Single Sign-On

From MyWikis Help Center

Single Sign-On allows organizations to use their own central user account system to act as the authoritative source for user information, authentication, and authorization. MyWikis offers integration for all common SSO protocols and all of the top identity providers. SSO is available for our Quantum, Ultra, Corporate, and VPS plans.

Supported protocols and providers

We support all major SSO protocols, as well as some niche ones:

  • SAML
  • LDAP
  • OAuth 2.0
  • OpenID Connect (OIDC)
  • Shibboleth
  • JWTs
  • Naylor AMS

Major identity providers (IdP) for which we provide support include:

  • Okta
  • Auth0
  • Azure Active Directory (AAD)
  • Amazon Cognito
  • Google Workspace
  • JumpCloud

Adding SSO to your wiki

You can add SSO to your wiki in a few simple steps by following the instructions below.

Don't want to go through the hassle of configuring it on your end? MyWikis can take care of the end-to-end SSO setup process for you at a reasonable price. To inquire about this service, please open a ticket with our support team at mywikis.com/contact.

1. Determine eligibility

SSO is available for wikis on our Quantum, Ultra, Corporate, or VPS plans.

Not on Quantum, Ultra, Corporate, or VPS? To switch plans, please open a ticket with our billing team at mywikis.com/contact.

2. Pick the best SSO protocol

Pick the best protocol from the options available to you. Follow these steps:

  1. Do you need to assign different user groups to people based on their permissions? If so, pick the first one that you can use:
    1. JWTs
    2. LDAP*
    3. SAML*
  2. Do you have multiple options? If so, pick the first one that you can use:
    1. OpenID Connect
    2. JWTs
    3. OAuth 2.0
    4. LDAP
    5. Shibboleth
    6. Naylor AMS
    7. SAML*
  3. If you only have one valid option, pick that one.
  4. If no valid options exist, please contact our support team at mywikis.com/contact to discuss options on how to proceed, including our custom SSO integration development services.

(* = Additional setup fee will be assessed; see pricing below.)

Using an identity provider and not sure which protocols it supports? Here's our recommendation for each major provider:

  • Okta: OpenID Connect
  • Azure AD: OpenID Connect
  • Amazon Cognito: OpenID Connect
  • Google Workspace: SAML
  • JumpCloud: LDAP is preferable, otherwise SAML

3. Select a package

For personal plans, standard SSO setup is available at no additional cost. Depending on the complexity of the setup, a fee may be assessed, since some SSO protocols are easier to set up than others. For more complex configurations, a one-time fee is assessed and provides you with expert guidance and one-on-one support for configuration.

For business plans, SSO setup may require a one-time fee, but this can be waived depending on several factors, including paying annually instead of monthly. (Ask us for details.)

All of the below fees are one-time only and won't repeat. 😃

Setup fees for different SSO protocols

Fees for authentication only vs. both authentication and authorization differ because of the additional complexity associated with configuring authorization.

  • Authentication only: all users can log in as long as the SSO system has an account for them.
  • Authentication + Authorization: only some SSO users can log in to the wiki and/or SSO users are assigned different user rights/user groups based on the directory groups to which they belong.

Fee schedule (for personal plans only)

  SSO protocol     Identity provider (IdP)         Fee: authentication only   Fee: authentication + authorization
  JWT              Any                             $0                         $150 (waived for simple requests)
  OpenID Connect   Azure Active Directory (AAD)    $0                         N/A
  OpenID Connect   All other mainstream services   $25                        Ask us
  OpenID Connect   All others                      $50                        Ask us
  SAML             Google Workspace                $0                         $150 (waived for simple requests)
  SAML             All others                      $100                       $250
  OAuth 2.0        Any                             $0                         Ask us
  LDAP             Any                             $0                         $150 (waived for simple requests)
  Shibboleth       Any                             $0                         $150 (waived for simple requests)
  Naylor AMS       Naylor                          $0                         N/A
Fee schedule (for business plans)

  SSO protocol     Identity provider (IdP)         Fee: authentication only   Fee: authentication + authorization
  JWT              Any                             $200                       Ask us
  OpenID Connect   Azure Active Directory (AAD)    $100                       N/A
  OpenID Connect   All other mainstream services   $200                       Ask us
  OpenID Connect   All others                      $500                       Ask us
  SAML             Google Workspace                $200                       Ask us
  SAML             All others                      $400                       Ask us
  OAuth 2.0        Any                             $200                       Ask us
  LDAP             Any                             $200                       Ask us
  Shibboleth       Any                             $500                       Ask us
  Naylor AMS       Naylor                          $0                         N/A

All fees in USD. Fees in € and £ are 1:1 to the respective USD price. Each fee is for configuring one wiki. Bulk discounts may apply; contact our sales team for more details.

Expedited setup

For expedited SSO setup, please contact our support team (current clients) or sales team (future clients). Depending on your deadline and complexity, we will provide you a quote with appropriate pricing.

Additional fees

SSO configuration can vary widely in difficulty: some setups are very easy, others are extremely complicated. The above rates should be treated as guidelines. MyWikis reserves the right to adjust pricing to accurately reflect individual circumstances and appropriately account for labor costs.

4. Prepare for SSO setup

You will need to provide us with a test account on your SSO instance. Without a test account, we cannot finish setting up your SSO integration.

Please provide this information to us when requesting SSO configuration.

5. Configure SSO

Based on your provider and/or protocol, follow the instructions and send the information requested to us:

Azure Active Directory (AAD)

These instructions apply for both OpenID Connect and SAML. We highly recommend using OpenID Connect when possible because it's lightweight and is the less expensive option to configure.

  1. In the Azure Portal or Microsoft Entra, go to "Active Directory". On the left sidebar, under the "Manage" section, press "App registrations".
  2. On the top bar, press "New registration" and create your application.
  3. Under the application, on the left panel, press "Add new platform" and select "Web".
  4. Under "Configure Web":
    1. Provide redirect URI: https://[wikiid].mywikis.wiki/wiki/Special:PluggableAuthLogin
    2. Check the "ID Token" box.
  5. You'll probably want to check "Accounts in this org directory only".
  6. Provide the redirect URI: https://[wikiid].mywikis.wiki/wiki/Special:PluggableAuthLogin
  7. Provide the reply URL: https://[wikiid].mywikis.wiki/simplesaml/module.php/saml/sp/saml2-acs.php/azuread-[wikiid]
  8. Press save on the top bar of the Azure Portal or Microsoft Entra.
  9. In the new app, go to "Certificates and secrets" and create a new client secret.
  10. Provide to MyWikis the application (client) ID, directory (tenant) ID, and secret from the application. (NOTE: please send us the secret, not the secret ID! We do not need the secret ID at all. You might want to use it for auditing purposes if you decide to keep this secret in an Azure Key Vault.)
  11. SAML only: Download the federation metadata XML and send it to us.

Google Workspace

Note: If you want to allow ALL Google accounts to log in to your wiki, not just ones in your Google Workspace, please contact support and ask for the GoogleLogin extension to be installed. You won't need to follow these instructions. Google Workspace users, please keep reading.

You will want to follow the instructions located on Google's documentation: https://support.google.com/a/answer/6087519

When Google says "get this info from your administrator", here is what you give them:

  1. Choose "Download IdP metadata" over "Copy the SSO URL, entity ID, and certificate".
  2. Take the XML file you are given, GoogleIDPMetadata.xml, and provide it to us by uploading it to your ticket.
  3. Your ACS URL will be provided by us, in the format https://[wikiid].mywikis.wiki/simplesaml/module.php/saml/sp/saml2-acs.php/googleworkspace-[wikiid]
  4. Your entity ID will be provided by us, in the format https://[wikiid].mywikis.wiki/simplesaml/module.php/saml/sp/metadata.php/googleworkspace-[wikiid]
  5. The start URL should be: https://[wikiid].mywikis.wiki/wiki/Special:PluggableAuthLogin
  6. For the SAML attribute mapping, add three attributes exactly as shown below (case sensitive; do not include spaces, and do not replace these values with your personal name or email address):
    1. First name -> "FirstName"
    2. Last name -> "LastName"
    3. Primary email -> "Email"

JumpCloud

  1. First, open a ticket with us about installing SSO on your wiki. Tell us you're using JumpCloud, and ask us for our SP metadata XML file.
  2. Once you have the metadata XML file from us, go to the JumpCloud admin console.
  3. From the JumpCloud admin console, click on the SSO section on the left bar. Press the green + sign and add a "Custom SAML Integration".
  4. Under "Single Sign-On Configuration", first upload the XML file we gave you by clicking "Upload Metadata", then enter the following values:
    1. IdP Entity ID: jumpcloud-mywikis-WIKI_ID (where WIKI_ID is your wiki ID)
    2. SAMLSubject NameID: username
    3. SAMLSubject NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
    4. Signature algorithm: RSA-SHA256
    5. Default RelayState: https://WIKI_ID.mywikis.wiki/wiki/Main_Page (where WIKI_ID is your wiki ID)
    6. Login URL: https://WIKI_ID.mywikis.wiki/wiki/Special:PluggableAuthLogin (where WIKI_ID is your wiki ID)
    7. IdP URL: https://sso.jumpcloud.com/saml2/mywikisWIKI_ID (where WIKI_ID is your wiki ID)
    8. Don't check any of the checkboxes, except for "include group attribute". Once you check it, type "Groups" into the textbox that appears.
  5. For the SAML attribute mapping, add four attributes exactly as shown below (case sensitive; do not include spaces or double quotes, and do not replace these values with your personal name or email address). The format is Service Provider Attribute Name <- JumpCloud Attribute Name:
    1. "FirstName" <- firstname
    2. "LastName" <- lastname
    3. "Email" <- email
    4. "Username" <- username
  6. Press the green "Activate" button at the bottom. You'll then be sent back to your list of SSO integrations. Click the service you just created and go back to "Single Sign-On Configuration". Under JumpCloud metadata, click "Export Metadata".
  7. Go to the "User Groups" tab and be sure to enable the user groups you want to be able to use this SSO integration. (Note: It cannot be "All Users", it must be a specific group.)
  8. Give this metadata file to us on the support ticket.

Troubleshooting

My wiki’s SSO suddenly stopped working in recent days. When someone attempts to log in, they see an error message saying “Fatal error authenticating user”.
This most likely indicates your SAML certificate or OpenID secret has expired. Please follow the above steps to recreate your certificate/secret, open a ticket on the MyWikis Client Panel, and send us the new certificate/secret. We will replace the secret as soon as we can.
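A check for the expiry failure described above, written as an added example in Go (not MyWikis' own tooling): it reads an IdP metadata XML file of the kind the Google, Azure and JumpCloud steps hand over, parses every embedded certificate and reports how many days remain before its NotAfter, so the certificate can be rotated before logins start failing. SampleMetadata is constructed demo input; its entityID and namespace layout are assumptions, and only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// idpMetadata keeps only the X509Certificate elements under IDPSSODescriptor/KeyDescriptor; encoding/xml matches local names, so the md:/ds: prefixes in IdP exports need no handling.
type idpMetadata struct {
	Certs []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// DaysUntilExpiry returns, for each certificate in the metadata, the whole days left until
// its NotAfter as seen from now; a negative value means the certificate has already expired.
func DaysUntilExpiry(metadataXML string, now time.Time) ([]int, error) {
	var md idpMetadata
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return nil, err
	}
	var days []int
	for _, b64 := range md.Certs {
		// Exported metadata usually line-wraps the base64 body, so strip all whitespace first.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return nil, fmt.Errorf("bad X509Certificate: %w", err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		days = append(days, int(cert.NotAfter.Sub(now).Hours()/24))
	}
	return days, nil
}

// SampleMetadata is constructed input: a self-signed Ed25519 certificate expiring at notAfter, wrapped in the metadata shape IdPs export (real IdPs use RSA keys; the entityID is made up).
func SampleMetadata(notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/constructed"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`, base64.StdEncoding.EncodeToString(der))
}
```

Run DaysUntilExpiry against the real GoogleIDPMetadata.xml or Azure federation metadata file on a schedule and alert when the smallest value drops below your rotation lead time.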