SAML SSO user authentication

Configure single-sign-on using SAML

Standard users must log in using a combination of password and authenticator device, to provide multi-factor authentication (MFA). See New user setup for more details about how this is set up for users.

As an alternative, Maxemail can offer single-sign-on (SSO) using a corporate identity provider (IdP). This is done via the SAML protocol through AWS Cognito, requiring a two-part setup with configuration by both the client organisation and Xtremepush.

SAML configuration

The IT / Operations team will require the following details to set up a new SAML app:

Item                   Value
ACS URL                https://login.mxm.xtremepush.com/saml2/idpresponse
Entity ID              urn:amazon:cognito:sp:eu-west-1_RWE1XUTqB
Start URL              [N/A]
Name ID Format         emailAddress
Name ID                User email address
Additional attributes  email : User email address
Group details          [N/A]

Once this is configured, please provide our support team with the related metadata document (XML) or the metadata endpoint URL, along with the user email address domain which will be linked to this IdP.
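Before sending the metadata document to support, it is worth checking that it is the IdP's metadata (not the SP metadata the IdP generated for Maxemail), that it advertises the emailAddress Name ID format, an HTTPS web-browser SSO endpoint and a signing certificate. The following pre-flight check is an added example and is not part of the Maxemail or Xtremepush tooling; it uses only the Python standard library. The embedded metadata is a constructed sample, and idp.example.com and the certificate text are placeholders, not a real identity provider.

```python
"""Pre-flight check of an IdP SAML metadata document before sending it to support.

Added example, not part of the Maxemail/Xtremepush documentation. Standard library
only. SAMPLE_METADATA is constructed for this example; idp.example.com and the
X509Certificate contents are placeholders, not a real IdP.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
WEB_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample of what a corporate IdP typically exports (placeholder values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBody</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return a list of problem codes; an empty list means the document looks usable.

    The checks follow the requirements on this page: an IdP (not SP) descriptor,
    the emailAddress Name ID format, an HTTPS browser SSO endpoint, and a signing
    certificate that the SP can use to verify the IdP's SAML responses.
    """
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["not-xml"]

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        # A federation bundle (EntitiesDescriptor) or an unrelated document.
        return ["not-entity-descriptor"]
    if not root.get("entityID"):
        problems.append("missing-entity-id")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Common mistake: exporting the SP metadata instead of the IdP's own.
        problems.append("no-idp-descriptor")
        return problems

    formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    if formats and EMAIL_NAMEID not in formats:
        # The IdP advertises Name ID formats but not the one this integration needs.
        problems.append("nameid-format-not-email")

    sso = [e for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") in WEB_BINDINGS]
    if not sso:
        problems.append("no-web-sso-endpoint")
    elif not all((e.get("Location") or "").startswith("https://") for e in sso):
        problems.append("sso-endpoint-not-https")

    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        problems.append("no-signing-certificate")

    return problems


if __name__ == "__main__":
    # Usage: python check_metadata.py idp-metadata.xml  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for line in check_idp_metadata(text) or ["ok"]:
        print(line)
```

The script does not validate the XML signature on the metadata itself or the certificate's validity period; check the latter separately (for example with `openssl x509 -noout -dates` on the extracted certificate) so the integration does not break when the IdP's signing certificate expires.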

Testing

Once the configuration has been added to Maxemail, SSO can be tested by entering the email address of a valid Maxemail user in the configured domain in the corporate email field on the regular Maxemail login page at https://mxm.xtremepush.com . This will redirect to the IdP for authentication and, once the user has logged in to the IdP, redirect back to Maxemail as an authenticated user.

After testing is complete, the support team will remove any existing password-based logins, so that the affected users may only log in using the corporate SSO.

Additional details

  • IdP-initiated login is not supported. Users must begin at https://mxm.xtremepush.com .
  • Auto-provisioning is not supported. Users must have already been added to Maxemail by an administrator, with relevant access permissions defined. See User administration.
  • SP-initiated SAML requests are signed.
  • Sign-out flow (SAML Single Logout) is not supported. Users can use the Logout option in the Maxemail user menu, and sessions are automatically revoked after 2 minutes of inactivity.
  • Group membership details are not supported.