m3ter Single Sign-On
The m3ter Single Sign-On (SSO) allows users with federated identities that exist in different Identity Providers (IdPs) to sign into m3ter without having to manually provision new users/identities in m3ter's user pool.
m3ter SSO supports SAML based Identity Providers (IdPs). The SAML 2.0 standard offers an XML-based protocol for the exchange of user security information, such as authentication and authorization details, between an identity provider and service provider. In this way, SAML enables the implementation of web-based SSO across security domains.
To implement SSO, two main steps are required:
Set up your external SAML based Identity Provider application.
Request m3ter Support to create an Identity Provider in m3ter for you.
When SSO has been implemented for your chosen SAML-based IdP, you might have to check how your users will be provisioned.
This topic explains how SSO is implemented in m3ter for your chosen IdP and how to authenticate and log into the m3ter Console when your corporate federated identity has been set up:
Coming Soon! Support for Google SSO is coming soon.
Setting Up an External Identity Provider
Here are the settings you'll need when setting up your external IdP.
SSO URL/Endpoint
This is the Single Sign-On URL/Endpoint where the m3ter application receives the SAML assertion:
https://m3ter.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Audience URI
This is the Entity ID of the m3ter application:
urn:amazon:cognito:sp:us-east-1_90JBvIFUw
Attributes Mappings
The following table gives the mappings between the identity attributes used in the external provider and the ones used by m3ter that must be also configured:
| External IdP Attribute | m3ter Attribute |
|---|---|
| <> | name* |
| <> | email* |
| <> | firstName |
| <> | lastName |
| <> | groups |
Notes:
* means mapping is mandatory.
For
groupsmapping values, use comma-separated format. For example:m3ter-staging-admin, m3ter-prod-read-only
Setting Up an Identity Provider in m3ter
An Identity Provider can be created in m3ter for a single m3ter Organization or for all of the m3ter Organizations you use:
Note: This second step will be done for you by m3ter Support.
Required IdP Details: In order for us to create an Identity Provider for you, please provide the following details:
name- Unique name of IdP.metadataUrl- URL for downloading the SAML metadata.identifiers- Globally unique values of IdP domains. Used to redirect users to corresponding external IdP login page.target- We currently support one IdP per Organization or Customer. Used to set the Organization or Customer:id-OrgIdorCustomerIdtype- One ofORGANIZATIONorCUSTOMER
groupMappings- Used to map groups in the external IdP to regular User Groups in m3ter. Ensures that SSO users belonging to groups in the IdP will be added to corresponding User Groups in m3ter, and inherit the Permission Policies assigned to those m3ter User Groups.
User Provisioning for SSO
Depending on how and when your IdP set up for m3ter SSO was implemented and other factors, such as the possibility of pre-existing m3ter users, you might have to check to ensure your users are properly provisioned for SSO inclusion and have the correct permissions assigned to them. Here are some explanatory notes and recommendations to help with this:
Pre-existing Users. If the user with the given email already exists as a m3ter user, then the federated identity will be attached to the existing user’s profile and the identity will have access to the same Organizations with the same permissions as before and will be allowed to login with both the m3ter credentials or using the external identity provider.
New Users - Provisioning. If the user with the given email does not already exists as a m3ter user, then one of two cases:
IdP was set up for a single Organization. The provisioning process will create a m3ter
Userand anOrgUserhaving no actual permissions for the configured Organization.IdP was set up for a Customer. The provisioning process will create a m3ter
Userand multipleOrgUsershaving no actual permissions for the Organizations belonging to the configured Customer.
New Users - Permissions. As per the previous bullet point, the
OrgUsernow exists in the proper Organizations but can’t do anything because they lack permissions. There are two ways in which you can attach the required Permission Policies to them:Directly. Attach the relevant Permission Policies to the
OrgUser.Via
groupMappings. Ask m3ter Support to set upgroupMappingsat the IdP level so theOrgUseris automatically added to the corresponding m3ter User Groups at each login, hence inheriting the Permission Policies attached to the User Groups they then belong to in the Organization.
Using SSO to Sign Into the m3ter Console
When your corporate federated identity has been set up for SSO, you can use it to authenticate and sign into the m3ter Console.
To authenticate with the platform:
1. Open your browser and enter the URL for the m3ter environment. The m3ter Sign in to your account appears. The default presentation is for User/Password authentication:
2. Instead, select Corporate ID. The sign in adjusts for SSO and Sign in with your corporate ID shows:
3. Enter your federated SSO corporate Email Address to authenticate and gain access to the Console:
If your account has been set up for access to a single Organization, you are taken directly to the m3ter Console Dashboard for the Organization.
If your account had been set up for access to more than one Organization, a Select Organization page opens. Select the Organization you want to access. The meter Console Dashboard for the selected Organization opens.
Important! When you log in to the m3ter platform for the first time, please review our Terms of Service straightaway to ensure you accept them. To review these terms, click the Documentation link at the bottom of the Console's main navigation, and then select Legal.
Next: Service Authentication
Additional Support
Login to the Support portal for additional help and to send questions to our Support team.