Available for: Business Plan, Enterprise Plan
Required role: Company Admins
💡 It is strongly recommended to configure SSO in a separate incognito window of your browser. This way, you keep your session in the standard window and can switch off SSO authorization if something is misconfigured.
If you wish to set up a test instance before enabling SSO on production, please reach out to the Support Team for assistance. Only those who configure SSO will be added to this test instance.
⚠️ See our main SSO article here for rules, supported features and optional configuration on the Miro end.
Adding and configuring the app
1. Find the Miro pre-configured application in the Entra ID Enterprise Application Gallery (Enterprise Applications > +New Application).
Miro pre-configured application in Entra ID Enterprise Application Gallery
2. Create the application and click 2. Set up single sign-on (or select Single sign-on from the left side and select the SAML sign-on method).
Selecting a single sign-on method
3. You will see that the Basic SAML Configuration is already in place:
Basic SAML configuration
⚠️ If the SSO login fails after everything is set up, try changing the Entity ID from https://miro.com to https://miro.com/
⚠️ Sign-on URL, Relay State and Logout URL (for Single Sign-Out) must be left empty, since these functionalities are not supported.
The Attributes & Claims are also already in place:
Attributes & Claims
⚠️ Note that:
a) The UPN will become the main parameter by which a user is recognized in Miro, and this parameter cannot be updated from the Entra side. When you need to update user emails in Miro without using SCIM, please reach out to our support team.
b) Miro will accept GivenName, Surname, DisplayName and ProfilePicture. Other attributes are not supported via SSO but can be transferred via SCIM.
Creating the Certificate
1. Scroll down to the SAML Signing Certificate section and click Add a certificate:
2. Click +New Certificate and choose the Signing Option = Signed SAML Assertion or Signed SAML response and assertion. The assertion must be signed.
Selecting signing option
3. Click Save.
4. Click More options for the certificate, first make the certificate active, and then download the Base64 file.
More options menu
Configuring SSO in your Miro plan
1. Open the downloaded file in a text editor and copy the x509 certificate from the file into the respective field in the Miro SSO settings.
2. Scroll a bit lower in the Entra settings and find Login URL and paste it to SAML Sign-in URL in Miro.
Copy Login URL
Miro SSO settings
3. Make sure that you have added at least one Company Domain before clicking the Save button.
And that's all! Your SSO configuration is now complete.
Configuring claims when UPN and Email differ
You can configure the settings to use any Entra attribute which is in the email format as the NameID in Miro.
IDP- and SP-initiated logins
For IDP-initiated login, Entra sends Miro the value you decide to use as the NameID (user.mail in the example below).
User attributes and claims
With this flow, your end-users access Miro via the icon on their portal console (for example at https://myapplications.microsoft.com/). From there a request is sent to Miro and the user is logged in using the NameID you defined. Miro will expect this attribute to match the user's email in Miro. A mismatch will result in failed authentication.
For SP-initiated login, Miro will send a request specifically for the user's UPN and will expect it to match the user's email in Miro. A mismatch will result in failed authentication.
Now, the SAML Sign-in URL field in your Miro settings is expected to contain the Login URL of the Miro app of your Entra instance. This will be the URL Miro will direct the user to from the Miro Login page.
Miro SSO settings
When the user is directed to the Login URL from the app, the SAML request is generated. With this flow, the user is logged in with the email address they entered on the Miro login page, which Miro then requests from Entra, requiring it to be the UPN attribute.
How to set up
To allow your users to access Miro with their Entra email rather than UPN, you can fill out the SAML Sign-In URL field in Miro with the URL of the app from the Entra console. Then the SP-initiated flow will be as follows:
- The user accesses Miro by entering their Miro email (the email they have in Miro). Miro understands that the person should be logged into the defined user profile.
- The user is directed to their app link that is used for the IDP-initiated login.
- The link utilizes the NameID attribute that you defined and sends it to Miro.
- The user is therefore logged into Miro into the previously defined user profile with the NameID you defined.
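A pre-flight check for the two flows described above, as an added example (not Miro or Microsoft code): given an export of Entra users and the emails of existing Miro profiles, it reports which accounts would fail IDP-initiated or SP-initiated login. The export format, the function names, the sample data and the case-insensitive comparison are assumptions.

```python
def norm(addr):
    # Assumption: addresses are compared case-insensitively, ignoring whitespace.
    return (addr or "").strip().lower()

def preflight(entra_users, miro_emails, nameid_attr="mail"):
    """Return, per Entra user, which login flows would match a Miro profile.

    entra_users: dicts with 'userPrincipalName' and 'mail' (hypothetical export format).
    nameid_attr: the Entra attribute configured as NameID (user.mail in the article).
    """
    known = {norm(e) for e in miro_emails}
    report = []
    for user in entra_users:
        upn = norm(user.get("userPrincipalName"))
        nameid = norm(user.get(nameid_attr))
        report.append({
            "upn": upn,
            "nameid": nameid,
            # IDP-initiated: the NameID claim must equal the user's email in Miro.
            "idp_initiated_ok": bool(nameid) and nameid in known,
            # SP-initiated: Miro requests the UPN and expects it to equal the Miro email.
            "sp_initiated_ok": bool(upn) and upn in known,
        })
    return report

def at_risk(report):
    """Users for whom at least one of the two flows would fail authentication."""
    return [r for r in report if not (r["idp_initiated_ok"] and r["sp_initiated_ok"])]

# Constructed sample data, not taken from any real tenant.
ENTRA_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"userPrincipalName": "b.jones@corp.example.com", "mail": "bob.jones@example.com"},
    {"userPrincipalName": "carol@example.com", "mail": None},
]
MIRO_EMAILS = ["Alice@example.com", "bob.jones@example.com", "carol@example.com"]

if __name__ == "__main__":
    for row in at_risk(preflight(ENTRA_USERS, MIRO_EMAILS)):
        print(row)
```

Accounts that pass the IDP-initiated check but fail the SP-initiated one are those whose UPN and email differ, which is the case the SAML Sign-In URL setup above addresses.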
If you'd like to also enable auto-provisioning for Miro, check out this article.
If you encountered any issues during configuration, please check out this article.
Entra testing tool
To get to the testing tool, choose the Single Sign-In tab in the settings of your application and scroll down to the bottom of the section.
Entra suggests using the test login process to check the connection and troubleshoot an error message. After the test, you will be given instructions on how to solve the situation.
Test page in the Entra portal/console
Please keep in mind which credentials managed by Entra/ADFS your workstation is authenticated with. If you are trying to use a different set to log into Miro the login attempt may fail, as the Identity Provider will transfer your main set of credentials and there will be a mismatch. For instance, this can happen if you are the SSO administrator and test the login procedure under different user credentials.
Alternatively, you can test in Miro
- Complete the steps above to configure your SSO settings.
- Click the Test SSO configuration button.
- Review the results:
  - If no issues are found, a confirmation message SSO configuration test was successful will be displayed.
  - If issues are found, a confirmation message SSO configuration test failed will be displayed, followed by detailed error messages to guide you on what needs to be fixed.
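When a test login fails, the decoded SAML response from that login can be checked against the requirements in this article. The following is an added example (not Miro or Microsoft code) that reports whether the signature sits on the assertion and which Audience and NameID were sent; the function names and the sample response are constructed, and the check is structural only, so it does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_IDS = {"https://miro.com", "https://miro.com/"}  # both values named in the article

def inspect_response(xml_text):
    """Structural check only: shows where signatures sit, does not verify them."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"response_signed": root.find("ds:Signature", NS) is not None,
                "assertion_signed": False, "audiences": [], "name_id": None}
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return {
        # find() matches direct children only, so a response-level signature
        # is never mistaken for an assertion-level one.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "audiences": [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text],
        "name_id": name_id.strip() or None,
    }

def problems(info):
    """Compare the inspected response with the requirements stated in the article."""
    out = []
    if not info["assertion_signed"]:
        out.append("assertion is not signed")
    if not info["name_id"] or "@" not in info["name_id"]:
        out.append("NameID is not in email format")
    if not set(info["audiences"]) & ENTITY_IDS:
        out.append("Audience is not one of the Entity IDs from the article")
    return out

def sample_response(sign_response, sign_assertion):
    # Constructed skeleton; the empty Signature element is a placeholder.
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        + (sig if sign_response else "")
        + "<saml:Assertion>" + (sig if sign_assertion else "")
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        "<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://miro.com/"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion></samlp:Response>"
    )
```

A response signed only at the response level, `sample_response(True, False)`, is reported as "assertion is not signed", which corresponds to a signing option other than the two listed in the certificate steps.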