FAQ Submit a request Log in
  1. Moqups Help Center
  2. Working with Moqups
  3. Integrations

Articles in this section

    SAML Single Sign-On

    Also in this section

    SAML Single Sign-On (SSO)

    SSO, or Single Sign-On, allows individuals to use a single set of identifying credentials to sign up and sign on to a variety of different websites and SaaS (Software as a Service) platforms.

    Most people are familiar with SSO from Sign Up with Google, a feature that allows you to use your Google credentials to sign up and log in to many websites, including Moqups.

    Single Sign-On with SAML goes a step further and allows the employees of an organization to use a single set of credentials to log on to a variety of websites and apps they may need for their work.

    SAML (Security Assertion Markup Language) is the open standard that allows identity providers (IDP) like OneLogin, Okta, Microsoft Azure AD or Google to pass authorization credentials to service providers (SP) like Moqups. If you want, you can also configure a Custom SAML single sign-on for IDPs that aren’t on that list.

    Once SAML is enabled for your Moqups account, users can use SSO by simply entering their email at the SAML login. Moqups then authenticates their credentials via the IDP – and they can begin using our app.

    You can also set up automatic provisioning with SCIM (System for Cross-domain Identity Management). SCIM allows IT departments to automate their user identity management process within an IDP. To set up SCIM you will need to generate an API token in Moqups, and then add this to your IDP. You’ll find instructions for each of our supported IDPs below.

    Who Can Use This Feature?
    All Moqups Team and Unlimited accounts can enable SSO by configuring SAML with their IDP.

    To set up a SAML integration, you’ll need Admin privileges for both Moqups and your chosen IDP. 

    Moqups Admins also have the option of requiring their team members to use an SSO option, either via Sign up with Google or one of the SAML providers listed below.

     
    SCIM automatic provisioning can also be set up for Moqups using any of these IDPs.

    OneLogin SAML configuration

    Please follow these steps to configure OneLogin SAML for your Moqups account:

    1. Once signed into OneLogin, select the SSO tab for the Moqups app. 1._OneLogin_SSO_Tab.png
    2. In the Issuer URL field, copy the identity provider metadata. 2._OneLogin_IPM.png
    3. Click here to log into Moqups and go to the Integration tab on your Dashboard’s Account page. 
    4. In the SAML Authentication section of your Integration tab, paste the identity provider metadata URL copied during Step 2 and click the Configure button. Google_SAML_Configure.png
    5. Your configuration is now complete.

    Okta SAML configuration

    Please follow these steps to configure Okta SAML for your Moqups account:

    1. Once signed into Okta, select the SSO tab for the Moqups app. 7._SAML_Okta_Sign_On_Tab.png
    2. Click the Identity Provider metadata link to open a new tab containing the issuer URL 8._SAML_Okta_IPM.png
    3. Copy the URL from the address bar of the tab that opened during Step 2 9._SAML_-_Okta_Copy_URL.png
    4. Click here to log into Moqups and go to the Integration tab on your Dashboard’s Account page.
    5. In the SAML Authentication section of your Integration tab, paste the identity provider metadata URL copied at Step 3 and click the Configure button. Google_SAML_Configure.png
    6. Your configuration is now complete.

    Microsoft Azure AD SAML configuration

    This section provides an overview and the steps required to configure SAML authentication for  Moqups and Microsoft Azure AD.

    Contents

    • Supported Features
    • Requirements
    • Step-by-Step Configuration Instructions

    Supported Features

    The Microsoft Azure/Moqups SAML integration currently supports the following features:

    • SP-initiated SSO
    • IDP-initiated SSO
    • JIT (Just In Time) Provisioning

    Requirements

    SAML authentication is available to Moqups customers on our Unlimited Plan.

    Step-­by-­Step Configuration Instructions

    Within Azure AD, you’ll need to add Moqups from the gallery to your list of managed SaaS apps. Then, within the Moqups app, you’ll need to add Azure’s metadata URL to your Dashboard.

    Please follow these steps:

    1. Sign in to the Azure portal.
    2. Select Azure Active Directory > Enterprise applications+New application
    3. To add a new application, select New application: 15._Azure_New_Application.png
    4. In the Add from the gallery section, type Moqups in the search box.
    5. Select the Moqups app from the results panel. 16._Azure_Moqups_in_app_gallery.png
    6. You should be redirected to the Moqups app within Azure (if not go to Azure Active Directory > Enterprise applications > All applications > Moqups)
    7. Go to Single sign-on: 17._Azure_Open_SSO.png
    8. On the Select a single sign-on method page, select SAML: 18._Azure_SSO_SAML.png
    9. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings: 19._Azure_Edit_Configuration.png
    10. Copy the App Federation Metadata URL: 20._Azure_Add_Meta_Data.png
    11. Log in to Moqups.
    12. Go to https://my.moqups.com/dashboard/account/integrations
    13. Now paste the App Federation Metadata URL copied at Step 10.
    14. Click the Configure button Google_SAML_Configure.png
    15. Your configuration is now complete.

