Set up by: Company-level admin
Miro's SAML-based single sign-on (or SSO) feature will provide your end-users with access to the Miro application through an identity provider (IdP) of your choice.
Once SSO is enabled for the Company account, the following rules apply to the end-users:
- End-users with corporate domains must log into Miro via the SSO option using their identity provider credentials. The other authorization options (the standard login+password, Google, Facebook, Slack, and O365 buttons) are disabled.
- If an end-user is a member of team workspaces outside the Company umbrella, they are still required to log in via SSO as soon as the Company enables this feature.
- Non-Team Users (guests, independent contractors, etc.) who have access to certain Company boards are not required to authorize via SSO as long as their user profile is not under one of the whitelisted corporate domains.
- End-users are not allowed to change their passwords or edit their first names, last names or profile pictures in Miro. These data are instead attributed automatically by your identity provider upon a successful login.
NB: An email address change needs to be made first on the Miro side (please reach out to our support team for assistance) and then on the identity provider side, before the end-user tries to use their new credentials to log into Miro. Our system recognizes the user by their email address: if the system is not notified about the change prior to the next login, the person will be treated as a new user and a new profile will be registered instead of logging them into their existing profile.
Feel free to use any identity provider of your choice. The how-tos for the most popular identity platform solutions that provide a pre-configured Miro application can be found below:
- OKTA - see the setup instructions here
- Azure AD by Microsoft - see the setup instructions here
- AD FS by Microsoft
It is strongly recommended to configure the feature in an incognito window of your browser. This way you keep your session in the standard window, which allows you to switch off SSO authorization in case something is configured incorrectly. If you wish to set up a test account before enabling SSO in production, please request it from your Account Executive or reach out to firstname.lastname@example.org for assistance. Only those who configure SSO will be added to this test account.
Step 1: Configure your identity provider
First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On.
Then be sure to add the following data (depending on the identity provider you may have more or fewer fields to fill out; we recommend skipping them or leaving them at their default values).
- Protocol: SAML 2.0
  - HTTP Redirect for SP to IdP
  - HTTP POST for IdP to SP
- The service URL (SP-initiated URL) (Launch URL, Default Relay State, Reply URL, Relying Party SSO Service URL, Target URL, SSO Login URL, Redirect URL, Identity Provider Endpoint, etc): https://miro.com/sso/saml
- Assertion Consumer Service URL (Allowed Callback URL): https://miro.com/sso/saml
- Identifier (Entity ID, Relying Party Trust Identifier): https://miro.com/
- Signing Requirement:
  - Assertion: must be a signed SAML assertion
  - Response: may be signed, but this is not required
- SubjectConfirmation Method: "urn:oasis:names:tc:SAML:2.0:cm:bearer"
User Credentials (Claim Types):
- Primary Attribute (Primary Key, Logon Name, Application username format, NameID, EmailAddress, etc.): equals the user's email address.
- Additional attributes to be sent with the assertion: FirstName (GivenName), LastName (Surname). A ProfilePicture attribute (a Base64-encoded URL is also supported) can be added but is not required.
Again, anything else can be set to default or left unspecified.
The Identity Provider's SAML response must contain the public key x509 certificate issued by the Identity Provider.
Once these data are defined in your identity provider, it has all the information necessary for a successful SSO procedure.
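As an added example (not from this article and not Miro's own tooling), the following Python script runs a structural pre-flight check of a SAML response from your identity provider against the requirements listed above: a signed Assertion carrying the IdP's X509 certificate, a bearer SubjectConfirmation whose Recipient is Miro's ACS URL, a NameID that is an email address, an Audience equal to Miro's Entity ID, and the FirstName/LastName attributes. The sample response embedded in it is constructed for illustration (issuer, user and certificate are placeholders), and the script checks structure only; cryptographic verification of the signature requires a dedicated library such as signxml.

```python
# Added example (not Miro's code): structural pre-flight check of an IdP's SAML
# response against the Step 1 requirements. It does NOT verify the XML signature
# cryptographically; use a dedicated library (for example signxml) for that.
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ENTITY_ID = "https://miro.com/"        # Identifier / Entity ID from Step 1
ACS_URL = "https://miro.com/sso/saml"     # Assertion Consumer Service URL from Step 1
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_saml_response(xml_text):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element in the response"]

    # Signing requirement: the Assertion itself must be signed and carry the IdP cert
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        problems.append("assertion is not signed")
    elif signature.find(".//ds:X509Certificate", NS) is None:
        problems.append("signature carries no X509Certificate")

    # Primary attribute: NameID must be the user's email address
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not EMAIL_RE.match((name_id.text or "").strip()):
        problems.append("NameID missing or not an email address")

    # SubjectConfirmation must use the bearer method and target Miro's ACS URL
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        problems.append("SubjectConfirmation Method is not bearer")
    else:
        data = confirmation.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != ACS_URL:
            problems.append("Recipient is not " + ACS_URL)

    # Audience must be the SP Entity ID, otherwise the assertion was minted for another SP
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != SP_ENTITY_ID:
        problems.append("Audience is not " + SP_ENTITY_ID)

    # Additional attributes Miro expects in the assertion
    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("FirstName", "LastName"):
        if required not in names:
            problems.append("missing attribute " + required)
    return problems


def strip_assertion_signature(xml_text):
    """Produce a misconfigured variant (unsigned assertion) to exercise the check."""
    return re.sub(r"<ds:Signature.*?</ds:Signature>", "", xml_text, flags=re.S)


# Constructed sample response: issuer, user and certificate are placeholders, not real data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://miro.com/sso/saml">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://miro.com/sso/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://miro.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("well-formed sample:", check_saml_response(SAMPLE_RESPONSE))
    print("unsigned assertion:", check_saml_response(strip_assertion_signature(SAMPLE_RESPONSE)))
```

Run it against a response captured from your own identity provider during a test login (saved from the browser's developer tools) before enabling SSO in production; an empty list means the listed requirements are met, while each string in the list names the field to fix in the IdP configuration.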
Step 2: Enable SSO option in Miro
To establish the connection between Miro and your chosen identity provider, you will need to upload your metadata to the Miro system, not vice versa.
To enable SSO for your Miro Company account, go to Settings > Security, enable the SSO feature and specify the following values:
- SAML 2.0 Endpoint URL (in most cases it opens your Identity Provider's page where your end-users are to enter their credentials)
- Public Key x.509 Certificate (issued by your Identity Provider)
- The list of domains allowed to authenticate via your SAML server. Public domains (e.g. @gmail.com, @outlook.com, etc.) are not allowed.
Step 3: Configure Just In Time Provisioning for new users (optional)
To enable this option, tick the box and choose a team. All newly registered users from the listed domains will be automatically added to this particular team in your Company Account. Thus, they can use Miro from the very start, without waiting for someone to invite them to the team. We also adjust new users' onboarding flow to make sure they do not get lost creating trial team accounts.
[Screenshot: Enable SSO/SAML page in the team account settings]
NB: JIT provisioning does not affect users who already have a registered profile with Miro. Such users still require an invitation.
To finish, click the Save button. After that, your end-users will be able to start using SSO authorization.
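The rules from Steps 2 and 3 together with the login rules at the top of the article (SSO-only for corporate domains, guests unaffected, JIT for unknown emails only, existing profiles needing an invitation, and the email-change pitfall from the NB) can be captured as a small model. The following Python is an added example, not Miro's code; the public-domain list and the class and method names are assumptions made for illustration.

```python
# Added example (not Miro's code): a model of the account rules described in the
# article, so an admin can reason about who is forced through SSO, which domains the
# allowlist rejects, and what JIT provisioning does for new versus existing users.

# Assumption: illustrative list of public email domains; the article only gives examples.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


class DomainNotAllowed(ValueError):
    """Raised when a domain cannot be used for SSO in this Company account."""


def validate_sso_domains(domains, domains_claimed_elsewhere=()):
    """Allowlist rules: no public domains, and a domain belongs to one Company account only."""
    accepted = []
    for raw in domains:
        domain = raw.lower().lstrip("@")
        if domain in PUBLIC_DOMAINS:
            raise DomainNotAllowed(domain + ": public email domains cannot be used for SSO")
        if domain in domains_claimed_elsewhere:
            raise DomainNotAllowed(domain + ": already set up in another Business or Company account")
        accepted.append(domain)
    return accepted


class CompanyAccount:
    def __init__(self, sso_domains, jit_team=None):
        self.sso_domains = set(validate_sso_domains(sso_domains))
        self.jit_team = jit_team          # team new users are auto-added to (optional JIT setting)
        self.users = {}                   # email -> profile; Miro recognizes users by email address

    def register_existing_user(self, email, first, last):
        """A profile that existed before SSO was enabled (e.g. a user from a trial team)."""
        self.users[email.lower()] = {"first": first, "last": last, "teams": set()}

    def allowed_login_methods(self, email):
        """Corporate-domain users get SSO only; guests outside those domains keep other methods."""
        domain = email.lower().rsplit("@", 1)[1]
        if domain in self.sso_domains:
            return {"sso"}
        return {"password", "google", "facebook", "slack", "o365"}

    def sso_login(self, email, first, last):
        """Handle a successful IdP assertion: refresh name fields, JIT-provision unknown emails."""
        email = email.lower()
        domain = email.rsplit("@", 1)[1]
        if domain not in self.sso_domains:
            raise PermissionError(domain + " is not an SSO domain of this Company account")
        profile = self.users.get(email)
        if profile is None:
            # Unknown email address: a brand-new profile is created. This is also what
            # happens when the email was changed at the IdP but not in Miro first (see NB).
            profile = {"first": first, "last": last, "teams": set()}
            if self.jit_team:
                profile["teams"].add(self.jit_team)
            self.users[email] = profile
            return "created"
        # Existing profile: names come from the IdP; team membership stays as is (invite needed)
        profile["first"], profile["last"] = first, last
        return "existing"


if __name__ == "__main__":
    company = CompanyAccount(["example.com"], jit_team="Engineering")
    company.register_existing_user("bob@example.com", "Bob", "Old")
    print(company.sso_login("bob@example.com", "Bob", "Builder"), company.users["bob@example.com"])
    print(company.sso_login("carol@example.com", "Carol", "New"), company.users["carol@example.com"])
    print(company.allowed_login_methods("guest@gmail.com"))
```

The two cases worth noticing in the output are Bob, whose name is refreshed from the IdP but who still has no team (he must be invited), and a login for an email that Miro has never seen, which silently creates a second profile; that is the situation the NB about email changes warns about.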
Possible Issues and How to Resolve Them
My domain addresses are not accepted in the SSO settings
- For security reasons, we support an organisation's domain(s) in one Company umbrella (Company account) only. It is possible that your domains are already set up in another Business plan or Company plan account, which prevents you from enabling SSO with the desired domain. Feel free to check this with your colleagues beforehand.
We need to change the email addresses of my end-users / We changed the emails of our users and now they are unable to access their boards
- If your company is changing its domain name, and therefore the email addresses of the end-users need a change of their SSO credentials, please reach out to our support team for assistance.