Custom SAML 2.0/ADFS

If you haven't read our first article about SAML, we recommend checking out this article right here before reading this one.

We currently work with two main SAML providers, OKTA and OneLogin, but we also offer the option of setting up custom SAML 2.0 with the provider of your choice. Here is how!

 

Step 1: Get the data

You have two options to get the data in order to set up your custom SAML SSO.

  • SP (monday.com) metadata:

You can get the metadata of monday.com from this URL: https://<YOUR_DOMAIN>.monday.com/saml/saml_metadata

  • Assertion Consumer Service URL

SSO post-back up URL - https://<YOUR_DOMAIN>.monday.com/saml/saml_callback (Also known as the Assertion Consumer Service URL)

Entity ID - https://<YOUR_DOMAIN>.monday.com/saml/saml_callback

 

Step 2: Attributes to be included in IDP response

  • NameID (Required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="YOURDOMAIN.monday.com" SPNameQualifier="https://monday.com">Your Unique Identifier</saml:NameID>
</saml:Subject>

  • Email Attribute (Required)

<saml:Attribute Name="User.Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

  • Username Attribute (Required)

<saml:Attribute Name="User.Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">UserName</saml:AttributeValue>
</saml:Attribute>

  • First Name Attribute (Required)

<saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>

  • Last Name Attribute (Required)

<saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
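A pre-flight check for the Step 2 fields, added here as an example (it is not monday.com's code): it parses a test assertion exported from your IdP and reports required fields that are missing, duplicated or empty. The sample assertion is constructed, flagging a non-persistent NameID Format is an assumption taken from the sample above, and the check does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("User.Email", "User.Username", "first_name", "last_name")
# Assumption: the article's NameID sample uses this format, so others are flagged.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed, unsigned test assertion; last_name is deliberately blank.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Email"><saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Username"><saml:AttributeValue xsi:type="xs:anyType">UserName</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue xsi:type="xs:anyType">  </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems; an empty list means every Step 2 field is present."""
    root = ET.fromstring(xml_text)
    problems = []
    name_ids = root.findall(".//saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1:
        problems.append("expected exactly one NameID, found %d" % len(name_ids))
    else:
        if not (name_ids[0].text or "").strip():
            problems.append("NameID is empty")
        if name_ids[0].get("Format") != PERSISTENT:
            problems.append("NameID Format is not persistent")
    # Group values by attribute name; a repeated name is ambiguous, so flag it.
    seen = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        seen.setdefault(attr.get("Name"), []).append(values)
    for name in REQUIRED_ATTRS:
        if name not in seen:
            problems.append("missing attribute " + name)
        elif len(seen[name]) > 1:
            problems.append("duplicate attribute " + name)
        elif not any(seen[name][0]):
            problems.append("empty attribute " + name)
    return problems
```

Attribute names are matched case-sensitively, so an IdP that emits `email` instead of `User.Email` is reported as missing that attribute.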

 

Step 3: Certificates

monday.com requires that the SAML response is signed, and you will need to paste a valid X.509 .pem certificate to verify your identity. This is different from your SSL certificate.

 

Step 4: Provisioning

By default, monday.com uses just-in-time provisioning, meaning the user is created in monday.com upon first login if they do not already exist.

If you wish to enable full provisioning, please generate the token, and follow your IDP instructions to enable this.

monday.com supports IDP-initiated flow or SP-initiated flow.


Fig1. - SAML token generator.

 

If you have any further questions about setting up SSO with monday.com, feel free to reach out to our customer success team anytime right here.

 

 

 

 

 

 
