How to set up Single sign-on or SSO in Mews Operations

Single Sign-On (SSO) is an authentication service that enables users to access multiple applications with one set of login credentials, for example, a username and password. It helps system administrators manage user access more effectively across your organization. Single Sign-On is available in Mews to help simplify managing user logins and access permissions.  

 

If you are part of a chain or multi-property enterprise and have questions about SSO, contact your Mews Customer Success Manager for assistance. 

 

Note:
  • Single Sign-On (SSO) is available for all properties with private email domains and an IdP (Identity provider).
  • Mews now requires the User Principal Name (UPN) claim for all Azure AD customers using Single Sign-On (SSO). You can learn more below.

 

Mews currently supports the following enterprise providers:    

  • Active Directory/LDAP
  • ADFS
  • Azure Active Directory Native
  • Google Workspace
  • OpenID Connect
  • Okta  
  • PingFederate
  • SAML  
  • Azure Active Directory      

 


 

Prerequisites for setting up Single Sign-On (SSO)   

Mews now requires the User Principal Name (UPN) claim for all Azure AD customers using Single Sign-On (SSO): 

  • The UPN claim replaces email-based authentication, helping prevent potential unauthorized logins. 
  • This does not impact users authenticating via Google Workspace or Okta. 

Before configuring SSO in Mews Operations, ensure that UPN is enabled in your Azure AD setup. Follow the steps in the Azure AD documentation to enable this setting. 

 

To configure Single Sign-On (SSO) in Mews Operations, you need to complete the steps in How to prepare for setting up Single-Sign-On or SSO for your Mews account.

 

How to set up Single sign-on (SSO) in Mews Operations

To set up Single Sign-On (SSO) in Mews Operations: 

  1. On the main screen, go to your account icon, then type in the search bar to select your portfolio account, or the portfolio that the Mews team set up for you:  

Main screen Mews operations - click account to access SSO portfolio

  2. In your portfolio, go to the main menu Menu icon > Settings > Property > Security.
  3. In the Single sign-on (SSO) section, click Configure SSO.

Security screen - configure SSO

Enter Single Sign-On (SSO) configuration settings 

To configure the Single Sign-On (SSO) settings for your account, you need to create a valid OpenID connection with our identity provider Auth0, and configure the UPN claim in Azure AD.

 

Note: To find your IDP information required for the following steps, you can consult the help articles from your IDP provider, for example, Microsoft or Google.

 

Configure UPN claim in Azure AD 

Note: This requirement applies only to Azure AD. It does not affect Google Workspace or Okta SSO integrations. 

To ensure secure authentication, Mews now requires the User Principal Name (UPN) claim as part of the SSO login flow for Azure AD customers. 

To configure the UPN claim in Azure Active Directory (Azure AD): 

  1. In the Azure portal, go to Azure Active Directory > Enterprise applications. 
  2. Select the application for which you want to configure optional claims. 
  3. Under Manage, select Token Configuration. 
  4. Select Add optional claim. 
  5. Choose ID token type. 
  6. From the list of claims, select upn
  7. Click Add to confirm. 

Once configured, Azure AD passes the UPN attribute to the system during login, ensuring secure authentication in Mews. 
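
To confirm the optional claim took effect, you can inspect an ID token issued for the application and check that it carries `upn`. The following is an added example, not Mews or Microsoft code: the tokens are constructed and unsigned, the function names are hypothetical, and it assumes UPNs use one of the email domains you select under Configure user domains.

```python
import base64
import json


def decode_id_token_payload(token: str) -> dict:
    """Decode the payload (middle segment) of a JWT for inspection only.

    No signature verification is done here; this is a configuration
    check, not an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_upn_claim(claims: dict, sso_domains: set) -> list:
    """Return a list of findings; an empty list means the claim looks correct."""
    upn = claims.get("upn")
    if not upn:
        return ["upn claim missing: add it as an optional ID token claim"]
    local, sep, domain = upn.rpartition("@")
    if not sep or not local or not domain:
        return [f"upn {upn!r} is not in user@domain form"]
    if domain.lower() not in {d.lower() for d in sso_domains}:
        return [f"upn domain {domain!r} is not an SSO user domain"]
    return []


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"


# Constructed sample data (hypothetical tenant and user).
SSO_DOMAINS = {"example.com"}
WITH_UPN = make_sample_token({"email": "a.smith@example.com", "upn": "a.smith@example.com"})
WITHOUT_UPN = make_sample_token({"email": "a.smith@example.com"})

if __name__ == "__main__":
    for name, tok in (("with upn", WITH_UPN), ("without upn", WITHOUT_UPN)):
        print(name, check_upn_claim(decode_id_token_payload(tok), SSO_DOMAINS))
```

A token that returns the "upn claim missing" finding was issued before the optional claim was added or for a different application registration.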

 

You can now create an OpenID connection with Auth0.

To do so, you need to: 

  1. Select the Identity Provider, for example, Microsoft Azure or Google Workspace.  

Configure SSO side panel  

  2. Enter the following mandatory information:
    1. Identity provider domain, for example, example.onmicrosoft.com
    2. Client/App ID
    3. Secret key
    4. Expiration date. Note: You can click the calendar icon to select the date. Ensure you choose the same date notation, for example, MM/DD/YYYY, as your IDP layout may differ from how your account displays dates.
    5. Email addresses: Type to enter one or more email addresses to get notified before the secret key expires.
    6. Copy the Redirect URL into your Identity Provider.
  3. Click Next.

 

Configure user domains 

You can now configure the user domains for which SSO login is enforced or optional. You can choose to enable SSO for all domains by selecting the Select all option from the dropdown menu.

Note:  

  • Only domains associated with your current active users are listed here.  
  • You need to select at least 1 user email domain.

 

To do so:  

  1. On the User domains screen, click the User domains* dropdown, to select the users for which you want to enforce SSO. You can select multiple, or select Select all to enable SSO for all domains:  

User domains dropdown - Open ID configuration

  2. After selecting your User domains, click the SSO Required slider switch alongside each domain to enforce login as needed:

SSO Required slider switch - user domains - SSO

  3. Click Enable SSO to finish the process and activate the connection.
  4. The system displays the following success message:

SSO active confirmation - sso update connection.png

 

This completes the configuration for Single Sign-On (SSO) in your Mews account.  

Once your Single Sign-On (SSO) is enabled and active, you can view the SSO setup status and update the connection settings by clicking View setup and following the steps below. 

 

Update connection settings 

To update your Single Sign-On (SSO) connection settings: 

  1. Click Show details in the Single sign-on (SSO) section: 

SSO settings panel

  2. In the side panel that opens, click Edit icon to choose from the following options:
    • Edit OpenID settings: Update OpenID configuration settings.
    • Edit secret key: Change the secret key and its expiration date.
    • Edit email domains: Add or remove user email domains and adjust the SSO Required slider switch to enforce SSO for specific domains.
    • Deactivate SSO: Deactivate the SSO connection.

Edit SSO configuration options on Single sign-on screen

  3. Click Save.
  4. The system displays a success message stating Changes saved.

 

This updates your configuration. You can see an overview of your OpenID settings and SSO enabled Email domains, as below: 

Single sign-on SSO settings screen - view details

 

Note: If you encounter issues while setting up or using SSO, contact your Mews Customer Success Manager. 

 

How to update your Single Sign-On (SSO) Secret key

Your Single Sign-On (SSO) secret key is a confidential code that securely connects Mews with your identity provider by verifying login requests and protecting user access. Store it securely to prevent unauthorized access. Only portfolio Admins or those with SSO setup access can update the secret key. To minimize security risks, you need to tightly control access to the key and limit it to specific roles or individuals.

 

To guarantee the security and continuity of SSO logins to your Mews account, you must update your SSO secret key before it expires. The system sends email reminders 30 days and 14 days before your secret key expires, as below. An informative banner notification displays in the system 7 days before the expiration date.
 

Note: Once the secret key expires, users can no longer log in with the SSO flow and need to enter their password until you configure a new key.
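
Because the expiry date is copied by hand from the identity provider, a date such as 03/04/2026 can be read in two notations, which shifts every reminder and the point at which SSO logins stop. The following added example (not Mews code; function names and the sample date are constructed) shows both readings of a date and the reminder dates that follow from the 30-day, 14-day and 7-day schedule described above.

```python
from datetime import date, datetime, timedelta

EMAIL_REMINDER_DAYS = (30, 14)  # email reminders, per the article
BANNER_DAYS = 7                 # in-product banner, per the article


def interpret_expiry(text: str) -> dict:
    """Parse a slash-separated date under both notations.

    Returns a dict keyed by notation, containing only the notations
    under which the text is a valid calendar date.
    """
    readings = {}
    for label, fmt in (("MM/DD/YYYY", "%m/%d/%Y"), ("DD/MM/YYYY", "%d/%m/%Y")):
        try:
            readings[label] = datetime.strptime(text, fmt).date()
        except ValueError:
            pass  # not a valid date in this notation
    return readings


def is_ambiguous(text: str) -> bool:
    """True when the two notations give two different valid dates."""
    return len(set(interpret_expiry(text).values())) > 1


def notification_dates(expiry: date) -> dict:
    """Dates on which the article says reminders appear for this expiry."""
    out = {f"email_{d}d": expiry - timedelta(days=d) for d in EMAIL_REMINDER_DAYS}
    out[f"banner_{BANNER_DAYS}d"] = expiry - timedelta(days=BANNER_DAYS)
    return out


if __name__ == "__main__":
    # Constructed sample: the expiry as displayed in an IdP console.
    shown = "03/04/2026"
    for notation, d in interpret_expiry(shown).items():
        print(notation, d, notification_dates(d))
    print("ambiguous:", is_ambiguous(shown))
```

When a date is ambiguous, confirm the notation in the identity provider before entering it, since the later reading leaves the key expired for a month with no reminder sent.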

SSO secret expiry email - 30 days

To update your Single Sign-On (SSO) secret key: 

  1. Access your identity provider to generate a new SSO Secret key. To do so, you can consult the help articles from your IDP provider, for example, Microsoft or Google.
  2. In Mews Operations, go to the main menu Menu icon > Settings > Property > Security.
  3. In the Single sign-on (SSO) section, select Show details. 

SSO settings side panel

  4. Click Edit icon, then select Edit secret key.
  5. In the Edit secret key (SSO) side panel that opens, copy and paste the new secret key from your identity provider into the Secret key* field, as below:

Edit secret key

  6. Click the Expiration date* field to manually enter a new expiry date or select from the date-picker.
  7. In the Email addresses* field, type to update existing or enter new email addresses to get notifications before the secret key expires.
  8. Click Save.

 

This updates your SSO Secret key. 

 

 

You can learn more about securing your Mews user accounts here

 

 
