3.1 Configuring Single sign-on

To ensure that your users can access Miro securely, configure Single sign-on (SSO). When a user submits their credentials to sign-in to Miro, Miro sends a request to your identity provider (IdP) to validate their credentials. If your IdP confirms their identity, then the user can access Miro.

You can connect your preferred identity provider to your Enterprise subscription, like Entra ID, Google SSO, and Okta.

More information: See Single sign-on (SSO). 

Before you configure Single sign-on

Prerequisites

Ensure that you complete the following prerequisites:

• Configure your identity provider (IdP) for Miro.
  The following list provides setup instructions for supported identity providers:
  • AWS
  • Okta
  • Google
  • Entra ID
  • OneLogin
  • Auth0

  • ADFS

    For Miro service-provider (SP) metadata that your IdP may require, see Miro metadata for Single sign-on configuration.

• Ensure you have the following information from your IdP:
  • SAML sign-in URL
  • Key x509 certificate

  • Callback URL

    NOTE: May also be called Assertion Consumer Service (ACS) URL, Relay State, Reply URL, or Replying Part Trust Identifier.

• (Optional) Create a break glass user.
  A break glass user is an account outside the SSO domain, like break.glass@gmail.com, with high privileges. In an emergency, like a service outage or cyber attack, your break glass user aids recovery. To learn more about break glass users, see Break glass privileged accounts for disaster recovery.

Configure Single sign-on 

1. In Admin Console, go to Security > Authentication.
2. Toggle Single sign-on (SSO) to the on position.
3. Add the following information from your IdP:
   1. SAML sign-in URL
   2. Key x509 certificate
   3. Callback URL | {IdP-specific term} 
      See Prerequisites.
4. (Optional) Click Test SSO configuration and follow the on-screen instructions to test your configuration.
5. Select any of your managed domains to provide SSO to users inside those domains.
6. (Optional) Tick Just-in-time provisioning (JIT) to select a default team for new users to join automatically when they register.
7. (Optional) Tick Sync user profile photos from IDP.
8. Click Save.

More information:

• Single sign-on (SSO)
  Learn more about testing, renewing, and optional settings for SSO.
• Two-factor authentication (2FA)
  Learn about adding an extra layer of security requiring two verification methods.
• Idle Session Timeout
  Learn about setting an upper limit for inactivity before a user is automatically logged out.

Next: 3.2 Setting up SCIM

To continue your Miro Enterprise configuration, set up SCIM.