SSO (Single Sign-On) Integration

SSO integration has never been easier!

Written by Radka Franova
Updated over a week ago

Looking to integrate Mo with your existing single sign-on service provider? 🔗 Follow the steps below!

Step 1: Setting Mo up as a provider

You will be required to set 'Mo' up as a custom app with your single sign-on provider. You can add this logo to our app listing.

If required, please see the Entity ID and Consume Links. Your short name will be your company name.

Step 2: Providing us with the required Metadata

Once you have set up Mo as a provider, please provide a copy of your metadata file in XML format. This file will contain all the information we need to add you as an SSO Service provider for Mo. We will aim to review your file, complete the set-up and confirm the next steps with you within 3-5 working days of receiving your metadata.

The following data items are usually held in the metadata file and are required fields when we set up an SSO provider in Mo:

  • IDP URL: This is the URL of your login page that we send the users to

  • IDP entity ID: This is where the assertions come from and must match the issuer in the assertion

  • Name identifier format

  • Security digest method/security signature method: How the encryption of the assertion works, most commonly SHA256

  • IDP certificate: This is your public certificate that you use to encrypt your assertions. If you update this certificate at a fixed cadence, i.e. annually, we will need to receive the new certificate from you so that we can update it on our side.

  • User Attribute Mappings: The core user attributes we would require to receive are: a value that serves as the SSO UID, email, forename and surname.

    You will be required to define a unique identifier for each user that maps onto SSO UID. This is usually an employee/payroll ID that is held in your active directory and can be matched to a unique ID that we will be provided with for users in your HR data. This attribute should be entirely unique to the user and ideally remain unchanging. If you use email address for this attribute, we would require this field to be down-cased to avoid a mismatch in casing between the HR data and the active directory.

    Default mappings we have used before are the following. You can name yours in the same way, or inform us of the attributes you use so we can amend the mappings accordingly on our end (alternatively, we should be able to pull the 'names' you defined from your metadata).

Step 3: Receiving our Metadata Link

Once we have your metadata, we'll set you up as a service provider on our side, and will provide the necessary metadata and consume link to you. You can open the link as a webpage, or upload it via the service you use to pre-populate provider details if required. This will enable you to verify and finalise the set-up on your end, making sure everything matches.

The links will look like this, and the 'short name' will be relevant to your set-up specifically, usually your company name:

Step 4: Testing

Once we have successfully set up the provider, we will test the link with you by covering the following cases:

  • Log in to Mo via SP (Service Provider) initiated route - logging in via our direct URL/Application on my.mo.work

  • Log in to Mo via an IDP (Identity provider) initiated route - logging in via your internal systems if relevant i.e. by going to the Mo app from within your internal workspace or burger menu

  • Suspend your user account and ensure it doesn’t allow people to log in

If required, we're happy to hold a final debugging call between Mo and your implementation manager. Please note that we are unable to debug issues presenting on your end that result from errors in your set-up, as we don't have provider-specific expertise. However, we can review any errors we're receiving and provide guidance on what might need correction.

If your question about SSO Integration hasn't been answered, please don't hesitate to get in touch. You can do so by clicking the icon in the bottom right 😊.
