SAML Single Sign-on

Security Assertion Markup Language (SAML) gives users secure access to monday.com (the service provider, or SP) through an identity provider (IDP) of your choice. The IDP authenticates the user and passes a signed assertion of that identity to monday.com, so the user's password is only ever entered at the IDP and never at monday.com. Enabling SAML in monday.com takes a few easy steps!

Note: SAML SSO is available on Enterprise plans only. Google Single Sign-On is available on Pro and Enterprise plans. To learn more about Google Single Sign-On, click here.

 

Step 1: Configure your identity provider

The first step is to set up a connection for monday.com SSO (also known as a connector) with your IDP. We currently work with three main providers, Okta, Azure AD, and OneLogin, but you also have the option to use any other SAML 2.0 provider.

  • To enable SAML using Okta, please click here.
  • To enable SAML using OneLogin, please click here.
  • To enable SAML using Azure AD, please click here.
  • To enable SAML using custom SAML 2.0, please click here.

Step 2: Set up SAML SSO for monday.com

Once you've configured your identity provider, you just need to enable SAML in monday.com. To do so, click your profile picture and select "Admin".


Once you are in the Admin section, select "Security" on the left side, then click "Single Sign-On (SSO)" under the Login tab. We will use Okta in our example, but you can select any of the other options.


 

Select your IDP from the list:


Note: The formats of the SAML SSO Url and Identity provider issuer values differ slightly between IDPs. Selecting an IDP from the list gives you a hint of the expected format for these fields within that IDP.
Your IDP doesn't appear on the list? No worries! Just select the Custom SAML 2.0 option and take the SAML SSO Url and Identity provider issuer values from your IDP (they are usually published in the IDP's SAML metadata).

 

Fill in the details from your IDP

Fill in the following fields with the data from your IDP:

  • SAML SSO Url
  • Identity provider issuer
  • Public certificate


Note: If your organization wants the IDP to send encrypted SAML responses, select "Enable Monday Certificate". This provides a public encryption certificate to upload to the IDP; the IDP encrypts the response with it, and only monday.com, which holds the matching private key, can decrypt it. Encryption is separate from signing: the IDP still signs the response with its own key, and monday.com verifies that signature using the "Public certificate" you entered above.

 

Select Restrictions Policy

When setting up SSO, the admin needs to select the login restriction policy level, that is, define who must use SSO authentication to log in and for whom it is optional.

Important note: During initial SSO configuration, we advise making SSO optional (the third option) to have the ability to log in with the password in the event of any errors. Once the configuration is done successfully, the selection can then be updated.


There are three options in this section:

  • Option 1: All users (including guests) must use SSO authentication to log in to monday.com. This means every user, guests included, must be assigned the monday.com application in the identity provider in order to be able to log in.
  • Option 2: All users, except for guests, must use SSO authentication to log in to monday.com. Guests, on the other hand, can log in with an email and password instead.
    • This is the most commonly used policy option, since guests are often external users who are not managed by the organization's internal IT.
  • Option 3: SSO authentication is optional for everyone. All users and guests can log in either through SSO or with an email and password.

If your company security policy allows it, we recommend the "All users except guests must use SAML authentication" restriction option. Every user on the account, aside from guests, is then required to log in using SSO. Guests can be invited to shareable boards and log in with an email and password as normal, so guest emails do not need to exist in the account's IDP.

 

Step 3: Provisioning

By default, monday.com uses Just-In-Time (JIT) provisioning: a user who does not yet exist in monday.com is created on their first successful SSO login. Who can get an account is therefore controlled by which users you assign to the monday.com application in your IDP.

If you wish to enable SCIM provisioning instead, generate the SCIM token and follow your IDP's instructions to enable it. monday.com supports both the IDP-initiated flow (the user starts from the IDP's application dashboard) and the SP-initiated flow (the user starts at monday.com and is redirected to the IDP to authenticate). Official monday.com applications are available in the following catalogs:

  • Okta Application catalog: to enable, please click here.
  • OneLogin Application catalog: to enable, please click here.
  • Azure AD Application catalog: to enable, please click here.

 

Note: SCIM provisioning is available on the Enterprise plan only.

 

What will happen once your SSO is enabled?

When you've finished setting up SSO, each member receives an email letting them know about the change (this happens even if the SSO restriction policy is set to optional).


Here is an example of the email:


 

The email prompts members to connect their monday.com accounts with your identity provider. From then on, all members can sign in to monday.com with their identity provider account.

 

Common errors after signing into your SSO provider

Some users might experience difficulties and be unable to use SSO. For example, after entering their credentials on the SSO provider's login page, instead of being redirected back to monday.com the user gets an error saying that the signed-in user 'username@email.com' is not assigned to a role for the application (the wording varies slightly by SSO provider). This means the account admins need to go into the SSO provider your team is using and assign that user to the monday.com application.

Another common issue occurs when a user changes their email address, which leads to an error when they attempt to log in. We'll cover this in the following section!

 

What happens when a user's email address changes?

When a user logs in to monday.com using SSO, a back-end link is created between the user's identity in the identity provider (IDP) and their user account in monday.com. This link, called the SSO UID (user ID), ties the identity the IDP asserts for the individual (their name and email address) to the email address associated with the user in monday.com.

Therefore, if a user changes their email address, they will not be able to log in to monday.com until their UID is reset. The UID is still bound to the user's previous email address, and updating the email does not automatically re-bind the existing UID. Resetting the UID breaks the previous link and lets a new one be created between the UID and the new email address on the user's next login.

 

Steps to take when a user's email changes

If a user's email address changes, simply follow the two steps below and they should be able to log in in no time ⬇️

 

1. Change the user's email on the IDP and within monday.com

First and foremost, the user's email address must be changed both on the identity provider's end and in monday.com. To change their email address in monday.com, the user can follow the steps in this article.

Note: You cannot change someone else's email, even if you are an admin. Every user is only able to change their email themselves.

 

2. Resetting the user's UID 

Once the user's email has been changed both on the IDP and within monday.com, it is time to reset their UID! To do so, go to the user management tab of the Admin section. Locate the user who changed their email address, click the three-dot menu on the far right, and select "Reset SSO UID":


Once this is done, the user should be able to log in to their monday.com account with their new email address!

 

If you have any questions, please reach out to our team by using our contact form. We're available 24/7 and happy to help! 🙂