Settings and account management

Your Settings page is where you can manage the account's profile information, billing and authentication methods, and apps connected to your Mapbox account. To access the Settings page, log into your account and navigate to account.mapbox.com/settings. For accounts using SAML Single-sign on, only users with the Root role assigned in their identity provider can access and update settings.

Profile

All users who login to an account with the account's master password can access and update the account's settings. Alternatively, if your account has enabled SAML Single sign-on authentication, there are two user roles that are available: Root and Admin, which are assigned to users in an identity provider like Okta. Only users with the Root role will be able to access and update settings as described below.

Add or change an account's organization name

If you add an organization name in your Settings, this value is included in the header of the account's invoices

  1. Log in and navigate to your Account settings page, and click the Profile tab.
  2. Enter the new or updated organization name and click Save changes.

Change an account's email address

  1. Log in and navigate to your Account settings page, and click the Profile tab.
  2. Enter the new email address and click Save changes.

Change an account's username (not possible)

It's not possible to change your username. Doing so would break links to your maps and could cause unanticipated problems.

Instead, you can create a new account, transfer your map styles, and update your web and mobile applications to reference the new account's tokens and styles. Once this transition is complete, you can delete the original account without breaking any links to your maps. For more information about setting up an account for collaboration or preparing for an ownership transition, see our guide for collaboration.

Please contact support with questions or feature requests about an account's profile settings.

Delete your account

You can delete your account by scrolling to the bottom of your Account settings and clicking the Delete account button.

When you delete an account, the change is effective immediately and all maps and data are removed:

  • Projects and data associated with your account will no longer be available.
  • You will not be able to use the account to log in to Mapbox.
  • We won't automatically prorate for unused services.
  • Deleting your account is permanent. We will not be able to recover your account if you change your mind.
  • You will not be able to create an account with the same username again.

Password

Change your password

  1. Log in and navigate to your Account settings.
  2. Enter your current password and new password in the appropriate fields.
  3. If you have two-factor authentication enabled, enter your two-factor authentication code.
  4. Click Save new password.

Reset your password

If you're having trouble logging in, try resetting your password by providing the email address that's associated with your Mapbox account. We'll send you an email with further instructions.

The link you'll receive in your password reset email is only valid for 24 hours. If you receive an Invalid token error message or have waited more than 24 hours, you'll need to request another password reset email.

If you don't remember your email address or you're having other access problems, contact our support team and we'll look into it.

Sometimes, password reset emails are undeliverable especially for inactive email addresses. If you are not receiving the password reset email, let us know.

Security

An account's Security Settings page is where you can enable two-factor authentication or SAML Single sign-on for the account.

Two-factor authentication

Two-factor authentication (2FA), also known as multi-factor authentication (MFA) or two-step authentication, provides an optional, but recommended, layer of security to your account. Once enabled, you'll be prompted to enter your password as well as a security code generated on your mobile device whenever you log in.

Enable two-factor authentication

When you're logged in to your account, you can enable two-factor authentication from your Security page.

Your Security page will include a barcode which you'll be prompted to scan with your mobile device.

Scan the generated barcode using an authenticator app on your mobile device. We recommend using Google Authenticator - it's free and available for iOS and Android. For a Windows phone, use the Authenticator app.

Your mobile device will display a 6-digit code. Type this code into the field below the barcode to complete the process.

Use a recovery code to access your account without your two-factor device

After you've set up two-factor authentication on your account, you will be redirected to a page with a recovery code. A recovery code is a single-use code that lets you sign in without your two-factor device.

Write down this code and keep it in a safe place. Treat your recovery code like a password to your account. If you lose your mobile device, you will need this code to log in to your account.

If you have already set up two-factor authentication on your account and do not have a recovery code, go to your Security page to generate and retrieve your recovery code.

To use the code, you'll need your username or email and your password. To use your recovery code:

  1. Navigate to the Sign in page.
  2. Enter your username and password and click Sign in.
  3. Click the Lost your mobile device? link below the Sign in button. A new field will appear.
  4. Enter your recovery code in the new field and click Sign in.

Using your recovery code will temporarily disable two-factor authentication and give you a chance to configure a new two-factor authentication device.

Regain access after losing your recovery code

If you do not have your recovery code, you must have a payment method on file so we can verify your account and remove two-factor authentication. Contact our support team to get started.

Single Sign-on authentication (SSO)

Public beta

SAML Single sign-on (SSO) is in public beta and is subject to potential changes.

Manage your organization's access to Mapbox accounts while adding another level of security with SAML Single sign-on (SSO). SSO enables members of your organization to authenticate into a mapbox.com account through any trusted, third-party identity provider that supports the SAML2.0 protocol.