    Google SAML configuration

     
    This SAML integration is not yet available as it’s pending approval from Google. Please contact support@moqups.com for more info.

    This section provides an overview and the steps required to configure SAML authentication for  Moqups and Google.

    Contents

    • Supported Features
    • Configuration Steps
    • Notes

    Supported Features

    The Google/Moqups SAML integration currently supports the following features:

    • SP-initiated SSO
    • IDP-initiated SSO
    • JIT (Just In Time) Provisioning

    Requirements

    SAML authentication is available to Moqups customers on our Unlimited Plan.

    Step-­by-­Step Configuration Instructions

    To configure Moqups’ integration with Google, you’ll  need to add Moqups from the gallery to your list of managed SaaS apps.

    Please follow these steps:

    1. Set up Google as a SAML identity provider (IDP).
    2. From the Admin Console home page, go to Apps > Web and mobile apps.15._NEW_Google_Admin_Console.png
    3. Click Add app > Search for apps.16._NEW_Google_Search_App.png
    4. Enter Moqups in the search field.
    5. In the search results, hover over the Moqups SAML app and click Select.
    6. On the Google Identity Provider details page: Go to Single sign-on and Download the IDP metadata.
    7. Click Finish.
    8. Log in to Moqups.
    9. Go to https://my.moqups.com/dashboard/account/integrations
    10. Now select the Google IDP metadata file you downloaded in Step 6.
      17._NEW_Google_SAML_Configure.png
    11. Click the Configure button
    12. Your configuration is now complete.

    Custom SAML configuration

    If your preferred identity provider doesn’t offer the ability to connect with Moqups, you can use the following information to set up a custom SAML connection.

    Contents

    • Requirements
    • Parameters
    • Considerations
    • Settings
    • Certificates

    Requirements

    SAML authentication is available to Moqups customers on our Unlimited Plan.

    Parameters to configure

    Follow these parameters to configure your custom SAML connection.:

    Assertion Consumer Service URL (ACS URL)

    • The ACS URL to use is: https://api.moqups.com/saml/v2/acs

    EntityID

    • moqups.saml2.sp.eid.gkoAgEAAoICA

    SAML Logout Endpoint

    • Moqups does not support Single Logout or session duration configured in your IDP

    Considerations to keep in mind

    • Moqups supports HTTP REDIRECT binding and HTTP POST binding. You need to configure HTTP POST bindings in the IDP metadata.
    • Your IDP needs to ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.

    Settings to include

    NameID (Required)

    • SAML nameID format needs to be of the following email type:
       
      <saml:NameID 
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
          YOURDOMAIN@email.com
      </saml:NameID> 

    First Name Attribute (Optional)

    <saml:Attribute 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
      Name="FirstName">
        <saml:AttributeValue 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
            xsi:type="xs:string">
               FIRST NAME
        </saml:AttributeValue>
    </saml:Attribute>

    Last Name Attribute (Optional)

    <saml:Attribute 
      NameFormat=    "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      Name="LastName">
        <saml:AttributeValue 
          xmln    s:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">
            LAST NAME
        </sam    l:AttributeValue>
    </saml:Attribute>

    Certificates

    • Public Certificate
      • Moqups requires the SAML response to be signed.
      • Your IDP’s metadata needs to include a valid x.509 pem Certificate for Moqups to verify your identity. This is different from your SSL certificate.
     
    Moqups requires that the SAML response is signed.

    Log In to Moqups with SAML/SSO

    Once the SAML integration has been configured, your users can use SSO to log in to Moqups:

    1. Go to https://my.moqups.com/saml-login
    2. Enter your email address
    3. Click Log in

    25._Moqups_Log_In_with_SAML_SSO.png

    Enforce SSO Authentication

    In order to provide an additional layer of security, Moqups admins (team owners) can require all their team members to use an SSO option, either via Google or one of the SAML providers above. 

    Enabling the Enforce SSO Authentication option means that password-only login will be disabled for all team members.

     
    To disable password-only login for your team, your own Admin account must first use an SSO provider: OneLogin SAML, Otka SAML, Azure SAML, Google SAML, or Google Sign Up.

    To enforce SSO authentication for your team: 

    1. Go to the Accounts window of your Dashboard
    2. Click on the Security tab 
    3. In the Enforce SSO Authentication section, set the Enforce SSO Authentication for your team toggle to the ON position.
    4. Confirm your choice by pressing the Continue button in the pop-up.

    Enforce_SSO__1_.png