Custom SSO integration with Matillion Hub – SAML

Editions

This feature is for customers on our Enterprise edition only. Visit Matillion pricing to learn more about each edition.

Single Sign-On (SSO) is an authentication service that enables users to access multiple applications with a single set of login credentials. This feature enhances security and efficiency by minimizing the need for multiple passwords and simplifying access management.

This guide details the process required to set up SSO integration with the Matillion Hub using SAML.

Here’s a summary of the detailed steps covered in this guide:

Create a new SAML application in your identity provider using the information provided below, and share the details of that application with Matillion.
Create a TXT DNS entry to all domains that you want to link through SSO.
Matillion will set up a matching application and email you the Relay ID along with a link to test the configuration of both applications.
Add the Relay ID to your application, and test it using the test link provided.
Matillion will address any necessary changes for the configuration and, once everything is complete, we’ll fully transition. Normal logins to the Matillion Hub will remain unaffected during the setup to ensure continued access until the switch is finalized.

Identity provider setup

Follow these steps in your selected identity provider portal:

Type: SAML.
Reply URL (Assertion Consumer Service URL): Enter "https://id.matillion.com/login/callback".
Ensure that the Unique User Identifier (Name ID) claim is mapped to an immutable and unique value, such as user.employeeid, instead of the user's email address, which is often the default setting. If it's set to the email, any users who later change their email address will lose access to their account, as they will be recognized as a completely new user to Matillion.
Create a custom claim called email_verified that returns a static value of true. This will prevent our identity provider from requiring users to verify their email address with Matillion.
Set the Identifier to urn:auth0:matillion:[domain]-saml, replacing "[domain]" with your primary email domain and converting any special characters to dashes. For example, "example-company.com" should be formatted as urn:auth0:matillion:example-company-com-saml.
Create a TXT DNS entry for each domain you want to bind, containing the text from the end of the Identifier mentioned above, such as matillion:example-company-com-saml.

Raise a support ticket

After completing the identity provider setup, submit a support ticket through the Matillion Support Portal including the following information:

Enter the name of your identity provider.
Enter the login URL provided by the application set up with your identity provider.
Provide a list of domains you wish to bind.
Provide the certificate from the application configured in your identity provider, in Base64 format.
Enter confirmation of the identifier used in the application.
Enter confirmation of the name of the DNS entries created.

Finalize the identity provider setup

Once your support ticket has been received, Matillion will create a matching application, and provide you with its Relay State. Follow the steps to complete the identity provider setup:

Set the Relay State in your application to the value previously provided by Matillion.
Sign out of any active sessions in Matillion.
Visit https://sso-check.matillion.com, enter your email address, and click Log In.
After logging in, a list of checkboxes will appear. If any are not green, review the message associated with each one, and adjust your application configuration as needed to resolve the issues.
Once all checkboxes are green, the integration can be activated. Before proceeding, ensure all users have committed their work to Git, as any uncommitted work may be lost during the migration.
When all work has been committed and you're ready for us to enable the integration fully, please notify us via your support ticket, and we'll complete the transition.