MachineMetrics supports Single Sign-On (SSO) through OpenID Connect (OIDC), an identity layer built on OAuth 2.0. SAML is not supported at this time.
Key Features of SSO with MachineMetrics:
- Improved Security and Convenience: Users log in using their company’s identity provider (e.g., Azure AD), eliminating the need for separate passwords.
- No Passwords After Setup: Once SSO is enabled for a company, existing passwords or Google OAuth logins will no longer work. If SSO is later disabled, previous login methods will resume.
Logging in with SSO
Once SSO is configured, users must exclusively use the Log In with SSO option on the login page. The Log In with Google or password-based options will no longer succeed for these users.
Login Process:
- Select "Log In with SSO" on the MachineMetrics login page.
- Enter your email address: on the next screen, enter your email so MachineMetrics can identify your company and redirect you to the appropriate SSO provider.
- Authenticate with your provider:
  - If your email matches a company account and the SSO configuration is correct, you’ll be redirected to your identity provider to log in.
  - If you already have an active session with your identity provider, you may be sent straight into the MachineMetrics app without logging in again.
Configuring SSO for Your Company
Once enabled, designated users with the IT Admin role can configure SSO for the company via the Single Sign-On menu in the Settings section.
Setting Up a New SSO Provider:
- Navigate to Settings → Single Sign-On.
- On the setup page, fill in the following fields:
  - SSO Provider Name: a user-friendly name for your provider (useful if you manage multiple companies).
  - Issuer (Authority URL): the URL that uniquely identifies the provider. This is also where the provider's OIDC discovery document is found, at <issuer>/.well-known/openid-configuration, so it must exactly match the issuer value the provider places in its tokens.
  - Client ID and Client Secret: credentials generated when you register MachineMetrics as an application with your provider. MachineMetrics uses them to authenticate its requests to the provider.
  Note: The Client Secret is not shown again after saving. Store it in a password manager or secrets vault, and record its expiry date if your provider sets one (see the recovery process below for what happens when it lapses).
- Click Create Provider to save your configuration.
Choosing an Existing Provider:
For companies managing multiple entities, it’s possible to reuse an existing SSO configuration. If an IT Admin manages multiple companies, they’ll have the option to:
- Select an Existing Provider: Reuse a configuration.
- Create a New Provider: Start from scratch.
Updating or Disconnecting a Provider:
- Update Configuration: Any changes to the provider will affect all companies using that provider. Be cautious when updating shared providers.
- Disconnect Provider: This will revert your company to using passwords or Google OAuth. If no other companies use the provider, it will be deleted.
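The fields above are easy to get subtly wrong (a trailing slash on the Issuer, a v1.0 Entra authority, a provider that does not advertise the email scope), and a bad entry locks everyone out. The following pre-flight check is an added example written for this page, not MachineMetrics code: it assumes you have fetched the provider's discovery document yourself (for example with curl against the URL that discovery_url() prints) and pasted it in, and the issuer and document below are constructed samples with a fictitious tenant id. It applies the Entra /v2.0 rule from the provider notes further down as one of its checks.

```python
"""Pre-flight checks for an OIDC provider entry before saving it.

Added example, not MachineMetrics code. The discovery document is a
constructed sample (fake tenant id); in practice paste in the JSON served at
discovery_url(issuer).
"""
import json
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes MachineMetrics needs
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: Entra-style issuer and discovery document, fake tenant id.
SAMPLE_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")


def discovery_url(issuer: str) -> str:
    """Where the OIDC discovery document lives for a given Issuer (Authority) URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(issuer: str) -> list:
    """Static checks on the Issuer URL that catch the common copy-paste mistakes."""
    problems = []
    u = urlparse(issuer)
    if u.scheme != "https":
        problems.append("issuer must use https")
    if u.query or u.fragment:
        problems.append("issuer must not contain a query string or fragment")
    if issuer.endswith("/"):
        problems.append("issuer should not end with a trailing slash")
    # Entra (Azure AD): the authority must be the v2.0 endpoint (see provider notes).
    if u.hostname == "login.microsoftonline.com" and not u.path.endswith("/v2.0"):
        problems.append("Entra issuer must end with /v2.0")
    return problems


def check_discovery(issuer: str, doc: dict) -> list:
    """Compare the configured Issuer with what the provider actually advertises."""
    problems = []
    # OIDC Discovery requires the advertised 'issuer' to match the configured one exactly.
    if doc.get("issuer") != issuer:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != configured {issuer!r}")
    for name in REQUIRED_ENDPOINTS:
        if not str(doc.get(name, "")).startswith("https://"):
            problems.append(f"{name} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    # scopes_supported is optional in the spec, so only check it when present.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        missing = REQUIRED_SCOPES - set(advertised)
        if missing:
            problems.append("required scopes not advertised: " + ", ".join(sorted(missing)))
    # OIDC Core requires every provider to support RS256 for ID token signatures.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not advertise RS256 ID token signing")
    return problems


def validate_provider(issuer: str, doc: dict) -> list:
    """All problems found; an empty list means the entry is safe to save."""
    return check_issuer(issuer) + check_discovery(issuer, doc)


if __name__ == "__main__":
    print("fetch:", discovery_url(SAMPLE_ISSUER))
    print("problems:", validate_provider(SAMPLE_ISSUER, SAMPLE_DISCOVERY) or "none")
```

Run it with your real Issuer and discovery JSON before clicking Create Provider; any non-empty problem list is worth fixing first, and the exact-match issuer check is the one that most often catches a v1.0 versus v2.0 Entra authority.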
OpenID Connect Requirements
MachineMetrics requests the following scopes from your provider, so the application registration must allow them:
- openid
- email
- profile
Specific Provider Notes: Microsoft Entra (Azure AD)
- Token Configuration: in the app registration's Token configuration, add the following optional claims to the ID token:
  - email
  - family_name
  - given_name
  - upn
  - verified_primary_email
  If the email claim is absent from the ID token, MachineMetrics uses upn as a fallback.
- Issuer URL: make sure the Issuer ends with /v2.0 so that Entra issues v2.0 tokens, for example https://login.microsoftonline.com/<tenant-id>/v2.0.
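To see how the claims above turn into a user identity, here is an added example, not MachineMetrics code, of the mapping step a relying party performs once it has verified an ID token. It assumes the token's signature, nonce and audience list have already been checked against the provider's JWKS and only the decoded payload is passed in; the issuer, client id and payloads are constructed samples. It shows the documented email-to-upn fallback and reports which of the Entra claims are missing, which is the quickest way to spot an app registration whose Token configuration was not completed.

```python
"""Map a verified ID token payload to a login identity (added example, not MachineMetrics code).

Assumes signature verification already happened; the payloads are constructed samples.
"""
import time

# Claims the Entra app registration should add to the ID token.
ID_TOKEN_CLAIMS = ("email", "family_name", "given_name", "upn", "verified_primary_email")

# Constructed sample values (fake tenant id and client id).
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
WITH_EMAIL = {
    "iss": ISSUER, "aud": CLIENT_ID, "exp": 1_800_000_000,
    "email": "Jane.Doe@example.com", "upn": "jane.doe@example.com",
    "given_name": "Jane", "family_name": "Doe",
    "verified_primary_email": ["jane.doe@example.com"],
}
UPN_ONLY = {k: v for k, v in WITH_EMAIL.items() if k != "email"}  # email claim not configured


def resolve_identity(claims: dict, expected_issuer: str, client_id: str, now: float = None) -> dict:
    """Validate iss/aud/exp, then pick the login email, falling back from email to upn."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    # Documented fallback: use upn when the email claim is missing.
    email = claims.get("email") or claims.get("upn")
    if not email or "@" not in email:
        raise ValueError("token carries neither an email nor a upn claim")
    return {
        "email": email.strip().lower(),  # normalise so one person maps to one account
        "given_name": claims.get("given_name", ""),
        "family_name": claims.get("family_name", ""),
        "email_source": "email" if claims.get("email") else "upn",
        "missing_claims": [c for c in ID_TOKEN_CLAIMS if c not in claims],
    }


if __name__ == "__main__":
    for label, payload in (("with email", WITH_EMAIL), ("upn only", UPN_ONLY)):
        print(label, resolve_identity(payload, ISSUER, CLIENT_ID))
```

If missing_claims is non-empty for real tokens, the Token configuration step above was skipped or the ID token was not the one edited; an empty email and upn at the same time means the user will not be matched to a MachineMetrics account at all.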
Recovery Process for IT Admins
If the SSO setup is incorrect or the provider stops working (e.g., an expired Client Secret), all users will be locked out. IT Admins can still recover access:
- On the Log In with SSO screen, click "Trouble logging in?" below the email field.
- Enter your email. If you are an IT Admin, a temporary login link will be emailed to you.
- Use the link to log in, bypassing SSO, and update or disable the SSO provider.
Note: This recovery option is only available to IT Admin accounts. Other roles cannot use this method.
Summary of Best Practices
- Always double-check configuration details, especially the Client Secret and Issuer URL.
- Track the Client Secret's expiry date and rotate it before it lapses; an expired secret locks out every user.
- Be cautious when updating shared providers to avoid affecting multiple companies.
- Maintain backup IT Admin accounts for recovery.
For further questions, contact MachineMetrics support!