Single Sign On (SSO)

  • 3 minute(s) read
Prev Next

Setting up SSO for Maverics enables you and other users invited to your account to log into Maverics using the Enterprise SSO option. Once SSO has been set up for your account, new users must be invited to the account by the owner.

Additionally, users within the same email domain (for example, user1@yourdomain.io and user2@yourdomain.io) must sign into Maverics using the Enterprise SSO login button. If they attempt to log in using other social sign-in methods, they will encounter a warning to sign in with Enterprise SSO.

Prerequisites

  • You must be the owner of your account.

  • Configure OIDC: You must have administrative access to your identity provider.

    • IDP must return email, given_name, and family_name claims

    • Users are assigned to the app in your IDP

  • Verify Domains: You must have administrative access to the DNS settings of your domain.

Configure OIDC connection

Maverics Console supports an OIDC connection with any identity provider.

Your provider must return the email, given_name and family_name claims.

Steps:

  1. Click your email address in the upper right corner of the screen and click Accounts.

  2. Click the account name you'd like to edit.

  3. Click the Single Sign On Settings button.

  4. Provide the following information:

    • Issuer URL: the URL of your identity provider.

      • Okta: https://<your-okta-tenant>.okta.com/oauth2/default

      • Entra: https://login.microsoftonline.com/<your-tenant-ID>/v2.0

    • Client ID: the client ID of the application you set up in your identity provider

    • Client Secret: the client secret of the application set up in your identity provider

  5. Click Save.

  6. Copy the Redirect URI that populates, and enter it in the settings of your identity provider.

  7. Proceed to the Domains tab and see the instructions below.

IDP Specific Guides

Verify Domains

In the Single Sign On Settings window, the Domains tab lists all domains you've configured with verification and status indicators.

  1. In the Domains tab, enter your domain name in the text box and click the plus (+) sign.

  2. Copy the name/host/alias that populates. Add this value to the DNS settings of your domain.

  3. In the DNS settings of your domain, add a new TXT record. Copy the value from Maverics and paste this into your DNS settings.

  4. Click Save.

  5. Maverics will attempt verification with your DNS every 30 seconds, however domain verification may take up to 48 hours.

Enable Domains

  1. Once the domain has been validated, it will appear in the Domains list with a toggle switch. After validation, the domain is disabled by default. You must enable SSO for a domain by toggling the switch to the On position.

  2. You can disable SSO for the domain by toggling the switch back to the Off position. Use this feature with caution.

When a domain is enabled in SSO, users within the same email domain (for example, user1@yourdomain.io and user2@yourdomain.io) must sign into Maverics using the Enterprise SSO login button. If they attempt to log in using other social sign-in methods, they will encounter a warning to sign in with Enterprise SSO.

If a domain is disabled, users who have already accessed Maverics with Enterprise SSO will be prompted to log in with another social sign-in method.

You can also delete a domain using the trash can icon; however, if you want to use this domain again in the future, you will need to re-enter the details and re-verify the domain.

Troubleshooting

Q: What do I do if my domain does not validate?

If your domain does not validate double check the values. The name must be _strata, record type is TXT, and the value must be copied correctly into your DNS

Q: What do I do if I see a sign in error?

If you see the error “Internal error during authentication flow,” this is likely an issue with your SSO setup.

Issuer URL - For the issuer URL field in the Maverics SSO setup, verify that you input the issuer url and not the well-known URL for the registered app.

  • Issuer URL: the URL of your identity provider.

    • Okta: https://<your-okta-tenant>.okta.com/oauth2/default

    • Entra: https://login.microsoftonline.com/<your-tenant-ID>/v2.0

Missing Claims - Verify that your identity provider is sending correct claims in the response — email, given_name, family_name.

User app permissions - In your IDP, verify that the users have permission to use the app in your IDP

Missing user claims - In your IDP, verify that the users profiles record includes all of the required claims. — email, given_name, family_name.

Related articles