How to Use Single Sign-On in Mezmo (SSO)
Interested in learning how to use Single sign-on in Mezmo? Single sign-on (SSO) is an authentication model designed to let users access different applications, services, and resources using a single set of credentials. Instead of having multiple user accounts for different applications, users are assigned a single centralized account that is used to authenticate with each application. This makes it more convenient for users to authenticate, while also making it easier for IT administrators to manage multiple accounts.
Mezmo, formerly known as LogDNA, supports SSO using the OAuth and SAML protocols. In this guide, we’ll explain how these protocols work in Mezmo, and walk you through the process of setting them up.
What is OAuth?
Strictly speaking, OAuth isn’t a true authentication protocol. It was originally intended for authorization—that is, allowing users to grant applications access to specific account details or resources. For example, Mezmo's GitHub integration uses OAuth to access specific GitHub APIs, such as push and pull events. The result is that Mezmo can perform only a limited subset of actions
—for example, we can’t change your profile information or delete a repository
—but we never see your GitHub password in the process.
Since OAuth permissions are tied to a specific account, providers like Google and Heroku have also started to use OAuth for authentication as well as authorization. The benefit is that these platforms are already in place. In the case of Mezmo, logging in via your Heroku account is as simple as clicking a button, providing your username and password to Heroku, and clicking another button to grant Mezmo access to certain details in your Heroku account. It’s simple, seamless, and requires practically no setup.
What is SAML?
Security Assertion Markup Language (SAML) is a protocol for authenticating users through a central authentication service. Unlike OAuth, SAML was designed for both authentication and authorization. It can not only verify a user’s identity, but it can also grant or restrict access to certain resources.
A SAML interaction involves three parties:
- The user
- The identity provider (or IdP), which is the system that authenticates the user
- The service provider (or SP), which is the application requesting authentication (i.e. Mezmo)
When a user attempts to log into the SP, the SP verifies their identity with the IdP. The IdP responds to the SP with an assertion that verifies the user, the IdP, and whether the user should be given access to the SP. The user will need to log in to the IdP if they haven’t already, but as with OAuth, the SP never sees the user’s credentials.
Because it supports both authentication and authorization, SAML is the more popular choice among large teams and enterprises. However, it’s more complicated to set up, since you must configure each SP to connect to your IdP. SSO providers such as OneLogin, Okta, Bitium, and AuthDigital make this process easier by integrating with many different SPs, and many SPs (including Mezmo) provide interfaces that streamline the setup process.
Setting up OAuth SSO in Mezmo
When using OAuth in Mezmo, most of the hard work is already done for you. You just need to select your OAuth provider from the sign-in page, log in to your provider account, and grant Mezmo access.
Using Okta to Sign Up for Mezmo with a GitHub Account
After you have authorized Mezmo, you will be signed into Mezmo using your OAuth provider account. Note that if you already created a LogDNA account using the sign up page, this process will create a completely separate account.
To make sure other members of your team can join your organization using OAuth, open the Mezmo web app and navigate to Settings > Team > Settings. Make sure “Other OAuth Sign-In” is checked, otherwise members will need to sign in using an account created through Mezmo.
Setting up SAML SSO in Mezmo
Setting up SAML in Mezmo is a more involved process. Before you begin, you will need to sign in to a LogDNA account that was created using either the sign up page or by signing in via OAuth. You can continue to sign into this account after enabling SAML, but we recommend limiting this account to administrative actions and signing in over SAML instead.
Once you are signed into Mezmo, contact us so we can enable SAML for your organization.
Configuring Your Identity Provider
The process of your IdP will vary depending on who your SSO provider is. As an example, we’ll use Okta.
Start by signing into your local Mezmo account and navigate to Settings > Team >Settings. Scroll down to the SAML Configuration section. Here you will find your single sign-on URL (also known as the Assertion Consumer Service, or ACS). Keep this window open, since you will need this when configuring Okta.
In a separate window, sign in to your Okta account and select Applications > Add Application > Create New App. Select Web in the Platform drop-down and SAML 2.0 as the sign on method. On the next screen, enter a name for the app (e.g. “LogDNA”) and click Next. The Configure SAML screen is where you will add your single sign-on URL from Mezmo.
In addition, you will need to add an Audience URI (or SP Entity ID). This is simply logdna-saml/<your logdna="" account="" id="">. You can find your account ID in your browser’s URL bar immediately after the LogDNA domain. For example, when viewing the Manage Team screen, the URL bar will show </your>https://app.mezmo.com/<accountid>/manage/team.</accountid>
Copy these URLs to the appropriate fields in your Okta window. In addition, change the Name ID format to EmailAddress and the application username to Email.
Click Next to continue to the Feedback screen. Select “I’m an Okta customer adding an internal app” and click Finish. Okta will redirect you to the application detail screen. Click the Sign On tab and click the link to download the Identity Provider metadata. Save this XML file to your workstation, since you will need to upload it to Mezmo to finish the integration process.
Return to the Mezmo web app and upload the XML file that you downloaded from Okta. Mezmo will automatically configure itself to use Okta for authentication. Click Save Config to save your settings, and that’s it! You can now sign into Mezmo using your Okta account.
If you want to allow other members of your team to log in using SSO, scroll to the Discoverability section of the SAML configuration screen and toggle the Join feature. You can restrict logins to your SSO account by unchecking Local Sign-In and Other OAuth Sign-in. This prevents users from signing in using an account created through Mezmo or from an OAuth provider like GitHub.