Security Assertion Markup Language (SAML) gives users secure access to monday.com (SP) through an identity provider (IDP) of your choice. It works by transferring the user’s identity from one place (the identity provider) to another (monday.com). Enabling SAML through monday.com can be done in few easy steps!
Step 1: Configure your identity provider
The first step here is to set up a connection for monday.com SSO -also known as a connector- with your IDP. We are currently working with three main providers: OKTA, Azure AD, and OneLogin, but you also have the option to use your own provider.
- To enable SAML using OKTA please click here.
- To enable SAML using OneLogin, please click here.
- To enable SAML using Azure AD, please click here.
- To enable SAML using custom SAML 2.0, please click here.
Step 2: Set up SAML SSO for monday.com
Once you've configured your identity provider, you just need to enable SAML into monday.com. To do so, click your profile picture, and select "Admin".
Once you are in the Admin section, select the "Security" section on the left side. then, click on "Single Sign-On (SSO)" listed inside the Login tab. We will use OKTA in our example, but you can select any of the other options.
Select your IDP from the list:
Fill in the details from your IDP
Fill in the following fields by data from your IDP:
- SAML SSO Url
- Identity provider issuer
- Public certificate
When setting up SSO, the admin will need to select the login restrictions policy level, meaning they will need to define who must use SSO authentication to log in, or if it is optional.
There are three options in this section:
- Option 1: All users (including guests) must use SSO authentication to log in to monday.com. This option means that all users should be given access to monday.com from within the identity provider in order for them to be able to log in.
- Option 2: All users, except for guests, must use SSO authentication to log in to monday.com. Guests, on the other hand, will be able to use an email and password to log in instead.
- This is the most commonly used policy option since often times guests are external users and not managed by the internal IT of an organization.
- Option 3: Using SSO authentication is optional for everyone. All users and guests can log in either through SSO or email and password.
If applicable to your company security policy, we recommend using the "All users except guests must use SAML authentication" restriction option. Meaning, every user on the account, aside from guests, is required to log in using SSO. Guests can be invited to shareable boards and log in using an email and password as normal. In this case, guest emails do not need to be active in the account's IDP to be able to log in.
Step 3: Provisioning
By default monday.com uses Just In Time provisioning, meaning that the user is created in monday.com upon first login if he does not exist.
If you wish to enable SCIM provisioning, please generate the token, and follow your IDP instructions to enable this. Monday.com supports IDP Initiated Flow or SP Initiated Flow. We have an official monday.com application in the Okta Application catalog. To enable, please click here.
In addition, we have an official monday.com application in the OneLogin Application catalog. To enable, please click here.
Lastly, we have an official monday.com application in the Azure AD Application catalog. To enable, please click here.
What will happen once your SSO is enabled?
When you've finished setting up your SSO, each member will receive an email letting them know about the change (also if SSO Restriction Policy is set to optional).
Here is an example of the email:
The email will prompt members to connect their monday.com accounts with your identity provider. From now on, all members can sign in to monday.com with their identity provider account.
Common errors after signing into your SSO provider
Some users might experience difficulties and not be able to use SSO. For example, after entering the credential of the user into the login page of the SSO provider, instead of being redirected back to monday.com page, the user gets an error message saying that the signed in user 'firstname.lastname@example.org' is not assigned to a role for the application (the wording might be slightly different depending on the SSO provider). This means that the Admins of the account should go into the SSO provider your team is using and assign/add this user to the monday.com account.
Another common issue happens when a user changes their email address which leads to an error when they attempt to log in. We'll go over all about this in the following section!
What happens when a user's email address changes?
When a user logs into monday.com using SSO, a back-end connection is made between the identity provider (IDP) and the User ID in monday.com. The connection, called a UID (user ID), connects the identity of an individual in the IDP (their name, email address) to the email address associated with the user in monday.com.
Therefore, if a user changes their email address, they will not be able to log into monday.com any longer until their UID (user ID) is reset. The reason for this is that the UID is connected to the user's previous email address, and when the email is being updated, it will not be automatically connected to the existing UID. Therefore, resetting the UID will allow for the "breaking" of the previous connection and create a new link between the UID and the newly changed email address.
Steps to take when a user's email changes
If a user's email address changes, follow the two steps below and they should be able to log-in to the account again in no time. ⬇️
1. Change the user's email on the IDP and within monday.com
First and foremost, it is important that the user's email address gets changed on the identity provider's end as well as on monday.com. In order to change their email address in monday.com, the relevant user can follow the steps in this article.
2. Resetting the user's UID
Once a user's email has been changed on the IDP and from within monday.com, it is time to reset their UID! To do so, enter into the user management tab of the admin section of the account. From there, locate the user who changed their email address, press on the three-dot menu to the far right, and select "Reset SSO UID" as so:
Once this has been pressed, the user should then be able to log into their monday.com account using their new email address successfully!
As an admin, you can batch update the email domain only of multiple users at once and have the SSO UID of these users instantly reset as well. To do this, start by entering the user management section of your account. Then, select the relevant users by ticking the box to the left of their icons, and click on "Change email domain" in the bottom pane.
Next, enter the new email domain and click on "Change email domain". Along with the email domain update, the SSO UID will also be reset for these users.
Then, as soon as the selected users confirm the change of their current email address, you'll be all set!
If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.