Security Assertion Markup Language (SAML) gives users secure access to monday.com (SP) through an identity provider (IDP) of your choice. It works by transferring the user’s identity from one place (the identity provider) to another (monday.com). Enabling SAML through monday.com can be done in few easy steps!
Configure your identity provider
Before setting up SAML SSO within monday.com, it is essential to first set up a connection for monday.com SSO -also known as a connector- with your IDP. We are currently working with three main providers: OKTA, Entra ID (previously known as Azure AD), and OneLogin, but you also have the option to use your own provider.
- To enable SAML using OKTA please click here.
- To enable SAML using OneLogin, please click here.
- Entra ID (previously known as Azure AD), please click here.
- To enable SAML using custom SAML 2.0, please click here.
Now that you've completed this step, it is time to enter your monday.com account to continue setting up SAML SSO! Follow the steps below to proceed. ⬇️
Step 1: Set up SAML SSO for monday.com
Once you've configured your identity provider, you just need to enable SAML into monday.com. To do so, click your profile picture on the top right corner of your screen, and select "Administration".
Once you are in the admin section, select the "Security" section on the left side. then, click on "Single Sign-On (SSO)" listed inside the Authentication policies tab. Then click on "Add SSO policy." We will use OKTA in our example, but you can select any of the other options.
Select your IDP from the list:
Your IDP doesn't appear on the list? No worries! Just select the Custom SAML 2.0 option and grab the SAML SSO Url and Identity provider issuer fields from your IDP.
Fill in the details from your IDP
Fill in the following fields by data from your IDP:
- SAML SSO Url
- Identity provider issuer
- Public certificate
Step 2: Test your SSO connection
Once you've filled out all of the necessary details for your SSO provider, it is time to test your connection! Do note, this step is mandatory in order to proceed with enabling SAML on your account, or before making any other changes.
All you have to do is click on "Test SSO connection" as shown below:
Step 3: Select restrictions and password policy
When setting up SSO, the admin will need to select the login restrictions policy level, meaning they will need to define who must use SSO authentication to log in, or if it is optional.
There are three options in this section:
- Option 1: All users (including guests) must use SSO authentication to log in to monday.com. This option means that all users should be given access to monday.com from within the identity provider in order for them to be able to log in.
-
Option 2: All users, except for guests, must use SSO authentication to log in to monday.com. Guests, on the other hand, will be able to use an email and password to log in instead.
- This is the most commonly used policy option since often times guests are external users and not managed by the internal IT of an organization.
- Option 3: Using SSO authentication is optional for everyone. All users and guests can log in either through SSO or email and password.
If applicable to your company security policy, we recommend using the "All users except guests must use SAML authentication" restriction option. Meaning, every user on the account, aside from guests, is required to log in using SSO. Guests can be invited to shareable boards and log in using an email and password as normal. In this case, guest emails do not need to be active in the account's IDP to be able to log in.
Please note: the password configuration on the SSO screen is not only for guests. It is for all account members who log in through email and password, which includes members and viewers in the case that SSO is defined as optional.
Password policy changes only apply to new passwords and affects new users who are signing up or for existing users who changed their passwords.
Step 4: Activate SSO provider
After successfully following steps 1-3 as listed above, it is time to activate your SSO provider! All you have to do now is click on the "Add SSO Provider" button and then all monday.com users will get an email explaining how to sign in using the selected SSO provider and you're good to go! 🙌
Provisioning
By default monday.com uses Just In Time provisioning, meaning that the user is created in monday.com upon first login if he does not exist.
If you wish to enable SCIM provisioning, please generate the token, and follow your IDP instructions to enable this. Monday.com supports IDP Initiated Flow or SP Initiated Flow. We have an official monday.com application in the Okta Application catalog. To enable, please click here.
In addition, we have an official monday.com application in the OneLogin Application catalog. To enable, please click here.
Lastly, we have an official monday.com application in the Entra ID Application catalog. To enable, please click here.
What will happen once your SSO is enabled?
When you've finished setting up your SSO, each member will receive an email letting them know about the change (also if SSO Restriction Policy is set to optional).
Here is an example of the email:
The email will prompt members to connect their monday.com accounts with your identity provider. From now on, all members can sign in to monday.com with their identity provider account.
Common errors after signing into your SSO provider
Some users might experience difficulties and not be able to use SSO. For example, after entering the credential of the user into the login page of the SSO provider, instead of being redirected back to monday.com page, the user gets an error message saying that the signed in user 'username@email.com' is not assigned to a role for the application (the wording might be slightly different depending on the SSO provider). This means that the Admins of the account should go into the SSO provider your team is using and assign/add this user to the monday.com account.
Another common issue happens when a user changes their email address which leads to an error when they attempt to log in. We'll go over all about this in the following section!
What happens when a user's email address changes?
When a user logs into monday.com using SSO, a back-end connection is made between the identity provider (IDP) and the User ID in monday.com. The connection, called a UID (user ID), connects the identity of an individual in the IDP (their name, email address) to the email address associated with the user in monday.com.
Therefore, if a user changes their email address, they will not be able to log into monday.com any longer until their UID (user ID) is reset. The reason for this is that the UID is connected to the user's previous email address, and when the email is being updated, it will not be automatically connected to the existing UID. Therefore, resetting the UID will allow for the "breaking" of the previous connection and create a new link between the UID and the newly changed email address.
Steps to take when a user's email changes
If a user's email address changes, follow the two steps below and they should be able to log-in to the account again in no time. ⬇️
1. Change the user's email on the IDP and within monday.com
First and foremost, it is important that the user's email address gets changed on the identity provider's end as well as on monday.com. In order to change their email address in monday.com, the relevant user can follow the steps in this article.
Note: When an admin changes a user's email address, the user will then need to confirm their new email address.
2. Resetting the user's UID
Once a user's email has been changed on the IDP and from within monday.com, it is time to reset their UID! To do so, enter into the user management tab of the admin section of the account. From there, locate the user who changed their email address, press on the three-dot menu to the far right, and select "Reset SSO UID" as so:
Once this has been pressed, the user should then be able to log into their monday.com account using their new email address successfully!
Editing email domains of multiple users at once
As an admin, you can batch update the email domain only of multiple users at once and have the SSO UID of these users instantly reset as well. To do this, start by entering the user management section of your account. Then, select the relevant users by ticking the box to the left of their icons, and click on "Change email domain" in the bottom pane.
Next, enter the new email domain and click on "Change email domain". Along with the email domain update, the SSO UID will also be reset for these users.
Then, as soon as the selected users confirm the change of their current email address, you'll be all set!
Note: Performing this action does not change the prefix of the emails (whatever comes before the @).
If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.
Comments