Mautic uses basic authentication for users, however there is the ability to integrate with a SAML SSO provider.
SAML is a single sign on protocol that allows single sign on and user creation in Mautic using a 3rd party user source called an identity provider (IDP).
To enable SAML support in Mautic, you first need the IDP's metadata xml. This will be provided to you by the IDP. If it is a URL, browse to the URL then save the content into an xml file.
Go to Configuration -> User/Authentication Settings. Then upload this file as the
Identity provider metadata file.
It is recommended that a non-admin role be created to use as the default role for created users. Select this role in the
Default role for created users dropdown.
The IDP may ask for the following settings:
Entity ID - this will be site URL and is displayed at the top of User/Authentication Settings. Copy this exactly as is to the IDP.
Service provider metadata - if a URL is requested, use
https://your-mautic.com/saml/metadata.xml. If a file, then browse to that URL and save the content as an XML file.
Assertion consumer service - Use
Issuer - this should be provided by the IDP but is often configurable. If it is a URL, be sure that the scheme (http:// and https://) are not part of it.
Verify request signatures or a SSL certificate - If the IDP supports encrypting and validating request signatures from Mautic to the IDP, generate a self signed SSL certificate. Upload the certificate and private key through Mautic's Configuration -> User/Authentication Settings under the
Use a custom X.509 certificate and private key to secure communication between Mautic and the IDP. section. Then upload the certificate to the IDP.
Custom attributes - Mautic requires 3 custom attributes that must be included in the IDP responses for the user email, first name and last name. Username is also supported but is optional. Configure the attribute names used by the IDP in Mautic's Configuration -> User/Authentication Settings under the
Enter the names of the attributes the configured IDP uses for the following Mautic user fields. section.
Once Mautic is configured with the IDP and the IDP with Mautic, Mautic will by default redirect logins to the IDP's login page.
/s/login is still available for direct logins but will need to be browsed to directly.
Login to the IDP where you'll be redirected back to Mautic. If the exchange is successful, the user will be created, if it does not already exist, and logged in.
To disable SAML, simply click the
Remove link to the right of the
Identity provider metadata file label.