If you haven't read our first article about SAML, we recommend reading it before this one.
We currently work with four main SAML providers: Okta, OneLogin, Azure AD, and Oracle, but you can also set up custom SAML 2.0 with the provider of your choice. Here is how!
Get the data
You have two options to get the data in order to set up your custom SAML SSO.
- SP (monday.com) metadata:
You can get the metadata of monday.com from this URL:
https://<YOUR_DOMAIN>.monday.com/saml/saml_metadata
- Assertion Consumer Service URL
SSO post-back URL - https://<YOUR_DOMAIN>.monday.com/saml/saml_callback (also known as the Assertion Consumer Service URL)
Entity ID - https://<YOUR_DOMAIN>.monday.com/saml/saml_callback
Attributes to be included in IDP response
- NameID (Required)
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="YOURDOMAIN.monday.com" SPNameQualifier="https://monday.com">Your Unique Identifier</saml:NameID>
</saml:Subject>
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
      NameQualifier="YOURDOMAIN.monday.com" SPNameQualifier="https://monday.com">Your Unique Identifier</saml:NameID>
</saml:Subject>
- Email Attribute (Required)
<saml:Attribute Name="Email"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>
- First Name Attribute (Required)
<saml:Attribute Name="FirstName"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>
- Last Name Attribute (Required)
<saml:Attribute Name="LastName"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
Certificates
monday.com requires that the SAML response is signed, and you will need to paste a valid X.509 certificate in .pem format to verify your identity. This is different from your SSL certificate.
When configuring your SAML settings, you will see a check box to "Enable Monday Certificate". This is used for encrypting SAML assertions sent from the identity provider (IDP) to monday.com.
To enable this, copy the certificate and paste it into your SSO provider console.
If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.