[Deprecated] How does the SSO Process work

Deprecated section

This section of our wiki is deprecated. You landed here because we have developed new, better tools to integrate with Maestrano and our partners. We now have a brand new Developer Platform which greatly simplifies your integration on all our partner marketplaces (both to manage your marketing listing and to manage your technical integration).

If your application is already integrated with Maestrano, do not panic! Your integration still works perfectly. To simplify your journey with us and our partners' marketplaces, we will onboard you soon on the developer platform. If you want to know more, just send us an email (developers@maestrano.com); there is nothing to be afraid of.

1 SSO, what for?

SSO allows users to launch your application from within Maestrano without having to type in credentials. This improves the customer experience by skipping a step to access your app.

2 What is supposed to happen when a Maestrano user launches my application for the first time?

When a user accesses your application for the first time, a new account must be created based on the user details (first and last name, email, company name, etc.). You may have different subscription plans to offer the user. The recommended approach is to set up the user account under a free trial if you support this kind of subscription. Otherwise it is recommended to provide the user with a basic subscription plan so they can try out your application's functionality. After the free trial has expired, the user will be charged via the Maestrano billing API.

As part of the SSO process, the user details (first and last names, email) are passed on. You can use these to match the user against an existing user inside your application rather than creating a new account, which gives the end user a better experience.

3 What is the Workflow?

The Single Sign-On process is initiated from the Maestrano website when a user clicks on your application tile. This redirects the user to the configured SSO initialization endpoint, which in turn redirects to the Maestrano IDM endpoint. The user is then redirected to your SSO consume endpoint with all the user details required to either log the user in or create a new account.

4 What do I have to pay attention to?

As the user email is unique on Maestrano, it is safe to match users by email or user_id. The user_id must be stored against the User record so that even if a user changes their email, you can still uniquely identify their account.

The group_id specified in the SSO request is the identifier used to associate users with the company/organization they belong to, and it is also the identifier used for Connec! data sharing. You need to store this value against the user's company inside your application.

On maestrano.com, a user can be part of multiple companies (one user_id for more than one group_id) and a company can have multiple users (several user_id values for the same group_id). We ask every application on maestrano.com to respect this model, and to help you implement it, our SDKs offer virtual ids that are unique for a given user and company. Check the virtual mode.

Uniqueness with multi-tenancy

If a user opens an account on two different tenants, two different accounts must be created to avoid mixing data between different organisations in different marketplaces.

Do not send emails to virtual email addresses

The virtual email addresses should only be used to build a unique user id, not to send emails to users; for that, always use the user's real email address.
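The matching rules of this section (user_id as the stable key, email only as a fallback for pre-existing accounts, one account per tenant, many-to-many users and companies, a per-user-per-company virtual id) as a small account-resolution routine for a consume endpoint. This is an added illustration, not Maestrano SDK code: it assumes the SDK has already verified the assertion and parsed it into the fields named above, and the virtual id format here is a constructed placeholder, not the SDK's real format.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class SsoUser:
    """Constructed view of the attributes delivered to the consume endpoint."""
    tenant: str      # marketplace the request came from
    user_id: str     # stable Maestrano user identifier
    group_id: str    # company/organisation identifier (also used by Connec!)
    email: str       # the user's real email address, safe for notifications
    first_name: str
    last_name: str

@dataclass
class Account:
    tenant: str
    email: str
    user_id: Optional[str] = None        # None for accounts that pre-date SSO
    group_ids: set = field(default_factory=set)   # companies this user belongs to

class AccountStore:
    """In-memory stand-in for the application's user table."""
    def __init__(self, existing=()):
        self.accounts: list[Account] = list(existing)

    def consume(self, u: SsoUser) -> tuple[Account, str, bool]:
        # 1. Primary match: stored user_id, scoped to the tenant.
        acct = next((a for a in self.accounts
                     if a.tenant == u.tenant and a.user_id == u.user_id), None)
        if acct is None:
            # 2. Fallback for legacy accounts without a user_id: match by email,
            #    still within the same tenant, then pin the user_id for next time.
            acct = next((a for a in self.accounts if a.tenant == u.tenant
                         and a.user_id is None and a.email == u.email), None)
            if acct is not None:
                acct.user_id = u.user_id
        created = acct is None
        if created:
            # 3. Never cross tenants: a new marketplace means a new account.
            acct = Account(u.tenant, u.email, u.user_id)
            self.accounts.append(acct)
        acct.email = u.email                 # keep the real address current
        acct.group_ids.add(u.group_id)       # a user may belong to many companies
        # Placeholder virtual id: unique per (tenant, user, company). Use it as a
        # key only; send mail to acct.email, never to any virtual address.
        virtual_id = f"{u.tenant}:{u.user_id}:{u.group_id}"
        return acct, virtual_id, created
```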

5 SSO Consume process