Articles in this section

Single Sign-On

Cat Elle
  • Updated
Follow

Available for: Company, Business plans

Set up by: Company-level admin

Miro's SAML-based single sign-on (or SSO) feature will provide your end-users with access to the Miro application through an identity provider (IdP) of your choice.

Contents: 

  1. Rules
  2. Configuring SSO
    2.1 Configure your identity provider
    2.2 Enable SSO option in Miro
    2.2.1 Configure Just In Time Provisioning for new users (optional)
  3. Possible Issues and How to Resolve Them

Rules

Once SSO is enabled for the Company account, the following rules apply to the end-users:

  1. The end-users with the corporate domains must log into Miro via SSO option using their identity provider credentials. Other authorization options (the standard login+password, Google, Facebook, Slack, and O365 buttons) are disabled.
    NB:
    - If an end-user is a member of team workspaces outside the Company umbrella they are still required to log in via SSO as soon as the Company enables this feature because their profile is connected to the secure company workspace.
    - Non-Team Users (guests, independent contractors, etc.) that have access to certain Company boards are not required to authorize via SSO for as long as their user profile is not under one of the SSO-whitelisted corporate domains. 
  2. The end-users are not allowed to change their passwords or edit their names, last names or profile pictures in Miro. The data are instead automatically attributed by your identity provider upon successful login.
    NB: The email address change needs to first be made on the Miro side (please reach out to our support team for assistance) and then on the identity provider side before an end-user tries to use their new credentials to log into Miro. Our system recognizes the user by their email address - if the system is not notified about the change prior to the next login, the person will be recognized as a new user and will have a new profile registered instead of being logged into their existing profile.

Configuring SSO

Step 1: Configure your identity provider

Feel free to use any identity provider of your choice. The how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link can be seen below:

Here you can also find the instruction for Auth0.

First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On.

Then be sure to add the following data (however, depending on the identity provider you may have more or fewer fields to be filled out. We recommend to skip optional fields or set everything to default values).

Configuration specifications:

  • Protocol: SAML 2.0
  • Binding:
         HTTP Redirect for SP to IdP
         HTTP Post for IdP to SP.
  • The service URL (SP-initiated URL) (Launch URL, Default Relay State, Reply URL, Relying Party SSO Service URL, Target URL, SSO Login URL, Redirect URL, Identity Provider Endpoint, etc): https://miro.com/sso/saml
  • Assertion Consumer Service URL (Allowed Callback URL): https://miro.com/sso/saml 
  • Identifier (Entity ID, Relying Party Trust Identifier): https://miro.com/  
  • Signing Requirement: 
         Assertion - must be a signed SAML assertion
         Response - may be assigned but this is not required
  • SubjectConfirmation Method: "urn:oasis:names:tc:SAML:2.0:cm:bearer"

Identity Provider SAML-response must contain Public key x509 certificate issued by the Identity Provider.

 Miro will accept:

  1. An unsigned SAML Response with a signed Assertion
  2. A signed SAML Response with a signed Assertion

Detailed examples can be found here.

User Credentials (Claim Types):

  • Primary Attribute (Primary Key, Logon Name, Application username format, NameID, EmailAddress, etc):
    equals a user’s email address.
  • Additional attributes to be sent with the assertion: FirstName (GivenName), LastName (Surname)
    ProfilePicture attribute (Base64 Encoded URL is also supported) can be added but is not required.

Again anything else can be set to default or unspecified.

Define these data in your identity provider will have all the necessary information for a successful SSO procedure.

Step 2: Enable SSO option in Miro

It is strongly recommended to configure the feature in incognito mode of your browser. This way you keep the session in the standard window, allowing you to switch off the SSO authorization in case something is configured incorrectly. If you wish to set up a test account before enabling SSO on production, please request it with your Account Executive or reach out to support@miro.com for assistance. Only those who configure SSO will be added to this test account.

To establish the connection between Miro and your chosen identity provider you will need to upload your meta-data to the Miro system and not vice-versa.

To enable SSO for your Miro company account, go to the Settings > Security, enable the SSO feature and specify the following values:

  1. SAML 2.0 Endpoint URL (in most cases it opens your Identity Provider's page where your end-users are to enter their credentials)
  2. Public Key x.509 Certificate (issued by your Identity Provider)
  3. The list of domains allowed to authenticate via your SAML server. Public domains (e.g. @gmail.com, @outlook.com, etc.) are not allowed

Configure Just In Time Provisioning for new users (optional)

To enable this option, tick the box and choose a team. All newly registered users from the listed domains will be automatically added right to your Company Account to this particular team. Thus, they can use Miro from the very start, without waiting for someone to invite them to the team. We also adjust new users' onboarding flow to make sure they are not lost in creating trial team accounts.

Enable SSO/SAML page in the team account settings

NB: JIT processes do not affect the users that already have a registered profile with Miro. Such users would still require an invitation.

To finish click the Save button. After that, your end-users will be able to start using SSO authorization.

Possible Issues and How to Resolve Them

My domain addresses are not accepted in the SSO settings - `DomainName is busy` message.

  • For security reasons, we support an organization's domain(s) in one Company umbrella (Company account) only. It is possible that your domains are already set up in another Business plan or Company plan account, preventing you from enabling SSO with the desired domain. Feel free to check it with your colleagues beforehand.

We need to change the email addresses of our end-users / We changed the emails of our users and now they are unable to access their boards.

  • If your company is changing its domain name and therefore the email addresses of the end-users need a change of their SSO credentials please reach out to our support team for assistance.

Related articles