Set up by: Company Admins
💡 It is strongly recommended to configure SSO in a separate incognito mode window of your browser. This way, you keep the session in the standard window, allowing you to switch off the SSO authorization in case something is misconfigured.
If you wish to set up a test instance before enabling SSO on production, please request it with your Account Executive or Sales representative. Only those who configure SSO will be added to this test instance.
⚠️ See our main SSO article here for rules, supported features and optional configuration on the Miro end.
Setting up Okta
Adding and configuring the app
Click the Applications tab and choose to Browser App Catalogue:
Applications section in Okta
Find our preconfigured app for easy setup and click to Add it:
Miro in the Okta app catalogue
Give the app in your gallery the label you prefer (other steps are optional) and click Next to switch to the Sign-On options tab:
Miro app's general settings
In the Sign-On Options all the values we expect are already filled and no additional data are required.
⚠️ You may add customized values if you prefer, but make sure that the Default Relay State is kept empty: our standalone apps employ redirection to the end-user's browser during the authentication procedure and generate unique RelayState values for that. If you use a Default value, Okta will overwrite our data and your users will only be able to access Miro's browser version, but not any standalone apps (desktop, tablet, mobile).
Click to Finish. You will be able to go back and edit any fields later if need be.
💡 The Application username format is by default set to Okta Username which is okay if your Username is in the email format. Alternatively set the Username to Email.
⚠️ Email is the primary ID by which the user is recognized in Miro and should not be updated on the Okta's end unless you have SCIM enabled. If you don't use SCIM but need to update your end user's addresses, please reach out to our Support team.
Configuring Profile Pictures (optional)
Setting up a custom attribute like ProfilePicture can be considered a separate process. Please follow this guide to set up the attribute on the Okta end and then enable ProfilePicture requirement on the Miro end.
Setting up Miro
Scroll down to SAML Signing Certificates to get the IDP metadata. If you do not have any issued certificates, first create one.
After that click Actions and choose to View IdP metadata like so:
Getting the IdP metadata
You will be directed to a separate tab that containsall the information. Copy the certificate from the line starting with <ds:X509Certificate> and paste it to Miro SSO Settings in Key x509 Certificate field.
Key x509 certificate in Miro SSO settings
Go back to the metadata page and copy the URL from SingleSignOnService line after Location= and paste it to SAML Sign-in URL.
You are all set!
If you meet any issues, please check out our list of common cases and how to resolve them.