It is finally possible to set up SAML SSO with monday.com! This article walks you through all the steps. 3, 2, 1... go!
What is SAML?
Security Assertion Markup Language (SAML) gives users access to monday.com (the service provider, SP) through an identity provider (IDP) of your choice. It works by transferring the user's identity from one place (the identity provider) to another (monday.com). Enabling SAML through monday.com can be done in a few easy steps!
Step 1: Configure your identity provider
The first step is to set up a connection for monday.com SSO (also known as a connector) with your IDP. We currently work with three main providers: OKTA, Azure AD, and OneLogin, but you also have the option to use your own provider.
- To enable SAML using OKTA, please click here.
- To enable SAML using OneLogin, please click here.
- To enable SAML using Azure AD, please click here.
- To enable SAML using custom SAML 2.0, please click here.
Step 2: Set up SAML SSO for monday.com
Once you've configured your identity provider, you just need to enable SAML in monday.com. To do so, click your profile picture and select "Admin".
Once you are in the Admin section, select the "Security" section on the left side. Then, click "Single Sign-On (SSO)" listed inside the Login tab. We will use OKTA in our example, but you can select any of the other options.
Select your IDP from the list:
Fill in the details from your IDP
Fill in the following fields with the data from your IDP:
- SAML SSO URL
- Identity provider issuer
- Public certificate
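Most identity providers publish these three values in a SAML 2.0 metadata XML document. As an added example (not monday.com's own code or anything from the original article), the Python script below pulls the entityID (identity provider issuer), the SingleSignOnService URLs and the signing certificate out of such a document, converts the certificate to PEM form, and runs a few sanity checks before the values are pasted into the form. The metadata document, issuer, URLs and certificate bytes are constructed placeholders, not real values.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used by every IDP metadata file.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IDP metadata. The entityID, URLs and certificate
# content are placeholders (the base64 decodes to the word "placeholder").
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBkzCCATmgAwIBAgIEcGxhY2Vob2xkZXI=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def certificate_to_pem(b64_text: str) -> str:
    """Turn the whitespace-laden base64 blob from metadata into a PEM block."""
    raw = "".join(b64_text.split())
    # Reject anything that is not well-formed base64 before it reaches the form.
    base64.b64decode(raw, validate=True)
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract issuer, SSO URLs (by binding) and signing certificates.

    Note: xml.etree is fine for this constructed sample; metadata fetched
    from an untrusted source should be parsed with a hardened parser such
    as defusedxml.
    """
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # "urn:...:bindings:HTTP-Redirect" -> "HTTP-Redirect"
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        sso_urls[binding] = svc.get("Location")

    certificates = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the metadata spec, a KeyDescriptor without "use" serves both
        # signing and encryption, so only an explicit "encryption" is skipped.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certificates.append(certificate_to_pem(cert.text or ""))

    return {
        "issuer": root.get("entityID"),
        "sso_urls": sso_urls,
        "signing_certificates": certificates,
    }


def check_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    if not settings["issuer"]:
        problems.append("missing entityID (identity provider issuer)")
    if not settings["sso_urls"]:
        problems.append("no SingleSignOnService endpoint found")
    for binding, url in settings["sso_urls"].items():
        if not (url or "").startswith("https://"):
            problems.append(f"{binding} SSO URL is not https: {url}")
    if not settings["signing_certificates"]:
        problems.append("no signing certificate found")
    return problems


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    print("Identity provider issuer:", values["issuer"])
    for binding, url in values["sso_urls"].items():
        print(f"SAML SSO URL ({binding}):", url)
    print(values["signing_certificates"][0])
    print("Problems:", check_settings(values) or "none")
```

Which of the SingleSignOnService URLs to paste depends on the binding the service provider uses for the login request; when in doubt, the HTTP-Redirect endpoint is the usual choice for SP-initiated logins, and many IDPs publish the same location for both bindings anyway.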
Select Restrictions Policy
While the recommended selection is to require SAML except for guests, we do advise making SAML optional during initial configuration to avoid being locked out of the account in the event of any errors. Once the configuration is done successfully, the selection can be updated.
Step 3: Provisioning
By default, monday.com uses Just-In-Time (JIT) provisioning, meaning that a user who does not yet exist in monday.com is created upon their first login through the IDP.
If you wish to enable SCIM provisioning, please generate the token and follow your IDP's instructions to enable it. monday.com supports both IDP-initiated and SP-initiated flows. We have an official monday.com application in the Okta Application catalog. To enable it, please click here.
In addition, we have an official monday.com application in the OneLogin Application catalog. To enable it, please click here.
What will happen once your SSO is enabled?
When you've finished setting up your SSO, each member will receive an email letting them know about the change (this also applies when SAML authentication is set to optional).
The email will prompt members to connect their monday.com accounts with your identity provider. From now on, all members can sign in to monday.com with their identity provider account.
Common errors after signing into your SSO provider
Some users might experience difficulties and not be able to use SSO. For example, after entering their credentials on the SSO provider's login page, instead of being redirected back to monday.com, the user gets an error message saying that the signed-in user 'firstname.lastname@example.org' is not assigned to a role for the application (the wording might differ slightly depending on the SSO provider). This means that the admins of the account should go into the SSO provider your team is using and assign/add this user to the monday.com application there.
If you have any further questions about setting up SSO with monday.com, feel free to reach out to our Customer Success Team anytime right here.