How do I set up an SSO profile?

Mawqoot supports Single Sign-On (SSO) using OpenID Connect (OIDC) protocol, allowing your employees to log in securely through your organization’s identity provider (IdP).
This article explains how to configure SSO for your organization account.

Why SSO?

1. Secure and centralized authentication.

2. No need for additional passwords. Employees can sign-in using their business authentication.

3. New accounts are created automatically for newly signed-in users

Create SSO profile

1. From sidebar, click on settings, then click on SSO.

2. Click on create SSO profile to create new SSO profile.

3. Register Mawqoot as a client in your identity provider using the following integration configurations:

4. Once the app is registered, your IdP will generate:

• Client ID

• Client Secret

• Metadata URL (well-known configuration URL)

5. Enter the identity provider configuration details:

   1. Name*: A descriptive name for your SSO configuration.
      Example: MyCompany IdP

   2. Domain*
      Your organization’s email domain. This will be used to match employees to the correct SSO provider.
      Example: company.com

   3. Metadata URL
      Identity provider public OIDC configurations metadata URL
      Example:
      https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
      If not available, you can uncheck the box and enter fields manually:

      1. Issuer
         The OIDC issuer URL, typically the base URL of your identity provider.
         Example: https://idp.example.com

      2. Authorization Endpoint
         The authorization endpoint where users are redirected to sign in using their credentials.

         Example: https://idp.example.com/oidc/authorize

      3. Token Endpoint
         The token endpoint used to exchange authorization codes for access tokens.
         Example: https://idp.example.com/oidc/token

      4. JWKS URI
         The JWKS endpoint providing public keys for verifying JWT signatures.

         Example: https://idp.example.com/.well-known/jwks.json

   4. Client ID*
      Client identifier registered with your identity provider.

   5. Client Secret*
      Client secret registered with your identity provider.

After completing the fields, click the save button.

Once saved, SSO profile will be reviewed, and you may be contacted before it is enabled. If the profile is valid, SSO will be activated for your domain.

Managing SSO profiles

• You can create, update, or disable your SSO profiles from the same SSO settings page.

• You can maintain multiple configurations if your company uses more than one domain.

Disabling SSO profiles impacts only new sign-ins.