SAML SSO capabilities

Supports:

Does not support:

  • OAuth, OpenID Connect, Kerberos, other protocols
  • Service provider (SP) initiated login
  • Identity provider (IdP) initiated single logout
  • Nested sub-account hierarchy of separate, connected accounts
  • Multiple identity providers
  • Domain control or domain lockout

Setting up SAML SSO for your Mapbox account

The setup workflow for each identity provider can be unique, but there are general themes:

  1. Login to the Mapbox account you want to set up with SSO authentication
  2. In your identity provider (IdP), create a new SAML application
  3. Copy and paste the required details in the Configure your identity provider section of the Mapbox SSO setup page into your IdP’s configuration workflow
  4. Add the user roles as a custom attribute in your IdP
  5. Copy and paste the required details from your identity provider in the Setup SAML single sign-on for Mapbox section of the SSO setup page
  6. Click Enable single sign-on to save your integration
  7. Assign users to your application in the IdP
  8. Assign roles to the users
  9. Test that the SAML authentication is working as expected

Have questions about setup? See the sections below for more details about each step, or submit a support request to get in touch with our team.

Configuring your identity provider

Log into your identity provider with the required administrative privileges, then create a custom SAML2.0 application for Mapbox. If you're an Okta user, read their How to configure SAML for Mapbox guide to get started.

In this new application, enter the following required information from the Mapbox SSO setup page:

  • Single sign-on URL, also could be referred to as the SSO URL, Assertion Consumer Service (ACS) URL, Reply URL, Callback URL, or Post-back URL in your IdP
  • Audience Restriction, also could be referred to as Audience URI, SP Entity ID, or Identifier in your IdP
  • The application username must be in email format
  • The SHA256 encryption algorithm is required

Configuring user roles in your identity provider

Through SAML SSO you can assign users roles that provide certain permissions in the Mapbox Account app and Mapbox Studio that are also enforced by all Mapbox APIs. User roles are assigned in the identity provider and transferred to Mapbox in the SAML assertion. The available user roles are:

RolePermissionsTypical users
RootUsers with the Root role can read and write to account settings and can read and write to all resources and APIs.IT Admins, Product Owners, CTOs
AdminUsers with the Admin role can read and write to all resources and APIs. They cannot read or write to account settings.Developers, Designers, Project contributors

Many identity providers use custom attributes and attribute statements for roles. Typically, roles can be assigned to individuals or groups. Consult the documentation for your specific IdP, such as the Okta documentation for Mapbox SAML apps for details.

Contact our team with questions about these user roles or to share feedback about which roles you'd like to see next.

Completing SAML SSO setup for Mapbox

To complete the initial connection between your identity provider and mapbox.com, enter the following required information in your Mapbox account's SSO setup page:

  • Identity Provider sign-on URL, also could be referred to as SSO URL or SAML endpoint in your IdP
  • IssuerID, also could be referred to as Entity ID, Issuer, or Issuer URL in your IdP
  • X.509 Certificate, pasted as text into the field

Be sure to include — BEGIN CERTIFICATE — and — END CERTIFICATE — when pasting your X.509 certificate into the Mapbox form.

Click Enable single sign-on to submit the form.

Validating the SAML SSO integration

Once you have saved the integration, return to your identity provider to assign the application to yourself for testing. When assigned, try clicking the tile, chiclet, or link for your Mapbox app to login. From the Mapbox account, you can also click the test SAML configuration button in the Security settings to login with SSO.

Enforcing SAML SSO authentication

Enabling SSO for an account does not invalidate password authentication. Any users logging in with the password (and optional 2FA) will assume the Root user role. The account's master password is still a valid authentication method to make sure your transition period is seamless and Root users have direct access to the account if your identity provider has an outage.

To encourage your users to login to Mapbox through your identity provider, we recommend the following:

  • Assign yourself the Root user role in your IdP so you will have access to settings
  • Assign most others the Admin user role so they will not have access to settings
  • Change the email for the account to an email address that the Root user(s) can access
  • Change the password for the account
  • Save the new password in a safe location with limited access (identity provider, shared password manager, or IT vault)
  • If 2FA is enabled for the account, either turn it off or save the recovery codes with the new password

These changes should effectively push all the Admin users to authentication with Single sign-on, as they'll no longer have the password.

GDPR compliance

Mapbox Services are fully compliant with GDPR. For more information, read our DPA and subprocessors pages.

Mapbox is also Privacy Shield certified and can be found on privacyshield.org.

If you have any questions after reviewing those documents, let us know.

Was this page helpful?