is experiencing an outage?
- If you have Enforce SAML authentication turned on and your IDP is down, you should contact support at support@messagemedia.com and we can turn off “Enforce SAML” to allow administrators and users that existed beforehand to log in with email again.
What version of SAML does MessageMedia support?
- We currently support SAML v2.0.