Metoro provides flexible authentication options to securely manage access to your observability platform. This guide covers the available authentication methods and how to configure Single Sign-On (SSO) for your organization.

Standard Authentication

Metoro’s standard authentication system provides a comprehensive set of features for secure access management:

Authentication Methods

  • Email and Password - Traditional email-based authentication with secure password management
  • Social Sign-On - Quick authentication using Google, GitHub, or Microsoft accounts
  • Magic Links - Passwordless authentication via email links
  • Passkeys - Device-based authentication using WebAuthn for enhanced security

Security Features

  • Multi-factor Authentication (MFA) - Optional second factor authentication for enhanced security via authenticator apps
  • Session Management - Secure session handling with automatic timeout and refresh
  • Password Policies - Enforced strong password requirements and regular rotation reminders
  • Account Recovery - Self-service password reset via email verification

User Provisioning

New users can join your organization through:
  • Email Invitation - Administrators invite users via email with a specific role assignment
  • Automatic Provisioning - Users are automatically provisioned when they authenticate via SSO / SAML (if configured) with default roles assigned

SAML Single Sign-On (SSO)

SAML SSO allows your organization to use your existing identity provider (IdP) for authentication, providing a seamless and secure login experience for your users.

Benefits of SAML SSO

  • Centralized Authentication - Users authenticate through your organization’s identity provider
  • Enhanced Security - Leverage your existing security policies and MFA requirements
  • Simplified User Management - Manage user access from your IdP without manual provisioning
  • Improved User Experience - Users sign in once to access all integrated applications

Supported Identity Providers

Metoro supports integration with all SAML 2.0 compliant identity providers, including:
  • Okta
  • Azure Active Directory
  • Google Workspace
  • Custom SAML 2.0 providers
  • Custom OIDC providers
  • Google via EASIE
  • Microsoft via EASIE

Enabling SAML SSO

SAML SSO requires configuration by the Metoro support team. This ensures proper setup and security validation for your organization.
To enable SAML authentication for your organization:
  1. Contact our support team at support@metoro.io.
  2. Provide your identity provider details and SAML metadata
  3. Our team will configure the SAML connection and provide you with the necessary configuration details
  4. Test the integration with a pilot group before organization-wide rollout

Default SAML Role Configuration

When SAML is enabled, you can configure a default role that will be automatically assigned to users who sign in through SAML for the first time. This ensures new users have appropriate access immediately upon authentication. To configure the default SAML role:
  1. Navigate to Settings → Users and Roles → SAML Settings
  2. Select the default role from the dropdown menu
  3. Click Save Default Role to apply the configuration
The default SAML role helps streamline user onboarding by automatically granting appropriate permissions to new SSO users. You can still manually adjust individual user roles after they’ve been provisioned.

SAML User Provisioning Flow

When a user authenticates via SAML:
  1. First-time Sign In:
    • User authenticates with your identity provider
    • Metoro creates a new user account automatically
    • The configured default SAML role is assigned
    • User gains immediate access based on role permissions
  2. Subsequent Sign Ins:
    • User authenticates with your identity provider
    • Metoro validates the SAML assertion
    • User session is created with existing permissions
    • Any role changes made in Metoro are preserved

Managing SAML Users

SAML users are managed the same way as regular users once they’re provisioned:
  • Roles can be modified through the Users settings page
  • Additional roles can be assigned beyond the default SAML role
  • Users can be deactivated without affecting their IdP account
  • Permissions are enforced based on assigned Metoro roles
Removing a user from your identity provider will prevent them from signing in to Metoro, but their Metoro account will remain active. To fully remove all traces of a user, you must also delete their account in Metoro.

Mapping Identity Provider (IdP) groups to Metoro Roles

Your Metoro account Role management settings must be configured to allow role mapping from IdP. Please contact Metoro support if you need to use this feature.
If your identity provider supports custom group claims, you can map these groups to specific Metoro roles by using the public_metadata_metoro_role attribute key. This allows you to automatically assign roles based on the user’s group membership in your IdP. Consider the following scenario:
  1. There is a Customer Success group in your IdP that contains users that you want to assign the read-only role you created in Metoro.
  2. For the Customer Success group in your IdP, you can set the public_metadata_metoro_role attribute to read-only.
  3. When users from the Customer Success group authenticate via SAML, they will automatically be assigned the read-only role in Metoro.
Ensure that the public_metadata_metoro_role attribute is set correctly in your IdP for each group you want to map to a Metoro role. If the attribute is not set, users will receive the Default SAML User Role configured in Settings -> Users -> SAML Settings.
Depending on your IdP, these steps may vary. Please refer to your IdP’s documentation for details on how to set custom attributes/group claims or contact Metoro support for assistance. Here is an example of how to send the public_metadata_metoro_role attribute with Metoro role information in Okta:

Mapping Groups in Okta to Metoro Roles

You must contact Metoro Support to allow this feature for your account.
Prerequisites:
  1. Working SAML integration with Okta and Metoro.
  2. The roles that you want to map to groups in Okta must already exist in Metoro. Please refer to the Roles documentation for more information on creating roles.
  3. Your Metoro account Role management settings must be configured to allow IdP role mapping. Please contact Metoro support if you need to allow IdP role mapping for your account.
We are going to follow three main steps to send the Metoro role set in Okta to Metoro:
  1. Create an App User attribute, called metoro_role, on the SAML app in Okta
  2. Set the attribute metoro_role value per group while assigning groups to the Metoro SAML app
  3. Emit the value for public_metadata_metoro_role in the SAML assertion

Step 1: Create an App User Attribute

  1. Log in to your Okta Admin Console.
  2. Navigate to Directory → Profile Editor → App User AttributesUsers tab → Select the Metoro SAML app.
  3. In the Attributes section, click Add Attribute.
  4. Fill in the following details:
    • Data Type: string
    • Display Name: Metoro Role
    • Variable Name: metoro_role
    • Description: The role assigned to the user in Metoro
    • Attribute length: Greater than 0 (or you can set a specific length/enums if needed)
    • Attribute type: Group
  5. Click Save to create the attribute.

Step 2: Set the Attribute Value per Group

  1. Navigate to Applications from the Side Menu and select the Applications sub-menu.
  2. Select the Metoro SAML app from the list.
  3. Go to the Assignments tab.
  4. In the table, select the Groups tab/filter. You will see a list of groups assigned to the Metoro SAML app.
  5. Edit each group and set the metoro_role attribute value to the corresponding Metoro role you want to assign. For example:
    • For the Customer Success group, set metoro_role to read-only.
    • For the Engineering group, set metoro_role to full-access.
  6. Click Save to apply the changes.

Step 3: Emit the Value in the SAML Assertion

  1. Navigate to Applications from the Side Menu and select the Applications sub-menu.
  2. Select the Metoro SAML app from the list.
  3. Go to the General tab.
  4. Scroll down to the SAML Settings section and click Edit.
  5. Click Next until you reach the SAML Settings → Attribute Statements section.
  6. Click Add Another in the Attribute Statements section.
  7. Fill in the following details:
    • Name: public_metadata_metoro_role
    • Value: appuser.metoro_role_name
    • Name format: Unspecified
The attribute name should be public_metadata_metoro_role as Metoro specifically looks for it in the claims.
  8. In the "Preview the SAML assertion generated from the information above" section, click Preview. You should see the public_metadata_metoro_role attribute with the value you set in the previous step.
  9. Click Next and then Finish to save the SAML settings.
The next time a user from the assigned group logs in, Metoro will automatically assign them the role specified in the public_metadata_metoro_role attribute.
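
The following added example (not Metoro's or Okta's code) checks a previewed assertion for the public_metadata_metoro_role attribute before rollout. The sample assertion, the role names passed in, and the handling of an empty or multi-valued attribute are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "public_metadata_metoro_role"  # attribute name Metoro looks for

# Constructed sample shaped like an assertion preview (not real IdP output).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ROLE_ATTR}">
      <saml2:AttributeValue>read-only</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def role_values(assertion_xml):
    """Return the non-empty values sent under the role attribute name."""
    # Intended for a preview you generated yourself: no signature validation.
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def check_role_mapping(assertion_xml, existing_roles, default_role):
    """Classify the role the previewed assertion asks Metoro to assign."""
    values = role_values(assertion_xml)
    if not values:
        # Attribute not set: the page says the Default SAML User Role applies.
        # Treating an empty value as "not set" is an assumption.
        return ("default", default_role)
    if len(values) > 1:
        # The page maps one role per group; several values need a manual look.
        return ("review", values)
    if values[0] not in existing_roles:
        # Prerequisite: mapped roles must already exist in Metoro.
        return ("unknown-role", values[0])
    return ("mapped", values[0])


if __name__ == "__main__":
    roles = {"read-only", "full-access"}  # hypothetical roles in the account
    print(check_role_mapping(SAMPLE_ASSERTION, roles, "read-only"))
```

A misspelled attribute name produces the same "default" result as an unset one, so compare the result against the role you expected for the test user's group.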

Troubleshooting

Cannot sign in with email/password
  • Verify the email address is correct
  • Use the password reset feature if needed
  • If your organization uses SAML authentication, you will no longer be able to use your existing email/password to sign into Metoro
SAML authentication fails
  • Verify your IdP configuration is correct
  • Check that the user exists in your identity provider
  • Contact support if the issue persists
User doesn’t receive expected permissions
  • Verify the default SAML role is configured correctly
  • Check if additional roles need to be assigned manually
  • Review the role permissions in the Roles settings
For additional support with authentication configuration, please contact support@metoro.io.