Set up by: Company-level admin
It is strongly recommended to configure the feature in a separate incognito window of your browser. This way you keep your existing session in the standard window, so you can switch SSO authorization off again if something is configured incorrectly.
If you wish to set up a test account before enabling SSO on production, please request one from your Account Executive or Sales representative. Only those who configure SSO will be added to this test account.
Adding and configuring the app
1. Find the Miro pre-configured application in Azure AD Enterprise Application Gallery (Enterprise Applications > +New Application)
2. Create the application and click 2. Set up single sign on (or select Single sign-on from the left-side menu), then select the SAML sign-on method.
3. You will see that the Basic SAML Configuration is already in place:
⚠️ If the SSO login fails after everything is set up, try changing the Entity ID from https://miro.com to https://miro.com/
⚠️ Sign-on URL and other fields are optional. Please note that Miro does not support Single Sign-Out.
The Attributes & Claims are also already in place:
⚠️ Note that:
a) The UPN becomes the main parameter by which a user in Miro is recognized, and this parameter cannot be updated from the Azure side. If you need to update user emails in Miro without using SCIM, please reach out to our support team.
b) Miro accepts GivenName, Surname, DisplayName and ProfilePicture. Other attributes are not supported via SSO but can be transferred via SCIM.
Creating the Certificate
1. Scroll down to the SAML Signing Certificate section and click Add a certificate:
2. Click +New Certificate and set Signing Option to Signed SAML assertion or Signed SAML response and assertion. The assertion must be signed.
3. Click Save.
4. Click More options for the certificate, first make the certificate active and then download the Base64 file.
Configuring SSO in your Miro account
1. Open the downloaded file in a text editor and copy the x509 certificate from the file into the respective field in the Miro SSO settings.
2. Scroll a bit lower in the Azure settings, find Login URL and paste it into SAML Sign-in URL in Miro.
3. Make sure that you have added at least one Company Domain before clicking the Save button.
And that's all! Your SSO configuration is now complete.
Configuring claims when UPN and Email differ
You can configure the settings to use any Azure attribute in email format as the NameID in Miro.
IDP- and SP-initiated logins
For IDP-initiated login, Azure sends Miro the value you decide to use as the NameID (user.mail in the example below).
With this flow, your end-users access Miro via the icon on their portal console (for example at https://myapplications.microsoft.com/). From there a request is sent to Miro and the user is logged in using the NameID you defined. Miro will expect this attribute to match the user's email in Miro. A mismatch will result in failed authentication.
For SP-initiated login, Miro will send a request specifically for the user's UPN and will expect it to match the user's email in Miro. A mismatch will result in failed authentication.
The SAML Sign-in URL field in the settings of your Miro account is expected to contain the Login URL of the Miro app in your Azure instance. This is the URL Miro directs the user to from the Miro login page.
When the user is directed to the Login URL from the app, the SAML request is generated. With this flow, the user is logged in with the email address they entered on the Miro login page, which Miro then requests from Azure, requiring it to be the UPN attribute.
How to set up
To allow your users to access Miro with their Azure email rather than their UPN, fill in your account's SAML Sign-In URL field with the URL of the app from the Azure console. The SP-initiated flow will then be as follows:
- The user accesses Miro by entering the email address they have in Miro. Miro recognizes which user profile the person should be logged into.
- The user is directed to their app link that is used for the IDP-initiated login.
- The link utilizes the NameID attribute that you defined and sends it to Miro.
- The user is therefore logged into the previously defined Miro user profile with the NameID you defined.
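As an added example (not part of Miro's documentation), the following Python script checks a captured SAML Response against the requirements described above: a signed assertion, an email-format NameID that matches the Miro user's email, an Audience equal to the configured Entity ID (flagging the trailing-slash mismatch noted earlier), and claims outside the four attributes Miro accepts via SSO. The sample response and its claim URIs are constructed, and the script inspects structure only; it does not verify the XML signature cryptographically.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Attributes the article says Miro accepts via SSO (last segment of the claim URI, lowercased).
SUPPORTED_CLAIMS = {"givenname", "surname", "displayname", "profilepicture"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample response: placeholder signature, assumed claim URIs, no real user data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://miro.com/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_saml_response(xml_text, expected_email, entity_id="https://miro.com"):
    """Return a list of findings for one captured SAML Response; an empty list means it looks right."""
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element found"]
    # The article requires the assertion itself to be signed, not only the outer response.
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed; pick a Signing Option that signs the assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not EMAIL_RE.match(name_id):
        findings.append(f"NameID {name_id!r} is not in email format")
    elif name_id.lower() != expected_email.lower():
        findings.append(f"NameID {name_id!r} does not match the Miro user email {expected_email!r}")
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if aud.rstrip("/") != entity_id.rstrip("/"):
        findings.append(f"Audience {aud!r} does not match Entity ID {entity_id!r}")
    elif aud != entity_id:
        findings.append(f"Audience {aud!r} and Entity ID {entity_id!r} differ only by a trailing slash")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        short = attr.get("Name", "").rsplit("/", 1)[-1].lower()
        if short not in SUPPORTED_CLAIMS:
            findings.append(f"claim {attr.get('Name')!r} is not used via SSO; transfer it via SCIM")
    return findings

for finding in check_saml_response(SAMPLE_RESPONSE, "alice@example.com"):
    print("finding:", finding)
```

Run it against a response captured with a browser SAML tracing extension before enabling SSO on production; any finding points at one of the settings described in this article.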
If you'd like to also enable auto-provisioning for Miro, check out this article.
If you encountered any issues during configuration, please check out this article.