SAML Single Sign-on

It is finally possible to set up SAML SSO with monday.com! This article walks you through all the steps. 3, 2, 1... go!

 

What is SAML? 

Security Assertion Markup Language (SAML) gives users access to monday.com (the service provider, or SP) through an identity provider (IDP) of your choice. It works by transferring the user's identity from one place (the identity provider) to another (monday.com). Enabling SAML in monday.com takes just a few easy steps!

Step 1: Configure your identity provider

The first step is to set up a connection for monday.com SSO (also known as a connector) with your IDP. We currently work with three main providers: OKTA, Azure AD, and OneLogin, but you also have the option to use your own provider.

  • To enable SAML using OKTA, please click here.
  • To enable SAML using OneLogin, please click here.
  • To enable SAML using Azure AD, please click here.
  • To enable SAML using custom SAML 2.0, please click here.

Step 2: Set up SAML SSO for monday.com

Once you've configured your identity provider, you just need to enable SAML in monday.com.

To do so, click your profile picture, and select "Admin".


Once you are in the Admin section, select the "Security" section on the left side. You will then see "SAML" listed inside the Login tab. Make sure to press "Open".


Select your IDP from the list


Note: the expected formats of the SAML SSO Url and Identity provider issuer fields differ slightly from one IDP to another. Selecting an IDP from the list gives you a hint of the value format that IDP uses for these fields.
Your IDP doesn't appear on the list? No worries! Just select the Custom SAML 2.0 option and grab the SAML SSO Url and Identity provider issuer values from your IDP.

 

Fill in the details from your IDP

Fill in the following fields with the data from your IDP:

  • SAML SSO Url
  • Identity provider issuer
  • Public certificate

Note: If your organization wants to send encrypted SAML responses, select "Enable Monday Certificate". This provides the public encryption certificate to enter into the IDP, which ensures monday.com will be able to decrypt the SAML response.
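To show why the Identity provider issuer and Public certificate fields matter, here is an added example (not monday.com code) of the checks a service provider performs on a SAML Response before trusting it. The issuer, ACS URL and entity ID values are assumed, the response is constructed, and the XML signature itself must be verified with an XML-DSig library against the uploaded certificate; this code only checks that a signature is present.

```python
# Added example, not monday.com code: SP-side checks on a SAML Response.
# Assumed values throughout; real signature verification needs an XML-DSig library.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# SP-side configuration (assumed values).
SP_CONFIG = {"idp_issuer": "https://idp.example.com/metadata",  # "Identity provider issuer"
             "acs_url": "https://sp.example.com/saml/acs",       # where the IDP posts responses
             "sp_entity_id": "https://sp.example.com"}           # expected <Audience>
# Constructed sample response; the Signature element is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sp.example.com/saml/acs">
  <saml:Assertion><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature/><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def ts(value):  # SAML timestamps are ISO 8601 in UTC ("Z")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, config, now_iso, skew=timedelta(minutes=2)):
    now, problems = ts(now_iso), []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    # The assertion must come from the configured IDP ("Identity provider issuer"), nobody else.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != config["idp_issuer"]:
        problems.append("issuer mismatch")
    # It must be addressed to our ACS URL and restricted to our entity ID, so an assertion
    # issued for some other service provider cannot be replayed here.
    if root.get("Destination") != config["acs_url"]:
        problems.append("destination is not our ACS URL")
    if config["sp_entity_id"] not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        problems.append("audience does not include our entity ID")
    # It must be inside its validity window (small clock-skew allowance; missing NotOnOrAfter fails closed).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    elif (now + skew < ts(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
          or now - skew >= ts(cond.get("NotOnOrAfter", "1970-01-01T00:00:00Z"))):
        problems.append("assertion outside its validity window")
    # A signature must be present; verify it against the uploaded "Public certificate" with XML-DSig.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    return problems
```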

 

Select Restrictions Policy

While the recommended selection is to require SAML except for guests, we do advise making SAML optional during initial configuration to avoid being locked out of the account in the event of any errors. Once the configuration is done successfully, the selection can be updated.


Note: if it fits your company's security policy, we recommend the "All users except guests must use SAML authentication" restriction option. This means every user on the account, aside from guests, is required to log in using SSO. Guests can be invited to shareable boards and log in with an email and password as normal. In this case, guest emails do not need to be active in the account's IDP to be able to log in.


Step 3: Provisioning

By default, monday.com uses Just In Time provisioning, meaning that a user who does not yet exist in monday.com is created upon their first login.

 

If you wish to enable SCIM provisioning, please generate the token and follow your IDP's instructions to enable it. monday.com supports both IDP-initiated and SP-initiated flows.

 

We have an official monday.com application in the Okta Application catalog. To enable, please click here.

In addition, we have an official monday.com application in the OneLogin Application catalog. To enable, please click here.

 

Note: SCIM provisioning is available on the Enterprise plan only.

 

What will happen once your SSO is enabled?

When you've finished setting up your SSO, each member will receive an email letting them know about the change (even if SAML authentication is set to optional).

The email will prompt members to connect their monday.com accounts with your identity provider. From now on, all members can sign in to monday.com with their identity provider account.

 

Common errors after signing into your SSO provider

Some users might experience difficulties and not be able to use SSO. For example, after entering their credentials on the SSO provider's login page, instead of being redirected back to monday.com, the user gets an error message saying that the signed-in user '<user email>' is not assigned to a role for the application (the wording might differ slightly depending on the SSO provider). This means that the account admins should go into the SSO provider your team is using and assign/add this user to the monday.com application there.

If you have any further questions about setting up SSO with monday.com, feel free to reach out to our Customer Success Team anytime right here.