Matterport and SAML/SSO 

SAML (or Security Assertion Markup Language) is an open standard protocol that enables you to use a single sign-on (SSO) credential to access Matterport across various IDPs (Identity Providers). SAML allows secure tokens to be passed between IDPs and SaaS applications like Matterport. This ultimately expedites your user workflow by eliminating the need for passwords, and centralizing the authentication process. SSO also provides you with higher visibility, and allows for expedited application adoptions and rollouts. 

Before you begin 

To enable SSO on your Matterport subscription, you will need to have an Enterprise Matterport subscription plan.

IDP Support  

SSO gives members access to Matterport through identity providers that support the SAML 2.0 standard - we currently have validated integrations with the following IDPs: 

  1. Microsoft Azure
  2. Okta 
  3. Ping ID

We are working on validating our implementation for additional IDPs - if you are using an IDP that supports SAML 2.0 and is not included on the list, please reach out to us at support@matterport.com.


Instructions 

Remember, SSO must be enabled by the Matterport support team before you follow the steps in this section.  


Access Matterport account settings 

  1. Log in to your Matterport account
  2. Click your account name (top-right) 
  3. Click Settings
  4. Click Manage in the account dropdown menu to the left 
  5. Under the Authentication header, click the Manage button next to Single Sign-On (SAML)

The Configure Single Sign-On Page 

This page is where you will begin the single sign-on setup - follow the instructions below. 

Before beginning the process, read the Overview section at the top of the page.

This section will briefly outline how this will affect users associated with the account you are configuring - the main takeaway is that you can choose whether or not members of your organization are forced to use SSO, or be given the option to use their legacy credentials to access Matterport. We will touch more on this configuration later in the guide. 

Copy and import required sign-on info from Matterport to your IDP

  1. ACS URL 
    • Highlight the provided URL and click the “Copy” button - tab over to your IDP’s unique page and paste the URL into the ACS URL field. 
  2. SP Entity ID 
    • Highlight the provided URL and click the “Copy” button - tab over to your IDP and paste the URL into the SP Entity ID field. 
  3. Matterport Logo 
    • Highlight the provided URL and click the “Copy” button - tab over to your IDP and paste the URL into the Logo field. 
  4. Account Key 
    • This identifies which account is accessing SSO, and lists it to the right.

Copy and import required single sign-on info from your IDP to Matterport 

  1. IdP Metadata File
    • The Metadata tab provides the easiest and most recommended way of importing your IdP’s data into Matterport.  Copy and paste the XML directly into the Metadata field.

If you do not have a Metadata file or wish to change things individually, use the Advanced Tab.

  1. SSO URL 
    • Tab over to your IDP and copy the Identity Provider SSO URL, then paste it in the field. 
  2. IdP Entity ID 
    • Tab over to your IDP and copy the Identity Provider ID, then paste it in the field. 
  3. Public Certificate 
    • Tab over to your IDP and copy the entire X.509 certificate, then paste it in the field. 
  4. Attribute Name Format 
    • This is the format of the user’s NameID that is being sent to Matterport during authentication.

Click Save Configuration to complete your changes.

Allow only SSO, Automatic User Provisioning and Automatic Access Authorization 

Allow only SSO 

Switching on the Allow only SSO toggle requires all users associated with your account to authenticate using SSO. We recommend turning this on later, after the lion’s share of users in your organization have adopted the transition. 

Automatic User Provisioning

Contact the Matterport Support team to enable Automatic User Provisioning for your account. 

When enabled, Automatic User Provisioning is available as a toggle inside the Configure Single Sign-On page. You can toggle it on or off to control whether new users authenticated by your IdP will join your Matterport account automatically. 

When switched on, first-time Matterport users that have been authenticated will be provisioned collaborator access automatically (inside the Matterport account). This means account users don't have to receive a manual invite to join.

Enabling Automatic Provisioning 

Follow the steps below to enable Automatic Provisioning. 

