Overview
Enterprise Single Sign-On (SSO) allows your organization to integrate mixus with your existing identity management system, enabling users to sign in with their corporate credentials. This streamlines access, improves security, and provides centralized control over user authentication. SSO eliminates password fatigue, reduces security risks, and gives IT administrators complete control over user access to mixus within your organization.
How SSO Works
Authentication Flow
- User Access: User attempts to access mixus
- Redirect: System redirects to your organization’s identity provider
- Authentication: User signs in with corporate credentials
- Token Exchange: Identity provider sends authentication token to mixus
- Access Granted: User is automatically signed into mixus
Security Benefits
- Centralized Control: Manage all user access from your identity provider
- Enhanced Security: Leverage your organization’s security policies
- Reduced Attack Surface: Fewer passwords to manage and protect
- Audit Trail: Complete visibility into user access patterns
Supported SSO Standards
🔐 SAML 2.0
Security Assertion Markup Language
- Industry-standard for enterprise authentication
- Supports complex attribute mapping
- Works with most enterprise identity providers
- Comprehensive security features
- Encrypted assertions for enhanced security
- Digital signatures for authentication integrity
- Flexible attribute mapping
- Support for group-based provisioning
🔑 OpenID Connect (OIDC)
Modern OAuth 2.0-based Authentication
- Simpler configuration than SAML
- JSON-based tokens for easy integration
- Built on proven OAuth 2.0 foundation
- Excellent for cloud-native environments
- Streamlined setup process
- Better mobile and API integration
- Standard claims for user information
- Automatic token refresh capabilities
Supported Identity Providers
Popular Enterprise Providers
Microsoft Platforms
- Azure Active Directory (Azure AD)
- Microsoft Entra ID
- Active Directory Federation Services (ADFS)
- Office 365 / Microsoft 365
- Okta
- Auth0
- Ping Identity
- ForgeRock
- OneLogin
- Google Cloud Identity
- Google Workspace SSO
- Chrome Enterprise SSO
- AWS Cognito
- Oracle Identity Cloud Service
- IBM Security Verify
- Custom SAML/OIDC providers
Provider-Specific Features
Each provider offers unique capabilities:
- Conditional Access: Location and device-based policies
- Multi-Factor Authentication: Inherit your organization’s MFA requirements
- Group Synchronization: Automatic role assignment based on directory groups
- Just-in-Time Provisioning: Create user accounts automatically
Setting Up SSO
Prerequisites
Organization Requirements
- mixus Business or Enterprise plan
- Administrator access to your identity provider
- Valid SSL certificate for your identity provider
- Network connectivity between your IdP and mixus
- SSO login URL from your identity provider
- Entity ID or Issuer information
- Public certificate for signature verification
- User attribute mappings
Configuration Steps
1. Identity Provider Setup
For SAML Providers:
- Create new SAML application in your IdP
- Configure the following URLs:
  - ACS URL: https://app.mixus.ai/sso/saml/callback
  - Entity ID: https://app.mixus.ai
  - Sign-On URL: https://app.mixus.ai/sso/saml/login
- Set up attribute mappings:
  - Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  - Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
For OIDC Providers:
- Register new OIDC client application
- Configure redirect URI: https://app.mixus.ai/sso/oidc/callback
- Set scopes: openid profile email
- Note client ID and client secret
2. mixus Configuration (by request)
SSO is configured by the mixus team via our administrative console. It is not self‑serve yet. Please email security@mixus.ai with your IdP details, and we will:
- Register your SAML/OIDC connection
- Exchange metadata/certificates and complete mappings
- Validate and activate SSO for your organization
3. User Provisioning
Automatic Provisioning
- Users are created automatically on first sign-in
- User information populated from identity provider
- Group memberships synchronized from directory
- Pre-create user accounts in mixus
- Link accounts using email address matching
- Import users via CSV or API integration
Advanced Features
🔄 Just-in-Time (JIT) Provisioning
Automatic User Creation
- New users created automatically on first SSO login
- User attributes populated from identity provider
- Group assignments based on directory membership
- Reduces administrative overhead
👥 Group Synchronization
Directory Integration
- Sync organization roles from identity provider groups
- Automatic permission assignment based on group membership
- Regular synchronization to maintain current access
- Support for nested group structures
🎨 Custom Branding
Seamless User Experience
- Custom domain for SSO endpoints
- Organization branding on sign-in pages
- Consistent visual experience
- White-label authentication flow
📊 Session Management
Enterprise Session Controls
- Inherit session timeout from identity provider
- Single logout (SLO) support
- Concurrent session management
- Device-based session controls
Security Considerations
Best Practices
Certificate Management
- Use strong certificates with proper key length
- Regular certificate rotation (annually recommended)
- Secure certificate storage and backup
- Monitor certificate expiration dates
Network Security
- Use HTTPS for all SSO communications
- Implement proper firewall rules
- Consider network segmentation for identity services
- Monitor network traffic for anomalies
Access Controls
- Implement principle of least privilege
- Regular access reviews and audits
- Conditional access policies where possible
- Multi-factor authentication requirements
Compliance Features
Audit and Monitoring
- Complete audit trail of all SSO authentications
- Integration with SIEM systems
- User access reporting
- Failed authentication monitoring
- Minimal data transfer between systems
- Encryption of all transmitted data
- GDPR-compliant data handling
- User consent management
Troubleshooting
Common Issues
SAML Configuration Problems
- Verify certificate validity and proper installation
- Check attribute mappings match between systems
- Ensure clock synchronization between servers
- Validate XML formatting in SAML responses
- Verify client ID and secret are correct
- Check redirect URI configuration
- Ensure proper scope configuration
- Validate token signature and expiration
- Check attribute mappings for user information
- Verify group synchronization settings
- Ensure email addresses match between systems
- Review user creation policies
Getting Support
Technical Support
- Email: support@mixus.com
- Include detailed error messages and logs
- Provide SSO configuration screenshots
- Share test user account information
- Provider-specific setup guides
- Video tutorials for common configurations
- Best practices and security guidelines
- Sample configuration files
Limitations
Current Limitations
- Custom identity providers require SAML or OIDC compliance
- Some advanced IdP features may not be supported
- Group synchronization frequency limited to hourly updates
- Custom attribute mappings may require enterprise support
Enterprise Features
- Advanced conditional access policies
- Custom user provisioning workflows
- Integration with identity governance systems
- Dedicated SSO support and configuration assistance
Migration and Rollback
Migration Planning
- Phase 1: Coordinate with mixus to configure SSO alongside existing authentication
- Phase 2: Test with pilot group of users
- Phase 3: Gradually migrate all users to SSO
- Phase 4: Disable legacy authentication methods
Rollback Procedures
- Keep existing authentication methods active during transition
- Maintain emergency administrator access
- Document rollback procedures before implementation
- Test rollback procedures in non-production environment
Related Features
- Authentication Methods - Primary sign-in options
- Multi-Factor Authentication - Additional security layers
- Security Overview - Complete security features
- Organization Management - Organization administration
Enterprise SSO provides the security, control, and convenience your organization needs. Contact our SSO specialists to get started with your integration today.