SSO - Single Sign-On and Martus

SSO is available to all Martus customers. Martus supports SSO access via the SAML2 protocol. Your IT staff can configure your company portal to allow this with IDPs such as:

• Azure Entra
• Okta
• Google Workspace

With SSO, your organization can enforce its own security policies such as multi-factor authentication, etc. However, even with SSO in place, you still need to set up users in Martus to set their functional permissions and dimension restrictions in the software.

If desired, you can provide your IT staff with a simple Martus login, granting them permission to set up SSO. The permission 'IT' gives access to Setup > SSO in Martus to allow setup. Additionally, any Martus Admin can also update SSO after receiving the needed information from IT.  

Requirements include:

• SSO XML metadata file
• Login URL for your IDP (SSO provider) 

Since Martus supports any provider who uses the SAML2 protocol -- and the specific steps to create a certificate and identify the appropriate login URL are specific to your IDP -- Martus cannot tell you specifically how to do.  An example below shows how you'd find the Login URL if you use Google Workspace SSO:

1. In Google, open the list of apps.

2. Find the icon for the Martus app.

3. Right-click.

4. Click Copy Link Address.

5. Paste the copied link into the Login URL field in Martus on the SSO page.

Enabling SSO

1. Navigate to Setup > SSO.
2. Browse for and select the XML file.
3. Paste the login URL into the Login URL field on the SSO page.
4. Note: The client entity ID and certificate fields will be filled in once the XML metadata file is uploaded into Martus. 
   
   

Removing Passwords to force SSO

• One at a time: 
  1. Go to Setup > Users
  2. Click the Edit button next to the user
  3. Click the Clear Password button
• All users:
  1. Go to Setup > SSO
  2. Click the Clear All Passwords

Partner Users

If a Martus instance has users from a Martus partner, those users are managed by the Partner via the Partner Console. Partner users are not required to use an organization's SSO. And only Partner Console Managers at the partner organization can clear passwords for Partner users or otherwise manage their access. Admins in associated Martus instances do not have control over Partner users' MFA or password requirements. Martus Admins cannot add, edit or delete Partner users. 

While Partner users may use their own SSO, a Partner user does not have to use SSO.

Notes

• If a user is logging in and they have multiple clients that have SSO enabled, they will be presented with a list of clients from which to choose.
• Once the SSO setup is confirmed to be working, be sure to remove the passwords from all users within Martus. 
• Any Martus user with a password would be able to bypass the SSO security and log into Martus directly!  
• Martus Support generally cannot provide instructions for how to configure the SSO provider selected by your IT staff. However, you can use these instructions to configure SSO within Azure Entra.
• Send the Martus logo file below to your IT staff. It has been tailored for use on the "Martus" button they create in your portal for users to access Martus.
• As an Administrator, you can allow specific users to bypass SSO but sending those users the "Set up password" email. This is helpful if you need to add users to Martus who do not have access to the domain utilized for SSO.