Make White Label supports two-factor authentication (2FA), such as Google's Authenticator app. The following procedure enables 2FA for your instance. End-users must complete the process by going to their profiles and using Google Authenticator or a similar app.

1. Go to Administration > System Settings.

2. Select Enabled from the Two Factor Authentication menu.

3. For Two Factor Authentication app name (visible in Google Authenticator) enter the name you want to appear in the authentication app.

Your instance now allows end-users to set up 2FA. Verify by clicking Leave administration and going to Profile > 2FA. When a user sets up 2FA, a window opens with the QR code for Google Authenticator or similar apps. Scan the QR code and enter the numeric code in the field.

You can configure single sign-on (SSO) from the System settings page and from your Identity Provider (IdP). Make White Label's SSO options let you decide whether to create a new organization for new end-users or not. This provisioning lets your end-users sign in and automatically receive their own organization for billing purposes.

Your instance supports the following authentication standards:

• OpenID Connect (OIDC) (OAuth 2.0-based)

• SAML 2.0

Click any of the following for configuration information:

1. Log in to Okta and go to Admin > Applications > Applications.

2. Click Create app integration and select SAML 2.0.

3. Name your app and upload your icon.

4. Click Next.

5. Configure the following SAML settings including:

1. Click Show advanced settings and enter the following:

1. Enter the following attributes and click Next.

1. In the Are you a customer or partner? field, select I'm an Okta customer adding an internal app.

2. In the App type field, select This is an internal app that we have created

3. Click Finish.

To locate your IdP login URL and certificate:

1. Go to Admin > Applications > Applications and select your SAML SSO app. to access the necessary information.

2. Go to the Sign on tab and click View SAML setup instructions.

1. Log in to your Make White Label instance.

2. Go to Administration > System settings.

3. Select an SSO type.

   1. None - default option indicating that SSO is turned off.

   2. OAuth 2.0

      1. Select this option for OpenID Connect (OIDC).
4. Fill in the protocol-specific information as described in the tables following this procedure.

5. Enter an IML resolve. The IML resolve maps necessary data such as ID, name, and email, between Make and your identity provider.

6. Under SSO Options, define whether and how your instance assigns new users to organizations. You can choose from the following options:

   • Don't create a new organization.

     • This option only creates a new user. That new user has no access to the scenario editor or other features. You must manually add the new user to an organization.

   • Create a new organization and team.
7. Click Save.

Make enables SSO with the settings you provided and logs you out immediately. You can now log in with your SSO provider credentials. At the same time, you receive an email with a one-time link, which you can click to disable SSO. Use the one-time link within 24 hours before it expires. After 24 hours you must contact your customer success specialist.

Open ID Connect (OAuth 2.0 settings)

The following fields appear once you select OAuth 2.0 from the SSO menu:

SAML 2.0 settings

Create your service provider primary key and certificate

Your Make White Label instance signs and verifies SAML 2.0 requests with the primary key and certificate that you provide.

Use openssl or similar as in the following example:

openssl req -newkey rsa:2048 -new -nodes -x509 -keyout key.pem -out cert.pem

This example creates two separate files that you can extract into the following fields:

• Service provider primary key

• Service provider certificate

Create URLs for your instance as a service provider

To configure SSO on your identity provider, you need to provide URLs. The following are examples using the base domain https://example.celonis.integromat.

Adjust them according to the domain of your instance.

• SAML ACS URL: https://example.celonis.integromat.com/sso/saml

• SAML Entity Information URL (also known as Audience Restriction URL): https://example.celonis.integromat.com/sso/saml

Create and enter Login IML resolve

To support a broad choice of identity providers (IdPs), Make lets you map values related to identifying users. The IML resolve maps the values from your IdP to Make's internal values by using IML, a JavaScript-based function notation. Your IML resolve must be specific to your IdP. You must map the following properties:

Example

In the following example, the resolve maps the following values:

The following manual configuration creates a SAML SSO configuration for your Enterprise organization.

Prerequisites

• Owner or admin role in an Enterprise organization

Once you configure SSO, your end-users don't use the default sign-in form. Instead, they use the dedicated SSO sign-in options.

1. Go to your login URL.

2. Click Sign in with SSO.

3. Log in using your identity provider and consent to Make's access to your user data.

The user is now logged in. If the user was not assigned to your organization before, the system creates a new users account for them and assigns them to the selected default team.

Before configuring SSO, you need to assign a namespace and create a service provider certificate and private key. These important steps provide information you need to enter later.

Create your namespace:

1. Go to Administration > System settings.

2. Scroll down to SSO Type.

3. Under SSO type, select SAML 2.0.

Create your service provider primary key and certificate:

1. Use openssl or similar. Mac users can use Terminal

2. Enter the following command:

openssl req -newkey rsa:2048 -new -nodes -x509 -keyout key.pem -out cert.pem

This example creates two separate files:

• key.pem

• cert.pem

Locate these files and have them ready to upload later.

1. Go to the login page for your instance. Log out if needed.

2. Click Sign in with SSO.

3. Log in using your Okta credentials and consent to Make's access to your user data.

You can bypass SSO by going to https://xyz.onmake.com/admin/login and entering your credentials. Using the /admin/login page lets you return to the System settings page and adjust your configuration.

Microsoft Azure supports both OAuth 2.0 and SAML 2. Perform the following steps to connect Make with Azure Active Directory.

OAuth 2.0

1. Log in to your Azure Portal and open Azure Active Directory.

2. Open App registrations and click New registration.

3. Give the registration a name.

4. Fill in the Redirect URL.

   • Find the Redirect URL In Make > Organization > Settings after you select an SSO type.

5. Click Register.

6. Note down the Application (client) ID.

   • Paste this ID into your Make settings.

7. Go to Certificates and secrets and click New client secret.

   • Paste the secret value into your Make settings.

8. Go to Overview and click Endpoints.

   • Paste the OAuth 2.0 authorization endpoint (v2) into the Authorize URL field in Make settings.

   • Paste the OAuth 2.0 token endpoint (v2) into the Token URL field in Make settings.

9. Paste the following into the User information URL in Make settings.

10. In Make, set up Login scopes and Scopes separator:

    • Login scopes: openid, profile, email

    • Scopes separator: space

11. In Make, paste the following into User information IML resolve. This tells Make how to map user information received from Azure to information in Make database.

    • {"id":"{{id}}","email":"{{mail}}"}

Your Make private instance has the following groups of instance-level permission roles:

• System roles designed for the needs of administering the instance.

• Developer roles designed for users who edit and create custom applications.

• Support roles designed for those who provide customer support.

The following charts provide the details of which specific permissions are enabled for each role.

1. Go to Organization > SSO.

2. Enter the following information from Okta into the IdP login URL and Identity provider certificate fields.

1. In the Allow unencrypted assertions, select Yes.

The System settings page lets you enable login features to enhance the security and integration of your Make White Label instance. The single sign-on (SSO) configuration supports a wide range of identity providers. You can also enable end-users to set up two-factor authentication for their accounts.

Your Make White Label instance supports the following login options:

• Default email and password login page

• Single sign-on (SSO)

• Two-factor authentication