Available for: Business Plan, Enterprise Plan
Required role: Company Admins
💡 It is strongly recommended to configure SSO in a separate incognito mode window of your browser. This way, you keep the session in the standard window, allowing you to switch off the SSO authorization in case something is misconfigured.
If you wish to set up a test instance before enabling SSO on production, please reach out to the Support Team for assistance. Only those who configure SSO will be added to this test instance.
⚠️ See our main SSO article here for rules, supported features and optional configuration on the Miro end.
Adding and configuring the app
1. Find the Miro pre-configured application in Entra ID Enterprise Application Gallery (Enterprise Applications > +New Application).
2. Create the application and click 2. Set up single sign-on (or select Single sign-on from the left side and select the SAML sign-on method).
3. You will see that the Basic SAML Configuration is already in place:
⚠️ If the SSO login fails after everything is set up, try changing the Entity ID from https://miro.com to https://miro.com/
⚠️ Sign-on URL, Relay State and Logout URL (For Single Sign-Out) must be left empty since these functionalities are not supported.
The Attributes & Claims are also already in place:
⚠️ Note that:
a) the UPN will become the main parameter by which a user in Miro will be recognized and this parameter will not be updateable from the Entra side. When you need to update user emails in Miro without using SCIM, please reach out to our support team.
b) Miro will accept GivenName, Surname, DisplayName and ProfilePicture. Other attributes are not supported via SSO but can be transferred via SCIM.
Creating the Certificate
1. In Microsoft Entra, ensure that the SAML Signing Certificate > Signing Option is either Sign SAML Assertion or Sign SAML response and assertion.
2. Download the Base64 file.
Configuring SSO in your Miro plan
1. Open the Base64 downloaded file in a text editor, and then copy the x509 certificate from the file.
2. In Miro, under Security > Authentication, paste the copied x509 certificate into the Key x509 certificate box.
3. In the Microsoft Entra settings UI, copy the Login URL, and then go to the Miro Security > Authentication page, and paste it into the SAML Sign-in URL box.
4. In the Miro Security > Authentication page, on the Users from these domains will sign in using SSO section, ensure that you add at least one company domain.
⚠️ In Miro, ensure Sync profile photos from IdP is not checked. Entra ID does not support syncing user profile photos. When Sync profile photos from IdP is not checked, users are able to set their own profile photos.
5. Click Save.
Your SSO configuration is now complete.
Configuring claims when UPN and Email differ
You can configure the settings to use any Entra attribute which is in the email format as the NameID in Miro.
IDP- and SP-initiated logins
For IDP-initiated login, Entra sends Miro the value you decide to use as the NameID (user.mail in the example below).
With this flow, your end-users access Miro via the icon on their portal console (for example at https://myapplications.microsoft.com/). From there a request is sent to Miro and the user is logged in using the NameID you defined. Miro will expect this attribute to match the user's email in Miro. A mismatch will result in failed authentication.
For SP-initiated login, Miro will send a request specifically for the user's UPN and will expect it to match the user's email in Miro. A mismatch will result in failed authentication.
Now, the SAML Sign-in URL field in your Miro settings is expected to contain the Login URL of the Miro app of your Entra instance. This will be the URL Miro will direct the user to from the Miro Login page.
When the user is directed to the Login URL from the app, the SAML request is generated. With this flow, the user is logged in with the email address that the user entered on the Miro login page and which Miro then requests from Entra, requiring it to be the UPN attribute.
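A diagnostic for the mismatch failures described above, as an added example that is not Miro's or Microsoft's code: it decodes a captured SAMLResponse, checks that the assertion carries a signature element (presence only, not cryptographic verification) and compares the NameID with the user's Miro email. The sample response is constructed and simplified, the function names are hypothetical, and the case-insensitive email comparison is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def build_sample_response(name_id, sign_assertion=True):
    """Constructed, simplified SAMLResponse (base64); not a real Entra capture."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if sign_assertion else ""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        "<saml:Assertion>%s<saml:Subject>"
        "<saml:NameID>%s</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], sig, name_id)
    return base64.b64encode(xml.encode()).decode()

def diagnose(saml_response_b64, miro_email):
    """Return a list of problems that would explain a failed login."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    problems = []
    # Both signing options the page allows sign the assertion itself, so a
    # ds:Signature must be a direct child of the Assertion element.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    name_id = assertion.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=NS
    ).strip()
    if "@" not in name_id:
        problems.append("NameID is not in email format: %r" % name_id)
    # Assumption: emails are compared without regard to case.
    elif name_id.lower() != miro_email.strip().lower():
        problems.append(
            "NameID %r does not match Miro email %r" % (name_id, miro_email)
        )
    return problems
```

An empty list means the response passes these structural checks; it does not prove the signature is valid for the uploaded certificate.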
How to set up
To allow your users to access Miro with their Entra Email rather than UPN, you can fill out the SAML Sign-In URL field in Miro with the URL of the app from the Entra console. Then the SP-initiated flow will be as follows:
- The user accesses Miro by entering their Miro email, which is the email they have in Miro. Miro understands that the person should be logged into the defined user profile.
- The user is directed to their app link that is used for the IDP-initiated login.
- The link utilizes the NameID attribute that you defined and sends it to Miro.
- The user is therefore logged into Miro into the previously defined user profile with the NameID you defined.
If you'd like to also enable auto-provisioning for Miro, check out this article.
If you encountered any issues during configuration, please check out this article.
Entra testing tool
To get to the testing tool, choose the Single Sign-In tab in the settings of your application and scroll down to the bottom of the section.
Entra suggests using the test login process to check the connection and troubleshoot an error message. After the test, you will be given instructions on how to solve the situation.
Please keep in mind which credentials managed by Entra/ADFS your workstation is authenticated with. If you are trying to use a different set to log into Miro the login attempt may fail, as the Identity Provider will transfer your main set of credentials and there will be a mismatch. For instance, this can happen if you are the SSO administrator and test the login procedure under different user credentials.
Alternatively, you can test in Miro
- Complete the steps above to configure your SSO settings.
- Click the Test SSO configuration button.
- Review the results:
  - If no issues are found, a confirmation message SSO configuration test was successful will be displayed.
  - If issues are found, a confirmation message SSO configuration test failed will be displayed, followed by detailed error messages to guide you on what needs to be fixed.