Moxo supports Single Sign On (SSO) authentication, allowing users to log in using your organization’s Identity Provider (IDP), such as Microsoft, Google, or Okta. With SSO enabled, users no longer need to enter their Moxo credentials—authentication is handled through the IDP, providing a secure and streamlined login experience.
How SSO works in Moxo
When SSO is enabled, users are redirected to your organization’s IDP to authenticate. Upon successful verification, they are automatically logged into Moxo without needing to enter their Moxo email or password.
SSO user group configurations
Moxo offers flexibility in how single sign on is applied across your organization's portal. Depending on your structure, you can enable SSO for internal users, client users, or both. Below is a breakdown of each configuration:
- SSO for internal users only: When this configuration is enabled, only internal users authenticate through your organization’s IDP (e.g., Okta, Microsoft, Google). Clients will continue to log in using their Moxo credentials. This setup is ideal if your organization wants to streamline employee access without changing the client login experience.
- SSO for client users only: In this configuration, only client users log in via SSO, using your organization’s selected IDP. Internal users continue using their Moxo credentials. This is useful when your external-facing teams serve enterprise clients who require SSO for security compliance.
- SSO for both internal and client users: With this setup, both employees and clients use SSO to access the Moxo platform. Each user group is redirected to their designated IDP for authentication. This configuration is recommended when your organization wants a consistent login experience for all user types and has identity systems configured for both.
Log in using SSO
If SSO is enabled for both internal and client users:
- Open your Moxo-powered private labeled app, and click Login.
- You will be redirected to your IDP (e.g., Microsoft, Google, Okta).
- After valid authentication, you’ll be redirected to the Moxo portal.
If SSO is enabled for internal users only:
- Open your Moxo-powered private labeled app, and click Login.
- On the login screen, select Employee Login.
  Note: Clients continue to log in with Moxo credentials.
- You will be redirected to the IDP for authentication.
- Once verified, you’ll enter the Moxo portal.
If different SSO logins are configured for clients and internal users:
- Open your Moxo-powered private labeled app. Then click either Employee Login or Client Login.
- You’ll be redirected to the appropriate IDP based on your user type.
- After successful authentication, the user will enter your Moxo portal.
Configuring SAML-based SSO
You can configure SSO either through the Moxo Admin Portal or by contacting the Moxo team for assistance.
To configure Single Sign-On, you need to submit a request at the org level.
IDP setup:
To get started, you'll need to configure Moxo as a service provider in your IDP system.
- Create an app for Moxo in your IDP system.
- Set the SP Entity ID as: https://www.moxo.com
- Configure user attributes to be sent to Moxo:
  - firstname: User’s first name
  - lastname: User’s last name
- Share the following information with Moxo:
  - IDP Entity ID
  - Login URL
  - SAML Certificate
In the Moxo Admin Portal:
- Navigate to the Admin Portal.
- Go to the Single Sign-On section.
- Click New.
- Fill in the required details:
  - Name: Enter a name for your SSO configuration.
  - User Role: Select one of the following:
    - Internal User
    - Client
    - Internal User and Client
  - IDP Entity ID: Enter the ID provided by your IDP.
  - SP Entity ID: Use Moxo's SP Entity ID (https://www.moxo.com).
  - Login URL: Enter the IDP login URL.
  - Logout URL: (Optional) Enter the IDP logout URL, if available.
  - AuthnContextClassRef: Ensure this matches the value configured in your IDP.
  - NameID Format: Must match what’s defined in your IDP settings.
  - SSO Flow: Select one:
    - IdP-Initiated
    - SP-Initiated (Default)
  - Protocol Binding:
    - HTTP POST
    - HTTP Redirect (Default)
  - User Type:
    - Unique ID
  - Certificate: Paste the SAML certificate from a .pem or .crt file.
“AuthnContextClassRef” and “NameID Format” should be the same in both the IDP and Moxo.
4. Enable AuthnRequest Signed to ensure secure authentication requests. Enable Auto-Provision User to automatically create accounts for authenticated users.
5. Click Create to save the SSO configuration. After saving, Moxo generates an Access Consumer Service (ACS) Endpoint URL.
The ACS URL will be visible once you enter the IdP Entity ID.
6. Provide the ACS URL back to your IDP to complete the setup.
After completing the setup, users will be able to authenticate with their chosen IDP, providing a smooth, seamless login experience.
Best practices
To ensure your SSO configuration runs smoothly and provides the best possible user experience, we recommend the following best practices:
- Ensure matching configuration values: Double-check that the NameID Format and AuthnContextClassRef values are consistent between your IDP and the Moxo Admin Portal.
- Test with a sample user: Before enabling SSO for all users, test the experience with a single user to confirm that authentication works as expected.
- Verify certificate accuracy: Make sure the certificate you paste into the configuration (from .pem or .crt files) is complete and uncorrupted.
- Plan for password recovery: In an SSO-enabled environment, password resets must be handled through the IDP—not through Moxo.
- Enable auto-provisioning (if applicable): If you want new users to be automatically created upon authentication, enable the Auto-Provision User setting to streamline onboarding.
By following these best practices, you can minimize configuration errors, ensure a secure login experience, and reduce the need for ongoing troubleshooting.
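For the "matching configuration values" and "test with a sample user" practices, the following added example (not Moxo's code) checks a SAML response captured from a test login against the settings described on this page. The function names, the NameID format and AuthnContextClassRef values, and the sample response are assumptions constructed for illustration; it also assumes your IDP places the SP Entity ID in the assertion's Audience element, as is usual for SAML 2.0.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Audience/attribute names: from this page. NameID format and AuthnContextClassRef: assumed examples.
EXPECTED = {
    "Audience": "https://www.moxo.com",
    "NameID Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "attributes": {"firstname", "lastname"},
}

def check_response(xml_text, expected=EXPECTED):
    """List config mismatches in a captured response (no signature verification)."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    found = {
        "Audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS),
        "NameID Format": name_id.get("Format") if name_id is not None else None,
        "AuthnContextClassRef": assertion.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", None, NS),
    }
    problems = [f"{key}: got {value!r}, expected {expected[key]!r}"
                for key, value in found.items()
                if (value or "").strip() != expected[key]]
    sent = {a.get("Name") for a in
            assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"attribute {name!r} not sent"
                 for name in sorted(expected["attributes"] - sent)]
    return problems

def sample_response(audience, attr_names):
    """Build a constructed (not captured) response to exercise the check."""
    attrs = "".join(f'<saml:Attribute Name="{n}"/>' for n in attr_names)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{EXPECTED["NameID Format"]}">pat@example.com'
        '</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
        f'{EXPECTED["AuthnContextClassRef"]}</saml:AuthnContextClassRef></saml:AuthnContext>'
        f'</saml:AuthnStatement><saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(*check_response(sample_response("https://moxo.example.com", ["firstname"])), sep="\n")
```

Replace the values in `EXPECTED` with the ones entered in your own SSO configuration before running it against a real capture. If your IDP encrypts assertions, the check reports that no unencrypted assertion was found.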