
SAML Single Sign-on

 

Security Assertion Markup Language (SAML) gives users secure access to monday.com (the service provider, SP) through an identity provider (IDP) of your choice. It works by transferring the user's identity from one place (the identity provider) to another (monday.com). Enabling SAML through monday.com can be done in a few easy steps!

Note: SAML SSO is available to Enterprise plans only. Google Single Sign-On is available on Pro and Enterprise plans. To learn more about Google Single Sign-On, click here.

 

Configure your identity provider

Before setting up SAML SSO within monday.com, it is essential to first set up a connection for monday.com SSO (also known as a connector) with your IDP. We currently work with three main providers: OKTA, Entra ID (previously known as Azure AD), and OneLogin, but you also have the option to use your own provider.

  • To enable SAML using OKTA, please click here.
  • To enable SAML using OneLogin, please click here.
  • To enable SAML using Entra ID (previously known as Azure AD), please click here.
  • To enable SAML using custom SAML 2.0, please click here.
Note: It is currently not possible to connect multiple identity providers to one monday.com account. However, multiple monday.com accounts can be connected to one identity provider.

 

Now that you've completed this step, it is time to enter your monday.com account to continue setting up SAML SSO! Follow the steps below to proceed. ⬇️

 

Step 1: Set up SAML SSO for monday.com

Once you've configured your identity provider, you just need to enable SAML in monday.com. To do so, click your profile picture in the top right corner of your screen, and select "Administration".

[Screenshot]

 

Once you are in the admin section, select the "Security" section on the left side. Then, click on "Single Sign-On (SSO)" listed inside the Login tab. We will use OKTA in our example, but you can select any of the other options.

[Screenshot]

 

Select your IDP from the list:

[Screenshot]

Note: The formats of the SAML SSO Url and Identity provider issuer fields differ slightly between IDPs. Selecting an IDP from the list gives you a hint of the value format expected for these fields by that IDP.
Your IDP doesn't appear on the list? No worries! Just select the Custom SAML 2.0 option and grab the SAML SSO Url and Identity provider issuer values from your IDP.

 

Fill in the details from your IDP

Fill in the following fields with data from your IDP:

  • SAML SSO Url
  • Identity provider issuer
  • Public certificate

[Screenshot]

Note: If your organization wants to send encrypted SAML responses, select "Enable Monday Certificate". This provides the public encryption certificate to enter into your IDP, which ensures that monday.com will be able to decrypt the SAML response.

 

Step 2: Test your SSO connection

Once you've filled out all of the necessary details for your SSO provider, it is time to test your connection! Note that this step is mandatory before you can enable SAML on your account or make any other changes.

All you have to do is click on "Test SSO connection" as shown below:

[Screenshot]

 

Step 3: Select restrictions and password policy

When setting up SSO, the admin will need to select the login restrictions policy level, meaning they define who must use SSO authentication to log in, or whether it is optional.

Important note: During initial SSO configuration, we advise making SSO optional (the third option) to have the ability to log in with the password in the event of any errors. Once the configuration is done successfully, the selection can then be updated.

[Screenshot]

There are three options in this section:

  • Option 1: All users (including guests) must use SSO authentication to log in to monday.com. This option means that all users should be given access to monday.com from within the identity provider in order for them to be able to log in.
  • Option 2: All users, except for guests, must use SSO authentication to log in to monday.com. Guests, on the other hand, will be able to use an email and password to log in instead.
    • This is the most commonly used policy option, since guests are often external users who are not managed by the organization's internal IT.
  • Option 3: Using SSO authentication is optional for everyone. All users and guests can log in either through SSO or email and password.

If applicable to your company security policy, we recommend using the "All users except guests must use SAML authentication" restriction option. This means every user on the account, aside from guests, is required to log in using SSO. Guests can be invited to shareable boards and log in using an email and password as normal. In this case, guest emails do not need to be active in the account's IDP to be able to log in.

 

Step 4: Activate SSO provider

After successfully following steps 1-3 as listed above, it is time to activate your SSO provider! All you have to do now is click on the "Activate" button and then all monday.com users will get an email explaining how to sign in using the selected SSO provider and you're good to go! 🙌

 

Provisioning

By default, monday.com uses Just-In-Time (JIT) provisioning, meaning that a user is created in monday.com upon first login if they do not already exist.

If you wish to enable SCIM provisioning, please generate the token and follow your IDP's instructions to enable it. monday.com supports both IDP-initiated and SP-initiated flows. We have an official monday.com application in the Okta Application catalog. To enable it, please click here.

In addition, we have an official monday.com application in the OneLogin Application catalog. To enable, please click here.

Lastly, we have an official monday.com application in the Entra ID Application catalog. To enable, please click here.

 

Note: SCIM provisioning is available to the Enterprise plan only.

 

What will happen once your SSO is enabled?

When you've finished setting up your SSO, each member will receive an email letting them know about the change (even if the SSO restriction policy is set to optional).


Here is an example of the email:

[Screenshot of the notification email]

 

The email will prompt members to connect their monday.com accounts with your identity provider. From now on, all members can sign in to monday.com with their identity provider account.

 

Common errors after signing into your SSO provider

Some users might experience difficulties and not be able to use SSO. For example, after entering their credentials on the SSO provider's login page, instead of being redirected back to monday.com, the user gets an error message saying that the signed-in user 'username@email.com' is not assigned to a role for the application (the wording might differ slightly depending on the SSO provider). This means that the account admins should go into the SSO provider your team is using and assign/add this user to the monday.com application.

Another common issue happens when a user changes their email address, which leads to an error when they attempt to log in. We'll go over this in the following section!

 

What happens when a user's email address changes?

When a user logs into monday.com using SSO, a back-end connection is made between the identity provider (IDP) and the User ID in monday.com. The connection, called a UID (user ID), connects the identity of an individual in the IDP (their name, email address) to the email address associated with the user in monday.com.

Therefore, if a user changes their email address, they will not be able to log into monday.com any longer until their UID (user ID) is reset. The reason for this is that the UID is connected to the user's previous email address, and when the email is updated, it is not automatically connected to the existing UID. Resetting the UID "breaks" the previous connection and creates a new link between the UID and the newly changed email address.

 

Steps to take when a user's email changes

If a user's email address changes, follow the two steps below and they should be able to log in to the account again in no time. ⬇️

 

1. Change the user's email on the IDP and within monday.com

First and foremost, it is important that the user's email address gets changed on the identity provider's end as well as on monday.com. In order to change their email address in monday.com, the relevant user can follow the steps in this article. 

Note: When an admin changes a user's email address, the user will then need to confirm their new email address.

 

2. Reset the user's UID

Once a user's email has been changed on the IDP and within monday.com, it is time to reset their UID! To do so, open the user management tab of the admin section of the account. From there, locate the user who changed their email address, click the three-dot menu on the far right, and select "Reset SSO UID" as shown below:

[Screenshot]

Once this has been pressed, the user should then be able to log into their monday.com account using their new email address successfully!

 

Editing email domains of multiple users at once

As an admin, you can batch update only the email domain of multiple users at once and have the SSO UID of these users instantly reset as well. To do this, start by entering the user management section of your account. Then, select the relevant users by ticking the box to the left of their icons, and click on "Change email domain" in the bottom pane.

[Screenshot]

Next, enter the new email domain and click on "Change email domain". Along with the email domain update, the SSO UID will also be reset for these users.

Then, as soon as the selected users confirm the change of their current email address, you'll be all set!

[Screenshot]

Note: Performing this action does not change the prefix of the emails (whatever comes before the @).


If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.