Single Sign-On (SSO)

Available for: Enterprise, Business plans

Set up by: Company-level admin

Miro's SAML-based single sign-on (or SSO) feature will provide your end-users with access to the Miro application through an identity provider (IdP) of your choice.

Miro also supports SCIM with any Identity Provider of your choice. For more information on that please reach out to support@miro.com  

In this article: 

1. Rules
2. Configuring SSO
   2.1 Configure your identity provider
   2.2 Enable SSO option in Miro
   2.2.1 Configure Just In Time Provisioning for new users (optional)
3. Possible Issues and How to Resolve Them

Rules

Once SSO is enabled for the Enterprise account, the following rules apply to the end-users:

1. The SSO process is applied to the corporate domains that you add to the SSO settings. Your company account's end-users with the corporate domains must log into Miro via SSO option using their identity provider credentials.
   
   Other authorization options (the standard login+password, Google, Facebook, Slack, and O365 buttons) are disabled for them. 
   This also means that you can use the same Identity Provider configuration with multiple Miro Enterprise accounts for as long as different accounts claim different domains. However, you will only be able to provision via SCIM to one single Miro Enterprise account (since every Enterprise account has a unique token but your SCIM configuration will accept only one of them)
   NB: End-users with other domains are not required to use SSO and should instead log in using the standard methods. This scenario exists for guests, independent contractors, etc. which have access only to certain company boards and might not have profiles with your identity provider. 
2. If an end-user is a member of team workspaces outside the Enterprise umbrella they are still required to log in via SSO as soon as the feature is enabled. However, they will be able to access other teams and accounts. If you wish to also prevent your end-users from doing that, check out the Domain Control feature. 
3. The end-users are not allowed to change their passwords or edit their names, last names or profile pictures in Miro. The data are instead automatically attributed by your identity provider upon successful login.
   
   NB: The email address change needs to first be made on the Miro side (please reach out to our support team for assistance) and then on the identity provider side before an end-user tries to use their new credentials to log into Miro. Our system recognizes the user by their email address - if the system is not notified about the change prior to the next login, the person will be recognized as a new user and will have a new profile registered instead of being logged into their existing profile.

Configuring SSO

Step 1: Configure your identity provider

Feel free to use any identity provider of your choice. The how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link can be seen below:

• OKTA - see the setup instruction here
• Azure AD by Microsoft
• OneLogin
• ADFS by Microsoft
• Auth0

Here you can also find an article on how to set up Jumpcloud, and here - Google Solution. 

First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On.

Then be sure to add the following data (however, depending on the identity provider you may have more or fewer fields to be filled out. We recommend to skip optional fields or set everything to default values).

Configuration specifications:

• Protocol: SAML 2.0
• Binding:
       HTTP Redirect for SP to IdP
       HTTP Post for IdP to SP.
• The service URL (SP-initiated URL) (aka Launch URL, Default Relay State, Reply URL, Relying Party SSO Service URL, Target URL, SSO Login URL, Redirect URL, Identity Provider Endpoint, etc): https://miro.com/sso/saml
• Assertion Consumer Service URL (Allowed Callback URL): https://miro.com/sso/saml
• Identifier (Entity ID, Relying Party Trust Identifier): https://miro.com/  
• Signing Requirement: 
       Assertion - must be a signed SAML assertion
• SubjectConfirmation Method: "urn:oasis:names:tc:SAML:2.0:cm:bearer"

Identity Provider SAML-response must contain Public key x509 certificate issued by the Identity Provider.

 Miro will accept:

1. An unsigned SAML Response with a signed Assertion
2. A signed SAML Response with a signed Assertion

Encryption is not supported. Detailed examples can be found here.

User Credentials (Claim Types):

• Primary Attribute (aka SAML_Subject, Primary Key, Logon Name, Application username format, etc) - NameID: equals a user’s email address (please do not mix with EmailAddress which is usually a separate attribute).
• Additional attributes to be sent with the assertion: FirstName (GivenName), LastName (Surname).
  The ProfilePicture attribute (Base64 Encoded URL is also supported) can be added but is not required.

Again anything else can be set to default or unspecified.

Define these data in your identity provider will have all the necessary information for a successful SSO procedure.

Step 2: Enable SSO option in Miro

It is strongly recommended to configure the feature in the incognito mode of your browser. This way you keep the session in the standard window, allowing you to switch off the SSO authorization in case something is configured incorrectly. If you wish to set up a test account before enabling SSO on production, please request it with your Account Executive or reach out to support@miro.com for assistance. Only those who configure SSO will be added to this test account.

To enable SSO for your Miro Enterprise account, go to the Settings > Security, enable the SSO feature and specify the following values:

1. SAML 2.0 Endpoint URL (in most cases it opens your Identity Provider's page where your end-users are to enter their credentials)
2. Public Key x.509 Certificate (issued by your Identity Provider)
3. The list of domains allowed to authenticate via your SAML server. Public domains (e.g. @gmail.com, @outlook.com, etc.) are not allowed

To finish click the Save button. After that, your end-users will be able to start using SSO authorization.

Just In Time Provisioning for new users (optional)

Help your end-users engage with Miro right away, without waiting for someone to invite them to the account or making them go through the full onboarding process and prevent creating trial and free accounts outside of your managed Enterprise umbrella. 
⚠️ Miro JIT feature affects only newly-registered users. The users that already have an existing profile with Miro still require an invitation to your Enterprise account. All users provisioned under JIT are assigned the default license of your subscription (a full license if you do not user Day passes, or an occasional license if you do).

To enable the Miro JIT feature open your SSO settings > tick the respective box > and choose the designated team.

Enable Just in Time provisioning feature in the Security settings

All newly registered users from the domains that you list in the settings will be automatically added under your Enterprise Umbrella to this particular team when they sign up with Miro. 

Possible Issues and How to Resolve Them

1. My domain addresses are not accepted in the SSO settings - `DomainName is busy` message.
   - For security reasons, we support an organization's domain(s) in one Company umbrella (Enterprise account) only. It is possible that your domains are already set up in another Business plan or Enterprise plan account, preventing you from enabling SSO with the desired domain. Feel free to check it with your colleagues beforehand.
   
   
2. We need to change the email addresses of our end-users / We changed the emails of our users and now they are unable to access their boards.
   - If your company is changing its domain name and therefore the email addresses of the end-users need a change of their SSO credentials please reach out to our support team for assistance.