Add a federated SSO user to Maxsight

The instructions here describe how to add a new federated user to Maxsight. Federated users sign in to Maxsight through your company's chosen SSO identity provider, such as Azure Active Directory or Google SSO. For instructions on how to add new users who will sign in using their Moody's SSO account, see Add a Maxsight user.

When the user first signs in, they can access the areas of your account according to their roles. If you have not set up a link between your identity provider groups and a Maxsight team, the user can't access any area of your account until you assign roles manually. See Assign roles to federated SSO users for more information.

To add a federated SSO user:

  1. Create an app on your identity provider for a SAML 2.0 connection. Contact your identity provider for more information about how to do this.

  2. If you would like to assign permissions to your users automatically based on their identity provider groups, create a single custom attribute for your users that contains the list of each user's group IDs. The IDs need to be sent in a form that we can map to a comma-separated list of strings.

  3. Provide us with the accepted domains from which your users will sign in.

  4. Provide us with the following information about the app you created previously:

    • Identity provider issuer URL

    • Identity provider single sign-on URL

    • Identity provider signature certificate (using SHA-256)

    • Destination URL (optional)

  5. Provide the names of the user attributes you're using on your identity provider so that we can map them:

    • email address, for example, subjectNameId

    • first name

    • last name

    • custom teams (optional)

  6. We complete the configuration on our side, and send you some metadata so that you can complete the configuration on your side.

Allow lists with SSO

When you enable allow-listing, only requests coming from an IP address that's on your authorized list will be able to sign in to your account's portal and make calls to your API.

If you'd like to use allow-listing, you should enable it through Maxsight's IP allow-listing area and avoid using Okta's allow-listing feature. Otherwise, both allow lists will apply for SSO sign-ins, and unexpected behavior may occur.

Assign roles to federated SSO users

Roles determine what users can see and do in Maxsight.

For example, you could have a Compliance officer role that provides users with access to onboard and monitor all assessments.

Roles can be assigned on a team basis or a per-user basis.

By default, new SSO users on your account won't have any roles, which means they won't have access to any area of your account.

To assign roles automatically, link a Maxsight team to one of your identity provider groups: users in that group receive the team's roles when they sign in. Each time the user signs in after that, their teams will be updated to reflect any groups they've been added to or removed from on your identity provider.

To create a linked team, follow the steps to add a team and ensure you include these options:

  • In the External team ID field, add your identity provider group's ID or name. Note that these are case-sensitive.

  • In the Team roles field, add the roles you want to assign to users from the identity provider group.

[Image: Add new team form with SSO enabled, including the External team ID field.]
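As an added illustration (not Maxsight's or Moody's own code), this Python script shows how the user attributes from step 5 and the groups attribute from step 2 map onto a user, and why the External team ID above must match the identity provider group ID exactly: it reads a constructed SAML 2.0 AttributeStatement, flattens the group IDs into a list of strings, and resolves team roles case-sensitively. The attribute names, linked team IDs and sample assertion are all assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical attribute names, as a customer would report them in step 5.
ATTRIBUTE_NAMES = {"email": "subjectNameId", "first_name": "givenName",
                   "last_name": "surname", "groups": "maxsightTeams"}

# Hypothetical linked teams: External team ID -> team roles, matched case-sensitively.
LINKED_TEAMS = {"compliance-officers": ["Compliance officer"], "Reviewers": ["Reviewer"]}

# Constructed sample (AttributeStatement only). A real service provider validates the
# assertion's signature against the IdP certificate before trusting any attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="subjectNameId"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="surname"><saml:AttributeValue>Lopez</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="maxsightTeams">
   <saml:AttributeValue>compliance-officers, reviewers</saml:AttributeValue>
   <saml:AttributeValue>auditors</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in
                                   attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return attrs

def group_ids(values):
    """Flatten the groups attribute (several AttributeValue elements and/or one
    comma-separated value) into a list of group ID strings, case preserved."""
    return [g.strip() for v in values for g in v.split(",") if g.strip()]

def map_user(attrs):
    """Map IdP attributes onto the step 5 fields and resolve roles from linked teams.
    A group ID that does not exactly match an External team ID grants no roles."""
    def first(key):
        return (attrs.get(ATTRIBUTE_NAMES[key]) or [None])[0]
    groups = group_ids(attrs.get(ATTRIBUTE_NAMES["groups"], []))
    roles = sorted({r for g in groups for r in LINKED_TEAMS.get(g, [])})
    return {"email": first("email"), "first_name": first("first_name"),
            "last_name": first("last_name"), "groups": groups, "roles": roles}
```

Calling map_user(parse_attributes(SAMPLE_ASSERTION)) yields only the Compliance officer role: the lowercase reviewers group does not match the linked Reviewers team, and auditors is not linked at all, so a user with no matching group ends up with no roles, as the page describes.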

To assign roles to an individual user:

  1. Go to User management > Users.

  2. Select the user.

    Federated users have SSO displayed next to their name.

  3. Add the roles to the User roles field.

Additional information