This article lists general information for using and setting up Single Sign-On (SSO) via Security Assertion Markup Language (SAML) 2.0.

• General
• Limitations
• Setting up Single Sign-On via SAML 2.0 in Meisterplan
• Identity Provider Settings
• Service Provider Data
• Completing the Setup
• Login via SSO
• Updating the Configuration
• Login without SAML
• Deactivating SAML

General

• Single Sign-On via SAML 2.0 allows users to log in to Meisterplan via user accounts configured with the connected identity provider.
• Please note that users also need Meisterplan user accounts to be able to log in. The Meisterplan username is mapped to the NameID SAML field, so be sure to map this field to the Identity Provider field that corresponds to the Meisterplan username.
• Meisterplan supports both Service Provider (SP) initiated SSO and Identity Provider (IdP) initiated SSO.
• This is a short guide to configure SSO via SAML 2.0 in Meisterplan.
• Step-by-step guides for supported Identity providers are available here:
• Entra ID (formerly: Azure AD)
• Active Directory Federation Services (ADFS)
• OneLogin
• PingOne
• Okta
• Knowledge about SAML 2.0, SSO and the specifics of configuring your identity provider are presupposed.
• Users can also be added to SSO in addition to being auto-provisioned by your identity provider. This does not have to happen in a particular order. Learn more about this in the article on auto-provisioning users.

Limitations

• Single Sign-On in Meisterplan supports SAML 2.0 only.

Setting up Single Sign-On via SAML 2.0 in Meisterplan

For these functions, you need to have the Manager Users and User Groups right.

Proceed as follows to set up Single Sign-On via SAML 2.0 in Meisterplan:

Step 1: In the left sidebar, click Manage and select Users.

Step 2: In the toolbar, click Configure > SAML:

Step 3: Click Enable SAML. This will display the Identity Provider Settings and Service Provider Data sections:

Identity Provider Settings

Enter the Identity Provider Settings from your identity provider:

• Identity Provider Entity ID (this may also be referred to as the "issuer")
• SSO URL (Single Sign-On URL)
• SLO URL (Single Log-Out URL)
• X.509 Certificate (public key - different identity providers may use different names)
• Under SAML Message Binding Method, specify whether the SAML login or logout requests are passed to your identity provider via GET ("HTTP Redirect") or POST.
• Check Sign SAML Authentication Request if Meisterplan should sign requests sent to your identity provider

Service Provider Data

Most identity providers require service providers such as Meisterplan to include additional data such as Login Response URL, Entity ID and Relay State.

You can use Download SP Configuration > Download Metadata (.xml) in the toolbaras a starting point to configure the most common fields in your identity provider. Fill in the remaining fields by copying the respective values from the Service Provider Data section in Meisterplan.

Completing the Setup

After entering Identity Provider Settings in Meisterplan and, if required, Service Provider Data on your identity provider's side, click the Save Configuration button to complete the setup.

Login via SSO

If SAML has been set up for your Meisterplan system and you log in via SSO, you will be automatically redirected to your company's login page. Log in to Meisterplan as explained in the Login article.

Updating the Configuration

Follow these steps if you need to update the Single Sign-On (SSO) configuration, e.g. when switching to another identity provider.

Step 1: In Meisterplan, enter the new Identity Provider Settings (see the Identity Provider Settings section) and confirm by clicking Save Configuration.

Step 2: In the admin panel of your identity provider, enter Meisterplan's Service Provider Data (see the Service Provider Data section).

Login without SAML

If you would like to login without SAML (for example, because the identity provider is temporarily not available or because you are experiencing difficulties with your SAML configuration) and have the Manage Users and User Groups right, you can log in without SSO using a recovery page:

• If your system is hosted in the USA:
  login.us.meisterplan.com/login?recovery=true&systemName=[your system name]
• If your system is hosted in the EU:
  login.eu.meisterplan.com/login?recovery=true&systemName=[your system name]

Deactivating SAML

To deactivate the SAML login for all users, you need to have the Manager Users and User Groups right. Log in with your Meisterplan-specific login credentials and deactivate the SAML configuration for your Meisterplan system:

Then click Enable SAML to disable the active configuration.