Single Sign-On is only available in our Plus and Enterprise Network plans. Plus workspaces can be configured for SSO using the guide here.
As part of the Company Dashboard in the Enterprise Network plan, Company Administrators can set up their company's SSO integration with MURAL. The SSO section is only visible to new companies or companies with an internal SAML 2.0 SSO integration. For current OAuth or Auth0 integrations, the SSO section is not visible to customers, but can be accessed by MURAL's Enterprise Transformation Managers.
Self-serve SSO allows you to configure the service provider side of the integration without assistance from a MURAL representative.
As seen in the image above, Company Administrators can take the following actions to set up their SSO integration:
- Configure the service provider integration
- Test the authentication flow
- Apply the configuration to the whole company
Configure the Service Provider Integration
For the SSO integration to function properly, both the service provider (SP) and the identity provider (IDP) must be configured.
To configure the IDP, you can download MURAL’s metadata.xml file from the link located at the top of the SSO page. It's important that the following parameters are configured in the IDP:
- Email, first name and last name should be configured as SAML attributes
To configure the service provider, you should complete the following parameters:
- Sign-in URL
- Sign-in certificate
- Request bindings
- Sign-in algorithm
- Audience validation
- Signed authentication request
- Claims/Attributes - The format of the attributes can be unspecified
There are two ways to configure it:
- Uploading the IDP metadata file
- Manually filling all the required fields
Uploading the IDP Metadata File
Most IDP vendors have the ability to generate a metadata file containing information about the IDP configuration. MURAL gives you the ability to upload that file to autocomplete all or some of the fields in the configuration. In order to do so, click on the "Upload XML file" button and select the metadata.xml file on your computer. Note: MURAL only supports .xml extensions for the metadata file.
Once the file is successfully uploaded, you will see the file name and a confirmation message. In addition, you will see all the configuration parameters autocompleted. The number of parameters autocompleted will depend on the information inside the metadata file. Note: If there are mandatory fields missing information, you will need to complete them manually.
The alternative to uploading a metadata file is to directly fill in the parameters in the integration form. Once all the mandatory fields are completed, the Test Single Sign-On button will become enabled.
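The autocomplete step described above reads standard SAML 2.0 IDP metadata. The following is an added illustration (not MURAL's own code) of how such a file maps onto the form fields listed earlier and which mandatory fields are left for manual entry; the mapping of field names to metadata elements, the sample metadata and the placeholder certificate are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata documents
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IDP metadata (not a real identity provider).
# The certificate value is a placeholder, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Form fields that the IDP metadata can fill; the sign-in algorithm is not
# carried by standard metadata, so it always stays empty for manual entry.
MANDATORY = ("sign_in_url", "sign_in_certificate", "request_binding", "sign_in_algorithm")

def parse_idp_metadata(xml_text):
    """Return the form fields recoverable from an IDP metadata document."""
    root = ET.fromstring(xml_text)
    fields = {k: None for k in MANDATORY}
    fields["signed_authn_request"] = None
    fields["idp_entity_id"] = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        sso = idp.find("md:SingleSignOnService", NS)
        if sso is not None:
            fields["sign_in_url"] = sso.get("Location")
            fields["request_binding"] = sso.get("Binding")
        cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                        "ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            fields["sign_in_certificate"] = "".join(cert.text.split())
        want = idp.get("WantAuthnRequestsSigned")
        if want is not None:
            fields["signed_authn_request"] = want.lower() == "true"
    return fields

def missing_mandatory(fields):
    """List the mandatory form fields the metadata did not fill."""
    return [k for k in MANDATORY if fields.get(k) is None]
```

Running `missing_mandatory(parse_idp_metadata(SAMPLE_METADATA))` reports only the sign-in algorithm, which is the case the note above describes: the upload succeeds, but a mandatory field still has to be completed by hand.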
Configure IDP-Initiated Flow
By default, the SSO integration will support SP-initiated flow (when the authentication process begins in https://app.mural.co). However, MURAL also supports IDP-initiated flow for our SAML 2.0 integration. In order to configure IDP-initiated flow, it’s necessary to add a relay state in the IDP configuration. The relay state value is tied to each company and needs to be requested from a MURAL representative.
Testing the Authentication Flow
Once all the mandatory fields are completed, you will have the possibility of testing the SSO integration before making it available to your company.
After the Company Administrator clicks on the "Test Single Sign-On" button, a modal will appear showing a simulated login flow with the configured parameters. Remember, in order for the integration to work, the IDP should also be configured at this stage.
The first step of the flow is the IDP login, where the Company Administrator authenticates against the company's internal systems. If authentication succeeds, the next step shows a profile page with the mapped information. It's important to check that the Email, First name and Last name fields are correctly mapped. If they are not, the configuration needs to be changed to fix the mapping, and the flow re-tested.
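The profile-page check above boils down to whether the IDP's assertion carries attributes that map onto Email, First name and Last name. As an added illustration (not MURAL's own code), the following parses the AttributeStatement of a constructed assertion fragment and reports which profile fields could not be mapped; the attribute names in the mapping table and the sample assertion are assumptions, and the last name is deliberately left out to show how a mapping gap surfaces during the test flow.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Profile fields MURAL expects, mapped to the attribute names the IDP is
# assumed to emit (these names are an assumption, not MURAL's fixed names).
ATTRIBUTE_MAP = {
    "Email": "email",
    "First name": "firstName",
    "Last name": "lastName",
}

# Constructed sample assertion fragment; no lastName attribute is present.
# NameFormat is "unspecified", which the form above says is acceptable.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def map_profile(attrs, mapping=ATTRIBUTE_MAP):
    """Build the profile page fields and list the ones that stayed unmapped."""
    profile, missing = {}, []
    for field, name in mapping.items():
        values = attrs.get(name, [])
        if values and values[0].strip():
            profile[field] = values[0].strip()
        else:
            missing.append(field)
    return profile, missing
```

An empty `missing` list corresponds to the profile page showing all three fields; anything listed there means the IDP attribute release or the claims configuration has to be corrected before saving.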
If there is an authentication error in the testing flow, changes on the IDP or SP side might be needed to fix it. Once the flow is completed and the Company Administrator sees the profile page, the Save Single Sign-On button is enabled.
Apply the Configuration to the Whole Company
The last step of the configuration process is to apply the new SSO integration flow to all company members. After the integration is configured from both sides (IDP & SP) and tested successfully, the Save Single Sign-On button will become enabled. Once clicked, a confirmation modal will appear allowing the Company Administrator to confirm that SSO will be applied to all company members.
End-User Experience After Applying the Configuration
Implementing the new SSO integration will not produce any major changes in the end-user experience.
Currently logged-in users won't be signed out. The next time they sign in, they will be redirected to the SSO integration instead of going through the previous email and password flow.
New users, on the other hand, will auto-provision their accounts through the SSO process from either SP or IDP initiated flows.