m3ter Single Sign-On

The m3ter Single Sign-On (SSO) allows users with federated identities that exist in different Identity Providers (IdPs) to sign into m3ter without having to manually provision new users/identities in m3ter's user pool.

m3ter SSO supports SAML based Identity Providers (IdPs). The SAML 2.0 standard offers an XML-based protocol for the exchange of user security information, such as authentication and authorization details, between an identity provider and service provider. In this way, SAML enables the implementation of web-based SSO across security domains.

To implement SSO, two main steps are required:

  • Set up your external SAML based Identity Provider application.

  • Request m3ter Support to create an Identity Provider in m3ter for you.

When SSO has been implemented for your chosen SAML-based IdP, you might have to check how your users will be provisioned.

This topic explains how SSO is implemented in m3ter for your chosen IdP and how to authenticate and log into the m3ter Console when your corporate federated identity has been set up:

Coming Soon! Support for Google SSO is coming soon.

Setting Up an External Identity Provider

Here are the settings you'll need when setting up your external IdP.

SSO URL/Endpoint

This is the Single Sign-On URL/Endpoint where the m3ter application receives the SAML assertion:

https://m3ter.auth.us-east-1.amazoncognito.com/saml2/idpresponse

Audience URI

This is the Entity ID of the m3ter application:

urn:amazon:cognito:sp:us-east-1_9OJBvIFUw

Attributes Mappings

The following table gives the mappings between the identity attributes used in the external provider and the ones used by m3ter that must be also configured:

External IdP Attributem3ter Attribute
<>name*
<>email*
<>firstName
<>lastName
<>groups

Notes:

  • * means mapping is mandatory.

  • For groups mapping values, use comma-separated format. For example: m3ter-staging-admin, m3ter-prod-read-only

Setting Up an Identity Provider in m3ter

An Identity Provider can be created in m3ter for a single m3ter Organization or for all of the m3ter Organizations you use:

  • Note: This second step will be done for you by m3ter Support.

  • Required IdP Details: In order for us to create an Identity Provider for you, please provide the following details:

    • name - Unique name of IdP.

    • metadataUrl - URL for downloading the SAML metadata.

    • identifiers - Globally unique values of IdP domains. Used to redirect users to corresponding external IdP login page.

    • groupMappings - Used to map groups in the external IdP to regular User Groups in m3ter. Ensures that SSO users belonging to groups in the IdP will be added to corresponding User Groups in m3ter, and inherit the Permission Policies assigned to those m3ter User Groups.

User Provisioning for SSO

Depending on how and when your IdP set up for m3ter SSO was implemented and other factors, such as the possibility of pre-existing m3ter users, you might have to check to ensure your users are properly provisioned for SSO inclusion and have the correct permissions assigned to them. Here are some explanatory notes and recommendations to help with this:

  • Pre-existing Users. If the user with the given email already exists as a m3ter user, then the federated identity will be attached to the existing user’s profile and the identity will have access to the same Organizations with the same permissions as before and will be allowed to login with both the m3ter credentials or using the external identity provider.

  • New Users - Provisioning. If the user with the given email does not already exists as a m3ter user, then the provisioning process will create a m3ter User and an OrgUser having no actual permissions for the configured Organization(s).

  • New Users - Permissions. As per the previous bullet point, the OrgUser now exists in the proper Organizations but can’t do anything because they lack permissions. There are two ways in which you can attach the required Permission Policies to them:

    • Directly. Attach the relevant Permission Policies to the OrgUser. See Managing Users and Assigning Permission Policies for more details.

    • Via groupMappings. Ask m3ter Support to set up groupMappings at the IdP level so the OrgUser is automatically added to the corresponding m3ter User Groups at each login, hence inheriting the Permission Policies attached to the User Groups they then belong to in the Organization.

Using SSO to Sign Into the m3ter Console

When your corporate federated identity has been set up for SSO, you can use it to authenticate and sign into the m3ter Console.

Coming Soon: IdP-Initiated Logins! IdP-initiated logins are not currently supported but will be added in the future. If you're interested in this feature, please get in touch with m3ter Support or your m3ter contact.

To authenticate with the platform:

1. Open your browser and enter the URL for the m3ter environment. The m3ter Sign in to your account appears. The default presentation is for User/Password authentication:

2. Instead, select Single Sign-On (SSO). The sign in adjusts for SSO and Sign in with Single Sign-On (SSO) using your Corporate ID shows:

3. Enter your federated SSO corporate Email Address to authenticate and gain access to the Console:

  • If your account has been set up for access to a single Organization, you are taken directly to the m3ter Console Dashboard for the Organization.

  • If your account had been set up for access to more than one Organization, a Select Organization page opens. Select the Organization you want to access. The meter Console Dashboard for the selected Organization opens.

Important! When you log in to the m3ter platform for the first time, please review our Terms of Service straightaway to ensure you accept them. To review these terms, click the Documentation link at the bottom of the Console's main navigation, and then select Legal.

Next: Service Authentication



Additional Support

Login to the Support portal for additional help and to send questions to our Support team.