Single sign-on (SSO) eliminates the need for users to maintain a separate password for Momentus Elite by allowing them to authenticate through their organization's identity provider. Once a user has authenticated through their identity provider, SSO uses that information to sign them in to Elite.
For more information about SSO, including technical requirements, please see Application Authentication and Security.
Once the feature has been enabled, a System Admin will need to configure Elite to connect to their identity provider before users will be able to authenticate via SSO. You will need access to your identity provider in order to configure SSO.
The email address used in the SSO authentication (the "email claim" from your Identity Provider) must match the email address stored for the user in Momentus Elite. If the email claim does not match, the user will not be able to log in via SSO, even if all other configuration steps are correct. We often see incorrect configurations for this, so be sure to check your settings:
- Go into your Identity Provider (IDP) and find the application settings configured for Momentus Elite (the Service Provider).
- Update the Claim. Check the user attributes or "claims" being sent to Momentus Elite.
- Set the Email Claim. The Name ID (or email claim) must be explicitly set to use the following exact URI:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  This URI ensures that when your system sends us the user's login information, it uses the email address as the unique identifier that Elite expects.
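To check the claim before enforcing SSO, capture the assertion your Identity Provider sends and compare it against the email stored in Elite. The script below is an added example, not Momentus code: it assumes a SAML 2.0 assertion, `check_email_claim` and `sample_assertion` are hypothetical names, and the sample assertions are constructed. It reports a case-only difference as a mismatch because the page does not say how Elite compares addresses.

```python
import xml.etree.ElementTree as ET

# Diagnostic only: reads an assertion you captured from your own IdP.
# It does not verify signatures and is not a SAML validator.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # assumption: SAML 2.0

def check_email_claim(assertion_xml, elite_email):
    """Return (code, detail) findings; an empty list means the claim lines up."""
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml:Attribute", NS)
    exact = [a for a in attrs if a.get("Name") == EMAIL_CLAIM]
    if not exact:
        # Surface near misses first: wrong case, stray whitespace, trailing slash.
        near = [a.get("Name") for a in attrs
                if a.get("Name", "").strip().rstrip("/").lower() == EMAIL_CLAIM.lower()]
        sent = near or [a.get("Name") for a in attrs]
        return [("claim-missing", f"IdP sent {sent!r}, expected {EMAIL_CLAIM!r}")]
    values = [(v.text or "").strip()
              for a in exact for v in a.findall("saml:AttributeValue", NS)]
    values = [v for v in values if v]
    if not values:
        return [("claim-empty", "email claim is present but carries no value")]
    findings = []
    for v in values:
        if v != elite_email:
            hint = " (differs only by case)" if v.lower() == elite_email.lower() else ""
            findings.append(("email-mismatch", f"{v!r} != {elite_email!r}{hint}"))
    return findings

def sample_assertion(claim_name, value):
    """Build a constructed, unsigned assertion fragment for demonstration."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="{claim_name}"><saml:AttributeValue>{value}'
            f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
            f'</saml:Assertion>')

if __name__ == "__main__":
    stored = "pat@example.com"  # constructed: the address stored in Elite
    for name, value in [(EMAIL_CLAIM, "pat@example.com"),       # correct
                        ("email", "pat@example.com"),           # wrong claim name
                        (EMAIL_CLAIM, "pat@corp.example.com")]:  # wrong value
        print(check_email_claim(sample_assertion(name, value), stored) or "OK")
```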
To configure SSO in Elite:
- Click on your name in the upper left corner and select System Admin to access the Admin console.
- Click Single Sign-on.
- Click the edit pencil icon by Service Provider Settings.
- In the Edit Single Sign-on slider, select your Identity Provider.
- If your identity provider is not listed, select Other and add the Identity Provider Name. This name cannot have any spaces in it! If you added a name with spaces, please contact us.
- Copy and paste the Federation Metadata URL from your Identity Provider, or select Upload From File. Upload the file by clicking Add Files or by dragging and dropping the document into the box.
- Click Save.
- Click the assignment clipboard icon next to each setting and paste into the appropriate location in your system.
- Click Test Login Url to test the configuration. For the test to work properly, you may need to access the Test Login Url link from a new incognito browser window.
- If your test was successful, click Enforce SSO.