Contact your Account Manager if you are interested in SSO.
The MANTL Console supports Single Sign-On (SSO) via the OpenID Connect (OIDC) protocol.
Financial institutions that use Duo to manage the digital identities of their employees can easily integrate the MANTL Console as an application in Duo.
This feature makes it faster for employees to adopt and log in to MANTL, while reducing whirlwind work for your IT admins.
Prerequisites
- Enabling SSO on your account will affect all your users immediately in that environment.
- When SSO is enabled, none of your users will be able to log into the MANTL Console with an email address and password, and any previous MFA settings will be ignored.
- Users that attempt to log in with an email address will be seamlessly redirected through Duo.
- Most financial institutions will add a MANTL app in their Duo account twice, once each for UAT and Production environments.
- As part of adding the application in Duo for your organization, you and your Customer Success or Implementation Manager will exchange a few pieces of information.
- They will provide you with two URLs:
  - Sign-In Redirect URL, e.g., https://console.uat.mantl.com/auth/login/sso/best-bank/callback
  - Login URL, e.g., https://console.uat.mantl.com/auth/login/sso/best-bank
- They will also provide an access token at this time, if you'll be auto-provisioning.
- You'll send your MANTL contact:
  - The email address domain(s) your users may attempt to log in with.
  - A client ID, secret, and a URL from the Duo application.
Users must be provisioned in MANTL before they can log in. Assuming you're planning on using Duo to automatically provision users as well, it's recommended to have the desired groups in Duo already set up with users before proceeding with this document, and to plan on enabling provisioning at the same time.
Supported Features
- Service Provider Initiated Authentication Flow
  - Users can log in to MANTL using Duo by navigating to the MANTL Console and providing their email address.
  - Instead of typing in their email every time they log in, users can streamline the process by bookmarking the login URL you'll be provided.
- Identity Provider Initiated Authentication Flow
  - Users can log into MANTL using Duo Central.
Configuration Steps
- You must be an administrator in your Duo account.
- Navigate to the Manage Applications page (Left menu, Applications > Applications), and click the "Add Application" button.
- Search for "generic oidc" and click the "Add" button for the "Generic OIDC Relying Party" tile.
- Rename the application "MANTL" or "MANTL UAT", as appropriate.
- User access should be configured suitably for your organization. "Enable only for permitted groups" is considered best practice.
- From the Metadata section, copy the Client ID, Client Secret, and Discovery URL.
- Send these three values to your MANTL contact. Do not send these values through unencrypted email, Slack, Zendesk, or video conferencing chats.
- In the Relying Party section, set the Sign-In Redirect URLs to the one provided by your contact.
- Use the one ending in "/callback"
- In the OIDC Response section, check the "profile" option and then click the "+ Add Claim" button.
  - Set the IdP attribute to "<Username>" and the claim to "username".
- Other options in the Policy and Settings sections can be updated as appropriate for your organization, but no other changes are required for MANTL.
- Click the Save button at the bottom of the page.
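The values exchanged above (the two URLs from your MANTL contact, the Client ID and Discovery URL from Duo's Metadata section, the "profile" scope and the "username" claim mapping) are easy to get subtly wrong, and a wrong redirect URL or claim name only shows up as a failed login. The following script is an added example, not MANTL's or Duo's code, that performs offline sanity checks on those values. Every URL, client ID, discovery document and ID-token payload in it is a constructed placeholder; in real use you would substitute the values you were given and fetch the discovery document from the Discovery URL with an HTTP GET.

```python
# Added example (not MANTL's or Duo's code): offline sanity checks for the
# values exchanged during the OIDC relying-party setup described above.
# Every URL, ID and claim value below is a constructed placeholder.
from urllib.parse import urlparse

# Standard OpenID Connect Discovery fields every provider must publish.
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint",
                           "token_endpoint", "jwks_uri")

# Constructed stand-ins for the values your MANTL contact provides.
LOGIN_URL = "https://console.uat.example.com/auth/login/sso/best-bank"
REDIRECT_URL = LOGIN_URL + "/callback"
ALLOWED_DOMAINS = ("best-bank.example",)   # domains you send to MANTL

# Constructed stand-in for the Client ID from Duo's Metadata section.
CLIENT_ID = "EXAMPLE_CLIENT_ID"

# Constructed stand-in for what the Discovery URL returns.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/oidc",
    "authorization_endpoint": "https://idp.example.com/oidc/authorize",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "jwks_uri": "https://idp.example.com/oidc/jwks",
    "scopes_supported": ["openid", "profile", "email"],
}

# Constructed stand-in for a decoded ID-token payload after the
# "+ Add Claim" mapping (<Username> -> username) has been applied.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com/oidc",
    "aud": "EXAMPLE_CLIENT_ID",
    "email": "jane.doe@best-bank.example",
    "username": "jane.doe",
}


def check_redirect_url(redirect_url, login_url):
    """Problems with the Sign-In Redirect URL entered in the Relying Party section."""
    problems = []
    if urlparse(redirect_url).scheme != "https":
        problems.append("redirect URL must use https")
    if not redirect_url.endswith("/callback"):
        problems.append('redirect URL must be the one ending in "/callback"')
    if redirect_url != login_url + "/callback":
        problems.append("redirect URL does not match the login URL + /callback")
    return problems


def check_discovery(doc):
    """Problems with a discovery document fetched from the Discovery URL."""
    problems = [f"missing {k}" for k in REQUIRED_DISCOVERY_KEYS if k not in doc]
    for key in REQUIRED_DISCOVERY_KEYS:
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # The "profile" scope is checked in the OIDC Response section, so the
    # provider must offer it (if it advertises its scopes at all).
    if "profile" not in doc.get("scopes_supported", ["profile"]):
        problems.append('"profile" scope not advertised')
    return problems


def uses_sso(email, allowed_domains):
    """True if a login attempt with this email would be redirected through Duo."""
    local, sep, domain = email.rpartition("@")
    allowed = {d.lower() for d in allowed_domains}
    return bool(sep and local) and domain.lower() in allowed


def check_id_token_claims(claims, discovery, client_id, allowed_domains):
    """Problems with a decoded ID-token payload (signature already verified)."""
    problems = []
    if claims.get("iss") != discovery.get("issuer"):
        problems.append("issuer does not match the discovery document")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("audience is not our client ID")
    if not claims.get("username"):
        problems.append('"username" claim missing: check the IdP attribute mapping')
    if not uses_sso(claims.get("email", ""), allowed_domains):
        problems.append("email domain not in the list sent to MANTL")
    return problems


if __name__ == "__main__":
    print("redirect:", check_redirect_url(REDIRECT_URL, LOGIN_URL))
    print("discovery:", check_discovery(SAMPLE_DISCOVERY))
    print("id token:", check_id_token_claims(
        SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_DISCOVERY, CLIENT_ID, ALLOWED_DOMAINS))
```

Each check returns an empty list when the value is consistent with the setup described on this page and a list of human-readable problems otherwise; the ID-token check assumes the token's signature has already been verified against the `jwks_uri` keys, which is the relying party's job and is outside the scope of this script.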
Duo Central
- Configuring Duo Central for your users is optional, but recommended for organizations with users who have access to this feature.
- Navigate to Duo Central configuration (Left menu, Applications > Duo Central), and click the "Add Tile" button.
- Select Application Tile.
- Select the MANTL application you just created. For the Login URL, use the other URL provided (without "/callback").
- After clicking the "Add tile" button, click the "edit" button for the new tile.
- Download and set the tile logo, then click "Save".
If you plan on