Set up by: Company-level admin
Miro's SAML-based single sign-on (SSO) feature gives your end-users access to the Miro application through an identity provider (IdP) of your choice.
Miro also supports SCIM with any identity provider of your choice. For more information on that, please reach out to email@example.com
- Configuring SSO
  - Step 1: Configure your identity provider
  - Step 2: Enable SSO option in Miro
    - Just In Time Provisioning for new users (optional)
- Possible Issues and How to Resolve Them
Once SSO is enabled for the Enterprise account, the following rules apply to the end-users:
- End-users with the corporate domains must log into Miro via the SSO option, using their identity provider credentials. All other authentication options (the standard login+password, Google, Facebook, Slack, and O365 buttons) are disabled for them.
- If an end-user is a member of team workspaces outside the Company umbrella, they are still required to log in via SSO as soon as the Company enables this feature, because their profile is connected to the secure company workspace.
- Non-Team Users (guests, independent contractors, etc.) who have access to certain Company boards are not required to authenticate via SSO, as long as their user profile is not under one of the SSO-whitelisted corporate domains.
- End-users are not allowed to change their passwords or edit their first names, last names or profile pictures in Miro. This data is instead supplied by your identity provider on each successful login.
NB: An email address change needs to be made first on the Miro side (please reach out to our support team for assistance) and then on the identity provider side, before the end-user tries to log into Miro with their new credentials. Our system recognizes a user by their email address: if the system is not notified about the change before the next login, the person will be treated as a new user and a new profile will be registered instead of logging them into their existing profile.
Step 1: Configure your identity provider
Feel free to use any identity provider of your choice. The how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link can be seen below:
Here you can also find the instructions for Auth0.
First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On.
Then be sure to enter the following data. Depending on the identity provider you may have more or fewer fields to fill out; we recommend skipping optional fields or leaving them at their default values.
- Protocol: SAML 2.0
  - Binding SP to IdP: HTTP Redirect
  - Binding IdP to SP: HTTP POST
- The service URL (SP-initiated URL) (aka Launch URL, Default Relay State, Reply URL, Relying Party SSO Service URL, Target URL, SSO Login URL, Redirect URL, Identity Provider Endpoint, etc): https://miro.com/sso/saml
- Assertion Consumer Service URL (Allowed Callback URL): https://miro.com/sso/saml
- Identifier (Entity ID, Relying Party Trust Identifier): https://miro.com/
- Signing requirement:
  - Assertion: must be signed (a signed SAML assertion is mandatory)
  - Response: may be signed, but this is not required
- SubjectConfirmation Method: "urn:oasis:names:tc:SAML:2.0:cm:bearer"
The identity provider's SAML response must contain the public-key X.509 certificate issued by the identity provider.
Miro will accept:
- An unsigned SAML Response with a signed Assertion
- A signed SAML Response with a signed Assertion
Detailed examples can be found here.
User Credentials (Claim Types):
- Primary attribute (aka SAML_Subject, Primary Key, Logon Name, Application username format, etc.) - NameID: equals the user's email address (do not confuse this with EmailAddress, which is usually a separate attribute).
- Additional attributes to be sent with the assertion: FirstName (GivenName), LastName (Surname)
  - A ProfilePicture attribute (a Base64-encoded URL is also supported) can be added but is not required.
Again, anything else can be left at its default or unspecified.
Once these values are defined in your identity provider, it has all the information it needs for a successful SSO procedure.
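As an added pre-flight check (not Miro's own code), the script below tests a SAML Response produced by your identity provider against the requirements listed in this step: a signed Assertion (a Response signature alone is not enough), an X.509 certificate in the response, the bearer SubjectConfirmation method, Audience and Recipient matching the Miro Entity ID and ACS URL, NameID holding an email address, and FirstName/LastName (or GivenName/Surname) attributes. The sample response is constructed for the example, and the check is structural only: it does not cryptographically verify the XML signature.

```python
import re
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL, ENTITY_ID = "https://miro.com/sso/saml", "https://miro.com/"   # values from Step 1
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def check_saml_response(xml_text):
    """Return the checklist violations found in a SAML Response (empty list = passes).
    Structural check only: it does NOT cryptographically verify the XML signature."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no plain-text Assertion (encrypted assertions are not handled here)"]
    problems = []
    # Miro requires the Assertion itself to be signed; signing only the Response is not enough.
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    if root.find(".//ds:X509Certificate", NS) is None:
        problems.append("no X.509 certificate in the response")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        problems.append("SubjectConfirmation Method is not bearer")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient", ACS_URL) != ACS_URL:
        problems.append("Recipient is not the Miro ACS URL")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS) != ENTITY_ID:
        problems.append("Audience is not the Miro Entity ID")
    # NameID must be the user's email (a separate EmailAddress attribute does not count)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", a.findtext("saml:Subject/saml:NameID", "", NS)):
        problems.append("NameID is not an email address")
    names = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for label, accepted in (("FirstName/GivenName", {"FirstName", "GivenName"}),
                            ("LastName/Surname", {"LastName", "Surname"})):
        if not names & accepted:
            problems.append(f"{label} attribute missing")
    return problems

def sample_response(sign_assertion=True):
    """Constructed sample, not a real IdP capture; the Signature is a placeholder (no real key)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
           '<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" Destination="{ACS_URL}">
  {"" if sign_assertion else sig}<saml:Assertion ID="_a1">{sig if sign_assertion else ""}
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">
  <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>'''
```

Calling `check_saml_response(sample_response(sign_assertion=False))` reports only that the Assertion is unsigned, which is exactly the response shape Miro rejects even though the Response itself carries a signature.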
Step 2: Enable SSO option in Miro
It is strongly recommended to configure the feature in an incognito (private) window of your browser. That way your existing session in the standard window stays logged in, so you can switch SSO off again if something has been configured incorrectly. If you wish to set up a test account before enabling SSO on production, please request it from your Account Executive or reach out to firstname.lastname@example.org for assistance. Only those who configure SSO will be added to this test account.
To enable SSO for your Miro Enterprise account, go to Settings > Security, enable the SSO feature and specify the following values:
- SAML 2.0 Endpoint URL (in most cases this opens your identity provider's page, where your end-users enter their credentials)
- Public Key X.509 Certificate (issued by your identity provider)
- The list of domains allowed to authenticate via your SAML server. Public domains (e.g. @gmail.com, @outlook.com, etc.) are not allowed
To finish, click Save. After that, your end-users can start logging in via SSO.
Just In Time Provisioning for new users (optional)
Just In Time (JIT) provisioning lets your end-users engage with Miro right away, without waiting for someone to invite them to the account or going through the full onboarding process, and prevents them from creating trial and free accounts outside your managed Enterprise umbrella.
⚠️ Miro JIT feature affects only newly-registered users. The users that already have an existing profile with Miro still require an invitation to your Enterprise account.
To enable the Miro JIT feature, open your SSO settings, tick the Just In Time provisioning box and choose the designated team.
Enable Just in Time provisioning feature in the Security settings
All newly registered users from the domains that you list in the settings will be automatically added under your Enterprise Umbrella to this particular team when they sign up with Miro.
Possible Issues and How to Resolve Them
My domain addresses are not accepted in the SSO settings - `DomainName is busy` message.
- For security reasons, we support an organization's domain(s) in one Company umbrella (Enterprise account) only. It is possible that your domains are already set up in another Business plan or Enterprise plan account, preventing you from enabling SSO with the desired domain. Feel free to check it with your colleagues beforehand.
We need to change the email addresses of our end-users / We changed the emails of our users and now they are unable to access their boards.
- If your company is changing its domain name, and therefore the email addresses (SSO credentials) of your end-users need to change, please reach out to our support team for assistance.