  1. Contact Matterport Support to request that the feature is enabled
    • Once enabled, you will see the option within the configure SSO page in settings that allows you to control auto provisioning of users to your account.
    • Enable this feature if you do not need another gating check for collaborators joining your Matterport.
  2. Add Matterport access to your user(s) on your IDP 
    • Upon logging in for the first time, selected users will be automatically added to your account. 
    • These users will not be given access to any existing models by default unless automatic authorization (see next section) is enabled.
    • Additional user access, beyond automatic authorization, can be added manually. 

It's critical to note that if you enable automatic user provisioning, your users will need to sign in through your IdP the first time they log into Matterport. This is also referred to as IdP initiated login. Once a user is successfully provisioned through an IdP initiated login, all subsequent Single Sign-on logins will be allowed from both the IdP and the SSO login page on https://my.matterport.com.

 

Automatic Access Authorization 

Once Automatic User Provisioning is enabled, the account owner will be given the additional option to enable Automatic Access Authorization. When this option is switched on, you can select a default folder that grants view-only access to all new users that have been automatically provisioned to the account. Enable this feature if you want new users to start with view-only access to models, as opposed to starting entirely from scratch with nothing. From there, you can grant additional access manually to users of your choice, so long as they've been provisioned. 

SAML/SSO FAQs for admins 

What protocol/standard does Matterport support for SSO Federated Identity?

Matterport SSO implementation is based on SAML 2.0 federation.

My IDP is not on Matterport’s supported list - what do I do? 

Contact Matterport Support for the next steps. 

Does SSO support Microsoft Active Directory access? 

Microsoft Active Directory is not in our verified list of IDPs. Contact support for guidance on the next steps. 

What does SSO allow access to? 

SSO access is used to manage Matterport’s Cloud portal only. Support and community portals, on the other hand, will continue to be managed using legacy login credentials.

Can I bypass the manual invitation process for adding users to my Matterport account?

Yes, with the auto provisioning feature. Reach out to support to help configure this feature.

What happens if I downgrade my Matterport subscription plan? 

SSO will continue to work for users that were set up for SSO prior to the downgrade.

I’m receiving error messages while configuring SSO setup - what do I do? 

Contact Matterport Support and we will walk you through the troubleshooting process. 

How do I Automatically Provision users to my Matterport account? 

  1. Reference the steps in the Automatic User Provisioning section above to enable Auto Provisioning. 
  2. Grant user access for Matterport in your IdP
  3. All users need to login from IdP (i.e. IdP initiated login) for the first time to be auto provisioned. 
  4. Once provisioned, subsequent SSO logins are allowed from both IdP and the Single Sign-On link at https://my.matterport.com. 

SAML/SSO FAQs for end users 

My invitation link has expired - what do I do? 

Contact your IT administrator to request a new invitation. 

I’m a first-time user - how do I use SSO to sign in to Matterport? 

Contact your IT admin or account admin and request that Matterport access be granted to your corporate email that is set up on your IDP (e.g. Okta/Ping). Once you have that, log in to Matterport using SSO with the email address provided. 

I’m an existing user - how do I use SSO to sign in to Matterport? 

If you already have an account, you will receive an email from your organization’s IT administrator - follow the instructions in the email to log in. 

What can I expect after SSO is enabled? 

Your old account credentials will no longer work. Roles, associated access permissions, and models from your old account will be accessible using your SSO credentials. 

I’m receiving error messages while logging into Matterport using SSO - what do I do? 

Verify with your IT administrator that your access to the Matterport application is active and has no issues with your IDP. If that does not resolve the issue, reach out to Matterport support. 

Questions on pricing for Enterprise subscriptions

Reach out to Matterport sales.

Can I add additional SSO enabled users to my account beyond my subscription limits?

Yes. You can purchase additional SSO enabled user packs. Reach out to Matterport sales.
