This is a premium product add-on and must be purchased and configured through your Account Manager.
The MANTL Console supports Single Sign-On (SSO) via the OpenId Connect (OIDC) protocol.
Financial institutions that use an authorization server or service to manage the digital identities of their employees can integrate it with the MANTL Console.
This feature makes it faster for employees to adopt and log in to MANTL, while reducing manual account work for your IT admins.
Official OpenID Connect website.
Considerations for Using SSO
- SSO is enabled at the tenant level.
  - When SSO is enabled, none of your users will be able to log in using an email and password.
- MANTL's UAT and Production environments are independent.
  - SSO can be enabled in each environment at a separate time, and the two environments will always act as two different Service Providers to your Authorization Server.
- The MANTL Console does not support just-in-time user provisioning within SSO.
  - The user must already exist in our system before they can log in.
  - For automated user provisioning, refer to User Provisioning via SCIM.
Integration
The remainder of this article dives into the technical aspects of our OIDC implementation to allow for development of custom integrations. If your Identity Provider is Azure AD or Okta, please refer to the specific integration articles for those providers instead:
Before getting started, your Customer Support Manager (CSM) will provide you with an SSO namespace for your tenant. This value is used within the URLs you'll need to configure your Identity Provider (IdP).
- Initiate URL
  - https://console.mantl.com/auth/login/sso/{namespace}
  - https://console.uat.mantl.com/auth/login/sso/{namespace}
- Redirect URL
  - https://console.mantl.com/auth/login/sso/{namespace}/callback
  - https://console.uat.mantl.com/auth/login/sso/{namespace}/callback
- Sign-out redirect URL
  - This value is static for all tenants
  - https://console.mantl.com/auth/logout
  - https://console.uat.mantl.com/auth/logout
Once your IdP is configured, you'll need to send some information back to your CSM before SSO can be enabled for your tenant.
- OAuth Client ID and Secret
  - Because the client secret is sensitive information, do not email it to anyone.
  - Please send these values to your CSM via your preferred secure messaging system.
- The Identity Provider's connection configuration
  - OIDC Discovery is the preferred mechanism to configure the Provider.
  - It means MANTL only needs to acquire a single URL from you. It also allows the IdP to make changes (e.g. update endpoints or supported algorithms) without MANTL needing to change our configuration.
  - Usually, this URL ends with `/.well-known/openid-configuration`.
  - If your IdP does not support Discovery, then we need several values that make up the Issuer's metadata. Which values are required varies across IdPs and is out of scope for this article.
- Claim name that identifies the user
  - MANTL will use the OIDC authorization code flow, which includes calling the `token` endpoint on the IdP, to get information about the user attempting to log in. We need to know which attribute key (claim) should be used to uniquely identify the user within your tenant.
- Additional Authorization parameters [Optional]
  - Your IdP may require additions to the parameters provided to the authorization endpoint.
  - Common examples would be needing the `scope` to vary from the default value of "openid", or including `acr_values`.
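The items above (Discovery document, callback URL, identifying claim, extra authorization parameters) are the pieces a Service Provider consumes during the authorization code flow. The following is an added example written for this article, not MANTL's own implementation: it loads and sanity-checks a constructed Discovery document, builds the authorization request with tenant-specific additions such as `scope` and `acr_values`, validates the redirect back to the callback URL, and then selects the configured claim from the ID token. `idp.example.com`, the `client_id` placeholder and all sample values are constructed; the ID token's signature is assumed to have already been verified against the IdP's `jwks_uri` before its claims reach `resolve_user_identifier()`.

```python
"""Relying-party side of the OIDC authorization code flow (added example).

Not MANTL's code. idp.example.com, CLIENT_ID and the sample claims are
constructed. Signature verification of the ID token against jwks_uri is
assumed to happen before resolve_user_identifier() is called.
"""
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
CLIENT_ID = "example-client-id"  # placeholder; the real value is shared with your CSM
# Redirect URL pattern from this article; {namespace} is supplied by your CSM
REDIRECT_URL = "https://console.mantl.com/auth/login/sso/{namespace}/callback"

# Constructed sample of a Discovery document served at
# https://idp.example.com/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "id_token_signing_alg_values_supported")


def load_discovery(discovery_url: str, body: str) -> Dict:
    """Parse a Discovery document and reject anything a relying party must not trust."""
    doc = json.loads(body)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    # The issuer must equal the Discovery URL with the well-known suffix removed
    if not discovery_url.endswith(WELL_KNOWN) or \
            doc["issuer"].rstrip("/") != discovery_url[:-len(WELL_KNOWN)].rstrip("/"):
        raise ValueError(f"issuer {doc['issuer']!r} does not match {discovery_url}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must be https")
    if "code" not in doc["response_types_supported"]:
        raise ValueError("IdP does not advertise the authorization code flow")
    if "none" in doc["id_token_signing_alg_values_supported"]:
        raise ValueError("IdP advertises unsigned ID tokens (alg=none)")
    return doc


def build_authorization_request(doc: Dict, namespace: str,
                                extra_params: Optional[Dict[str, str]] = None,
                                state: Optional[str] = None,
                                nonce: Optional[str] = None) -> Tuple[str, Dict]:
    """Return (authorization URL, per-login values that the callback must match)."""
    state = state or secrets.token_urlsafe(24)  # ties the callback to this browser session
    nonce = nonce or secrets.token_urlsafe(24)  # ties the ID token to this request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URL.format(namespace=namespace),
        "scope": "openid",  # default; a tenant may override it via extra_params
        "state": state,
        "nonce": nonce,
    }
    params.update(extra_params or {})  # e.g. {"scope": "openid email", "acr_values": "..."}
    return f"{doc['authorization_endpoint']}?{urlencode(params)}", {"state": state, "nonce": nonce}


def parse_callback(callback_url: str, session: Dict) -> str:
    """Validate the redirect to the callback URL and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"IdP returned error {query['error'][0]!r}")
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: not the login this session started")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def resolve_user_identifier(claims: Dict, claim_name: str, doc: Dict,
                            session: Dict, now: Optional[int] = None) -> str:
    """Check the standard ID-token claims, then return the value that identifies the user.
    `claims` must come from an ID token already verified against doc["jwks_uri"]."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("ID token issuer does not match the Discovery issuer")
    if CLIENT_ID not in aud:
        raise ValueError("ID token was not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token is not bound to this login")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token has expired")
    value = claims.get(claim_name)
    if not value:
        raise ValueError(f"ID token carries no {claim_name!r} claim; user cannot be matched")
    return value
```

The order of checks mirrors the order of trust: the Discovery document is validated once at configuration time, every login binds `state` and `nonce` to one browser session, and only after the issuer, audience, nonce and expiry checks pass is the tenant's chosen claim read. A missing claim is treated as a failed login rather than a fallback to another attribute, which is what "the user must already exist in our system" implies for matching.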