SAML Single Sign-on

 

Security Assertion Markup Language (SAML) provides your team with secure access to monday.com (SP) through the identity provider (IdP) of your choice. It works by transferring a team member’s identity from one place, your identity provider, to another, monday.com. You can enable SAML in monday.com in just a few steps.

Note: SAML SSO is available on Enterprise plan only. Google Single Sign-On is available on Pro and Enterprise plans. To learn more about Google Single Sign-On, see here

 

Configure your identity provider

Before setting up SAML SSO in monday.com, you must first set up a monday.com SSO connection, also known as a connector, with your identity provider. monday.com currently supports three main providers: Okta, Entra ID (formerly Azure AD), and OneLogin. You can also use a custom provider.

Note: By default, you can connect one identity provider to a monday.com account. If your account has the Enterprise Guardian add-on, you can configure multiple SSO vendors within the same account. Multiple monday.com accounts can also be connected to one identity provider.

 

Now that you've completed this step, you can log in to your monday.com account to continue setting up SAML SSO. Follow the steps below to proceed.

 

Set up SAML SSO for monday.com

Once you've configured your identity provider, you just need to enable SAML on monday.com. To do so, click your profile picture in the top-right corner of your screen, then select Administration.


 

Once you are in the admin section, select the Security section on the left side. Click Single Sign-On (SSO) in the Authentication policies tab. Then click Add SSO policy. We will use Okta in our example, but you can select any other option.

 

Select your identity provider from the list:

Note: The SAML SSO URL and Identity provider issuer field formats are slightly different in each identity provider. Selecting an identity provider from the list will show you the expected value format for these fields. If your identity provider does not appear on the list, select Custom SAML 2.0 and copy the SAML SSO URL and Identity provider issuer values from your identity provider.

 

Fill in the following fields with data from your identity provider:

  • SAML SSO URL
  • Identity provider issuer
  • Public certificate

Note: If your organization wants to send encrypted SAML responses, select Enable Monday Certificate. This gives you the public encryption certificate to enter into your IdP, which ensures monday.com can decrypt the SAML response.

 

Test your SSO connection

Once you've filled out all of the necessary details for your SSO provider, it is time to test your connection. This step is mandatory before enabling SAML on your account or before making any other changes. Click Test SSO connection.

 

Activate SSO provider

After you follow the steps above, it is time to activate your SSO provider. Click Add SSO provider, and then all monday.com team members will get an email explaining how to sign in using the selected SSO provider.

 

Adjust email and password policy

Admins have greater flexibility in managing login policies, including the ability to customize the email and password policies. This setting makes it easy to exclude specific team members from the SSO requirement, offering a flexible solution to adapt login preferences to your team’s unique needs.

When clicking the three dots next to the Email and password section and selecting Edit, the admin can select policy members to define who the email and password policy applies to—everyone or only some people (e.g., guests, a single user).

 

Before activating SSO, the email and password policy cannot be modified. By default, after SSO is activated, the email and password policy changes from Everyone to Guests.


 

There are two options in the email and password policy section:

Option 1: All users (including guests) can log in to monday.com using the email and password policy.

Option 2: Only some people (guests, single user, or both) can use the email and password policy to log in to monday.com.

Choosing Guests under Only some people would allow guests to log in using the email and password policy (not only SSO). This is the most commonly used policy option, as guests are often external users not managed by an organization's internal IT.

Choosing A single user under Only some people would mean that only one chosen team member can log in using the email and password option (not only SSO).

Note: This break-glass access can be used if, for example, there is an issue with your SSO provider and you need access to the platform to perform settings changes.

Note: monday.com two-factor authentication (2FA) applies only to team members who log in with email and password. Team members who log in with SSO are not prompted for monday.com 2FA and are authenticated through your identity provider.

 

If applicable to your company’s security policy, we recommend using the Guests or Guests and a single user options under the Only some people policy members. This means that every user on the account, aside from guests and the designated single user, must log in via SSO. Guests can be invited to shareable boards and log in using an email and password as normal. In this case, guest emails do not need to be active in the account's IDP to log in. The single-user option provides additional flexibility, allowing one team member to log in with an email address and password for emergency access if needed.

 

Provisioning

By default, monday.com uses Just In Time provisioning, meaning that a user is created in monday.com upon first login if they do not exist.

If you'd like to enable SCIM provisioning, generate the token and follow your IdP's instructions to enable it. monday.com supports IdP-initiated flow or SP-initiated flow. We have an official monday.com application in the Okta Application catalog. To enable it, see the relevant article.

In addition, we have an official monday.com application in the OneLogin Application catalog. To enable it, see the relevant article.

Lastly, we have an official monday.com application in the Entra ID Application catalog. To enable it, see the relevant article.

Note: SCIM Provisioning is available on Enterprise plans only.

 

What will happen once your SSO is enabled?

Once SSO is enabled in the account, every admin will receive an email notifying them that SSO has been activated.
Here is an example of the email:


 

Common errors after signing into your SSO provider

Some team members may experience difficulties using SSO. For example, after entering their credentials into the login page of the SSO provider, instead of being redirected back to the monday.com page, the team member may see an error message saying that the signed-in user 'username@email.com' is not assigned to a role for the application (the wording might be slightly different depending on the SSO provider). This means that the account admins should log in to the SSO provider your team uses and add this user to the monday.com account. 

Another common issue occurs when a user changes their email address, leading to an error when they attempt to log in. We'll go over that in the following section.

 

What happens when a user's email address changes?

When a user logs in to monday.com via SSO, a back-end connection is established between the identity provider (IDP) and the User ID in monday.com. The connection, called a UID (user ID), links an individual's identity in the IDP (their name and email address) to the email address associated with the user in monday.com.

Therefore, if a user changes their email address, they will not be able to log in to monday.com until their UID (user ID) is reset. The reason is that the UID is linked to the user's previous email address, and when the email is updated, it is not automatically linked to the existing UID. Resetting the UID breaks the previous connection and creates a new link between the UID and the newly changed email address.

 

Steps to take when a user's email changes

If a user's email address changes, follow the two steps below, and they should be able to log in to the account again.

1. Change the user's email in the identity provider and in monday.com

It is important that the user's email address be changed on the identity provider's end and on monday.com. To change their email address on monday.com, the relevant user can follow the steps outlined in this article. 

Note: When an admin changes a user's email address, the user will then need to confirm their new email address.

 

2. Reset the user's UID

Once a user's email has been updated in the IDP and on monday.com, it is time to reset their UID. To do so, enter the user management tab of the admin section of the account. From there, locate the user who changed their email address, click the three-dot menu on the left of their name, and select Reset SSO UID:

Once this has been selected, the user should be able to successfully log in to their monday.com account using their new email address.
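
The two-step procedure above, as an added Python sketch that is not monday.com code: it models a service provider that binds each user to the identifier the IdP first asserted for them. It assumes (the page does not state this) that the identifier is an email-format NameID and that a mismatch is rejected; all class and function names are hypothetical.

```python
# Simplified model of SP-side SSO account linking (assumption, not monday.com code).
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    sso_uid: Optional[str] = None  # identifier bound at first SSO login


class ServiceProvider:
    def __init__(self):
        self.users = {}  # email -> User

    def sso_login(self, asserted_uid: str, asserted_email: str) -> str:
        user = self.users.get(asserted_email)
        if user is None:
            # Just-in-time provisioning: create the user on first login.
            self.users[asserted_email] = User(asserted_email, asserted_uid)
            return "provisioned"
        if user.sso_uid is None:
            # UID was reset: bind the identity asserted now.
            user.sso_uid = asserted_uid
            return "linked"
        if user.sso_uid != asserted_uid:
            # Stale binding: refuse rather than silently relink.
            return "rejected"
        return "ok"

    def change_email(self, old: str, new: str) -> None:
        user = self.users.pop(old)
        user.email = new
        self.users[new] = user  # the stored UID is left untouched

    def reset_sso_uid(self, email: str) -> None:
        self.users[email].sso_uid = None


def email_change_walkthrough():
    sp = ServiceProvider()  # constructed sample identities below
    results = [sp.sso_login("ana@old.example", "ana@old.example")]
    # Step 1: email changed in the IdP and in the SP; UID still holds the old value.
    sp.change_email("ana@old.example", "ana@new.example")
    results.append(sp.sso_login("ana@new.example", "ana@new.example"))
    # Step 2: an admin resets the UID; the next login re-links the account.
    sp.reset_sso_uid("ana@new.example")
    results.append(sp.sso_login("ana@new.example", "ana@new.example"))
    results.append(sp.sso_login("ana@new.example", "ana@new.example"))
    return results
```

The walkthrough shows why both steps are needed: updating the email alone leaves the old binding in place, and only the reset lets the next login establish a new one.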

 

Editing email domains of multiple users at once

As an admin, you can batch update the email domain for multiple users at once and have their SSO UIDs reset instantly. 

To do this, start by entering the user management section of your account. Then, select the relevant users by ticking the box to the left of their icons, and click on Change email domain in the bottom pane. Next, enter the new email domain, then click Change email domain. Along with the email domain update, the SSO UID will also be reset for these users.


 

Once the selected users confirm their current email address change, you'll be all set.

Note: Performing this action does not change the prefix of the emails (whatever comes before the @).

 

 

If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.
