Security Assertion Markup Language (SAML) gives users secure access to monday.com (the service provider, or SP) through an identity provider (IDP) of your choice. It works by transferring the user's identity from one place (the identity provider) to another (monday.com). Enabling SAML through monday.com can be done in a few easy steps!
Configure your identity provider
Before setting up SAML SSO within monday.com, you must first set up a connection for monday.com SSO, also known as a connector, with your IDP. We currently work with three main providers: OKTA, Entra ID (previously known as Azure AD), and OneLogin, but you can also use your own provider.
- To enable SAML using OKTA please click here.
- To enable SAML using OneLogin, please click here.
- To enable SAML using Entra ID (previously known as Azure AD), please click here.
- To enable SAML using custom SAML 2.0, please click here.
Now that you've completed this step, it is time to enter your monday.com account to continue setting up SAML SSO! Follow the steps below to proceed. ⬇️
Step 1: Set up SAML SSO for monday.com
Once you've configured your identity provider, you just need to enable SAML in monday.com. To do so, click your profile picture in the top right corner of your screen and select "Administration".
Once you are in the admin section, select "Security" on the left side. Then, click "Single Sign-On (SSO)" under the Authentication policies tab, and click "Add SSO policy." We will use OKTA in our example, but you can select any of the other options.
Select your IDP from the list:
Your IDP doesn't appear on the list? No worries! Just select the Custom SAML 2.0 option and copy the SAML SSO Url, the Identity provider issuer and the public certificate from your IDP.
Fill in the details from your IDP
Fill in the following fields with the data from your IDP:
- SAML SSO Url (the IDP login endpoint monday.com redirects users to)
- Identity provider issuer (the IDP's entity ID, used to check that assertions really come from your IDP)
- Public certificate (the IDP's signing certificate, used to verify the signature on the assertions it sends)
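To show what the "Identity provider issuer" and "Public certificate" fields protect, here is an added example (not monday.com code) of the checks an SP runs on a SAML Response after it has verified the XML signature with the IDP's public certificate: the Issuer must equal the configured issuer, the Destination must be the SP's own assertion consumer URL, the Audience must be the SP's entity ID, and the assertion must be inside its validity window. Signature verification itself needs an XML-DSIG library and is assumed to have happened before these checks. The issuer, URLs and the SAML Response are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What an admin types into the SP's SSO policy (values constructed for this example).
SP_CONFIG = {
    "idp_issuer": "http://www.okta.com/exk1example",       # "Identity provider issuer"
    "acs_url": "https://auth.example-sp.com/saml/consume",  # where the IDP posts the Response
    "sp_entity_id": "https://example-sp.com",               # expected <Audience>
}


class SamlRejected(Exception):
    pass


def _text(node, path):
    found = node.find(path, NS)
    if found is None or not found.text:
        raise SamlRejected(f"missing element {path}")
    return found.text.strip()


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, config, now, clock_skew=timedelta(minutes=2)):
    """Return the asserted NameID and email once the Response passes the SP-side checks.

    Assumes the XML signature was already verified with the IDP's public certificate;
    on an unsigned or unverified document these checks prove nothing.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlRejected("not a samlp:Response")
    if root.get("Destination") != config["acs_url"]:
        raise SamlRejected("Destination does not match our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise SamlRejected("IDP reported a non-Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlRejected("no Assertion")
    # A valid assertion from any other IDP must not log anyone in: compare both issuers exactly.
    for issuer in (_text(root, "saml:Issuer"), _text(assertion, "saml:Issuer")):
        if issuer != config["idp_issuer"]:
            raise SamlRejected(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("no Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before or now - clock_skew >= not_on_or_after:
        raise SamlRejected("assertion outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if config["sp_entity_id"] not in audiences:
        raise SamlRejected("assertion not addressed to this SP")
    name_id = _text(assertion, "saml:Subject/saml:NameID")
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":
            email = _text(attr, "saml:AttributeValue")
    return {"name_id": name_id, "email": email}


# Constructed sample Response (signature element omitted; see the docstring above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://auth.example-sp.com/saml/consume">
  <saml:Issuer>http://www.okta.com/exk1example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exk1example</saml:Issuer>
    <saml:Subject><saml:NameID>dana@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:58:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example-sp.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>dana@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Accept the fresh Response, reject a replay after expiry and a mismatched issuer."""
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    ok = check_response(SAMPLE_RESPONSE, SP_CONFIG, now)
    try:
        check_response(SAMPLE_RESPONSE, SP_CONFIG, now + timedelta(hours=1))
        expired = None
    except SamlRejected as e:
        expired = str(e)
    other_idp = dict(SP_CONFIG, idp_issuer="http://www.okta.com/exkOTHER")
    try:
        check_response(SAMPLE_RESPONSE, other_idp, now)
        wrong_issuer = None
    except SamlRejected as e:
        wrong_issuer = str(e)
    return ok, expired, wrong_issuer
```

The issuer comparison is exact and case-sensitive on purpose: the issuer string you paste into monday.com must match what the IDP sends byte for byte, which is why a copy-paste with a trailing slash or space is a common reason the connection test fails.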
Step 2: Test your SSO connection
Once you've filled out all of the necessary details for your SSO provider, it is time to test your connection! Note that this step is mandatory before you can enable SAML on your account, and again before saving any other changes.
All you have to do is click on "Test SSO connection" as shown below:
Step 3: Activate SSO provider
After successfully completing the steps above, it is time to activate your SSO provider! Click the "Add SSO Provider" button, and all monday.com users will receive an email explaining how to sign in using the selected SSO provider! 🙌
Step 4: Adjust email and password policy
Admins have more flexibility in managing login policies thanks to the customizable email and password policy. This setting lets you exclude specific users from the SSO requirement, so login rules can be adapted to your team's needs.
Click the three dots next to the "Email and password" section and choose "Edit" to select the policy members, that is, to define who the email and password policy applies to: everyone, or only some people (e.g., guests, a single user).
The email and password policy cannot be modified before SSO is activated. By default, once SSO is activated, the email and password policy changes from "Everyone" to "Guests."
There are two options in the email and password policy section:
Option 1: All users (including guests) can log in to monday.com using the email and password policy.
Option 2: Only some people (guests, single user, or both) can use the email and password policy to log in to monday.com.
Choosing "Guests" under "Only some people" would mean that guests can log in using the email and password policy (not only SSO). This is the most commonly used policy option since oftentimes guests are external users not managed by an organization's internal IT.
Choosing "A single user" under "Only some people" would mean that only one chosen team member can log in using the email and password option (not only SSO).
If your company's security policy allows it, we recommend the "Guests" or "Guests and a single user" options under "Only some people" policy members. This means every user on the account, aside from guests and the designated single user, is required to log in using SSO. Guests can be invited to shareable boards and log in with an email and password as normal; their emails do not need to exist in the account's IDP. The single-user option allows one team member to log in with email and password for emergency access if needed. Since that account bypasses SSO, treat it as a break-glass account: keep it to one person and protect it accordingly.
Provisioning
By default, monday.com uses Just-In-Time (JIT) provisioning: a user who does not yet exist in monday.com is created upon their first SSO login.
If you wish to enable SCIM provisioning, generate the token and follow your IDP's instructions to enable it. monday.com supports both IDP-initiated and SP-initiated login flows. We have an official monday.com application in the Okta Application catalog. To enable it, please click here.
In addition, we have an official monday.com application in the OneLogin Application catalog. To enable, please click here.
Lastly, we have an official monday.com application in the Entra ID Application catalog. To enable, please click here.
What will happen once your SSO is enabled?
When you've finished setting up your SSO, each member will receive an email letting them know about the change (even if the SSO restriction policy is set to optional).
Here is an example of the email:
The email will prompt members to connect their monday.com accounts with your identity provider. From now on, all members can sign in to monday.com with their identity provider account.
Common errors after signing into your SSO provider
Some users might experience difficulties and be unable to use SSO. For example, after entering their credentials on the SSO provider's login page, instead of being redirected back to monday.com the user gets an error saying that the signed-in user 'username@email.com' is not assigned to a role for the application (the wording may differ slightly between SSO providers). This means the account admins should go into the SSO provider your team uses and assign this user to the monday.com application there.
Another common issue occurs when a user changes their email address, which leads to an error when they attempt to log in. We'll cover this in the following section!
What happens when a user's email address changes?
When a user logs into monday.com using SSO, a back-end link is created between the identity provider (IDP) and the user's record in monday.com. This link, called the SSO UID (user ID), ties the individual's identity in the IDP (their name and email address) to the email address associated with the user in monday.com.
Therefore, if a user changes their email address, they will no longer be able to log into monday.com until their UID is reset. The UID is tied to the user's previous email address, and an updated email is not automatically attached to the existing UID. Resetting the UID breaks the previous link and lets a new one form between the UID and the new email address on the user's next login.
Steps to take when a user's email changes
If a user's email address changes, follow the two steps below and they will be able to log in to the account again in no time. ⬇️
1. Change the user's email on the IDP and within monday.com
First, the user's email address must be changed both on the identity provider's side and in monday.com. To change their email address in monday.com, the relevant user can follow the steps in this article.
Note: When an admin changes a user's email address, the user will then need to confirm their new email address.
2. Resetting the user's UID
Once the user's email has been changed on the IDP and within monday.com, it is time to reset their UID! To do so, go to the user management tab of the admin section. Locate the user who changed their email address, click the three-dot menu on the far right, and select "Reset SSO UID":
Once this is done, the user will be able to log into their monday.com account using their new email address!
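The following is an added example, not monday.com's implementation, that models the SSO UID binding described above and walks through both steps of the procedure: a toy SP account store that links (issuer, NameID) pairs to local users, provisions unknown users Just-In-Time, and exposes the "Reset SSO UID" action. It also shows what goes wrong if only one side is updated. The issuer, the email addresses and the choice of an email-format NameID are assumptions for this example.

```python
from dataclasses import dataclass, field


class LoginError(Exception):
    pass


@dataclass
class User:
    user_id: int
    email: str


@dataclass
class Directory:
    """Toy SP account store: local users plus the SSO UID links between IDP identities and users."""
    users: dict = field(default_factory=dict)      # user_id -> User
    sso_links: dict = field(default_factory=dict)  # (idp_issuer, name_id) -> user_id
    next_id: int = 1

    def find_by_email(self, email):
        for user in self.users.values():
            if user.email.lower() == email.lower():
                return user
        return None

    def linked_key_for(self, user_id):
        for key, uid in self.sso_links.items():
            if uid == user_id:
                return key
        return None

    def login(self, idp_issuer, name_id, asserted_email):
        """Resolve an already-verified assertion (issuer, NameID, email) to a user, JIT style."""
        key = (idp_issuer, name_id)
        if key in self.sso_links:
            user = self.users[self.sso_links[key]]
            # The UID is bound to the email the user had when the link was made.
            if user.email.lower() != asserted_email.lower():
                raise LoginError("SSO UID is bound to a different email; reset the SSO UID")
            return user
        user = self.find_by_email(asserted_email)
        if user is None:
            user = User(self.next_id, asserted_email)  # Just-In-Time provisioning
            self.users[user.user_id] = user
            self.next_id += 1
        elif self.linked_key_for(user.user_id) is not None:
            # Existing user, but their UID still points at the old IDP identity.
            raise LoginError("user already bound to another IDP identity; reset the SSO UID")
        self.sso_links[key] = user.user_id
        return user

    def reset_sso_uid(self, user_id):
        """Admin action 'Reset SSO UID': drop the binding so the next login re-links."""
        self.sso_links = {k: v for k, v in self.sso_links.items() if v != user_id}

    def change_email(self, user_id, new_email):
        self.users[user_id].email = new_email


ISSUER = "http://www.okta.com/exk1example"  # constructed IDP issuer


def demo():
    """Email change done on both sides, before and after the UID reset; then an IDP-only change."""
    d = Directory()
    dana = d.login(ISSUER, "dana@example.com", "dana@example.com")  # first login creates + links
    # Step 1: change the address on the IDP (new NameID and email attribute) and in monday.com.
    d.change_email(dana.user_id, "dana.new@example.com")
    try:
        d.login(ISSUER, "dana.new@example.com", "dana.new@example.com")
        before_reset = "logged in"
    except LoginError as e:
        before_reset = str(e)
    # Step 2: reset the SSO UID; the same login now succeeds and re-links the same user.
    d.reset_sso_uid(dana.user_id)
    after = d.login(ISSUER, "dana.new@example.com", "dana.new@example.com")

    # Caveat: changing the email on the IDP only leaves the SP unaware of the new address,
    # so JIT provisioning creates a second, duplicate user instead of failing loudly.
    d2 = Directory()
    d2.login(ISSUER, "dana@example.com", "dana@example.com")
    d2.login(ISSUER, "dana.new@example.com", "dana.new@example.com")

    return {
        "before_reset": before_reset,
        "same_user_after_reset": after is dana,
        "idp_only_change_user_count": len(d2.users),
    }
```

The duplicate-user case in the second directory is the practical reason step 1 insists on changing the address on both sides before resetting the UID.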
Editing email domains of multiple users at once
As an admin, you can update only the email domain of multiple users at once, with their SSO UIDs reset instantly as well. To do this, go to the user management section of your account, select the relevant users by ticking the box to the left of their icons, and click "Change email domain" in the bottom pane.
Next, enter the new email domain and click "Change email domain". Along with the domain update, the SSO UID of these users will be reset.
Then, as soon as the selected users confirm the change to their email address, you're all set!
Note: Performing this action does not change the prefix of the emails (whatever comes before the @).
If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.