Configure SSO with Mural
Quickly, easily, and securely grant members access to Mural using SSO.
Written by Brian Saladino
Updated over a week ago

To make it easy and secure for everyone in your organization to access Mural, you might choose to integrate Mural with your company’s SSO (single sign-on) solution. SSO allows your employees to authenticate into Mural using their company SSO credentials.

For more on identity and access management, see our identity and access management overview.

Configuring SSO with Azure AD and Okta:

This article walks you through a custom SSO configuration. If your organization uses Azure AD or Okta, we have dedicated apps and integrations to configure SSO. You can find more information here:


Pre-configuration

Before you start connecting Mural to your IdP, there are a couple of housekeeping items to take care of. First, you’ll need access to the Mural company dashboard. Then, you’ll download a report of all current Mural member accounts so you can ensure they maintain their access.

Confirm access to the company dashboard

To configure SSO, you’ll need access to the Mural company dashboard. If you don’t have access, please reach out to your Mural company admin. Your company admin can either assist with parts of this configuration or they can work with Mural Support to grant you a company admin role. If you don’t know who your company admin is, contact Mural Support for help.

Download Mural members report

To ensure all existing Mural members maintain their access once you enable SSO, it’s important to review their current account details.

First, download the Total Members report from the company dashboard. Here, you can view each member account and its associated email address. Review each account, ensuring its email address matches the email addresses used by your SSO IdP. If there are any discrepancies, reach out to Mural Support to make updates prior to SSO deployment. When reaching out, please provide:

  • A list of current Mural member accounts' email addresses and the email addresses they should be changed to.

  • SSO implementation date.

Note: Information from the Total Members report can help you establish security groups in your IdP, if applicable, so keep this report handy for future use.


Configuration

Download Mural’s metadata

Configuring SSO is an exchange of information between Mural and your IdP. We provide all the information you need from Mural in a metadata file. You can download the file here.

You can also download Mural’s metadata from the company dashboard:

  1. Click your name in the top right corner of Mural.

  2. Select Manage company.

  3. Click SSO in the left sidebar.

  4. Click Download MURAL’s metadata.


Configure SAML SSO in the IdP

With Mural’s metadata in hand, you can now configure your IdP. Each IdP requires different information, and the steps to input that information also vary. Still, you’ll find everything you need in the metadata file you just downloaded. Below are key details you’ll need to configure in your IdP.

SAML configuration details:

  • Entity ID URL: https://app.mural.co

  • ACS (Assertion Consumer Service) URL: https://app.mural.co/api/v0/authenticate/saml2/callback

(Optional) IdP-initiated authentication:

Mural SSO supports SP-initiated authentication by default. This is when authentication begins with the SP (the service provider; in this case, Mural). That means authentication starts at http://app.mural.co. Mural can also be configured for IdP-initiated authentication, where the authentication process begins with your IdP instead. To do this, you generate a relay state value and save it in your IdP’s SAML settings.

To set up an IdP-initiated flow:

  • Retrieve your Mural company ID from your company dashboard URL. For example: https://app.mural.co/c/YourCompanyId/insights

  • Encode a relay state value by going to https://www.base64encode.org/ and entering the following string with your corresponding company ID. No other value in this string should be updated:

    {"login":true,"returnUrl":"/dashboard","wasVisitorBefore":false,"identityProviderName":"putYourCompanyIdHere"}

  • Save the encoded value in the Relay State field of your IdP’s SAML settings.
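
The relay state can also be built and encoded locally instead of in a web form. The following is an added example, not Mural's own code: the function names are hypothetical and `ExampleCo1234` is a constructed placeholder company ID.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Constructed sample dashboard URL; "ExampleCo1234" is a placeholder company ID.
SAMPLE_DASHBOARD_URL = "https://app.mural.co/c/ExampleCo1234/insights"


def company_id_from_dashboard_url(url: str) -> str:
    """Pull the company ID out of https://app.mural.co/c/<id>/..."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != "app.mural.co":
        raise ValueError("not a Mural company dashboard URL")
    match = re.fullmatch(r"/c/([^/]+)(?:/.*)?", parsed.path)
    if not match:
        raise ValueError("no /c/<company-id>/ segment in the URL path")
    return match.group(1)


def build_relay_state(company_id: str) -> str:
    """Return the Base64 relay state for the JSON string given in the article."""
    payload = {
        "login": True,
        "returnUrl": "/dashboard",
        "wasVisitorBefore": False,
        "identityProviderName": company_id,  # the only value that changes
    }
    # Compact separators reproduce the article's string with no added spaces.
    raw = json.dumps(payload, separators=(",", ":"))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_relay_state(value: str) -> dict:
    """Round-trip check to run before pasting the value into the IdP."""
    return json.loads(base64.b64decode(value, validate=True))


if __name__ == "__main__":
    cid = company_id_from_dashboard_url(SAMPLE_DASHBOARD_URL)
    relay_state = build_relay_state(cid)
    print(relay_state)
    print(decode_relay_state(relay_state))
```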

SAML claims:

Mural user accounts require a first name, last name, and email address to be successfully provisioned and authenticated. The email address is considered the user account’s unique identifier in Mural. In your IdP, you also need to configure specific SAML claims attributes for SSO to work properly with Mural. Here are the required attributes:

  • Name ID (must be formatted as an email address).

  • Email.

  • First Name.

  • Last Name.

If you need help at any point during this step, refer to your IdP’s documentation.

Provisioning with SSO

Mural user accounts are created via JIT (Just-In-Time) provisioning. This means a user’s account is created when they sign in for the first time. However, we recommend configuring automated SCIM provisioning alongside SSO if your IdP supports it. For more information, read our SCIM provisioning article.

Download IdP Metadata

Once you finish configuring your IdP, you should have the option of downloading its metadata as an XML file. This serves the same purpose as the metadata you downloaded from Mural, except now you’re going to input the IdP’s information into Mural.

Remember, every IdP is different. So, if you need help downloading the IdP’s metadata, refer to its documentation. Once you have the metadata, move on to the next section.

Configure SAML SSO in Mural

With your IdP configured, you’re ready to return to Mural. You’ll use your IdP’s metadata to configure Mural as the service provider for SSO authentication. There are two elements to this configuration:

  • Uploading the IdP’s metadata.

  • Adding claim mapping.

Upload the IdP’s metadata

To upload your IdP’s metadata, you have two options. You can upload the entire metadata file (which is an XML file) or you can open the metadata yourself and input the needed details manually.

To configure Mural as the service provider by uploading an XML file:

  1. From the SSO page of the company dashboard, click Upload XML file.

  2. Select the XML file downloaded from your IdP.

  3. Click Open. The Sign in URL and Sign in certificate auto-populate.

If uploading an XML file is unsuccessful, you can also complete this form manually. If this sounds complicated, don’t worry. You can still find the necessary information in the metadata file you downloaded from your IdP. You’ll just need to open it in your browser or a text editor to view it.

To configure Mural as the service provider manually:

  1. From the SSO page of the company dashboard, enter your IdP’s Sign in URL.

  2. Paste or upload your IdP’s Sign in certificate.

  3. Select a Request binding type. The default is HTTP-POST.

  4. Select a Sign in algorithm type. The default is SHA256.

  5. Select/deselect Disable audience validation. This is not selected by default.

  6. Select/deselect Disable signing authentication request. This is not selected by default.

Add claim mapping

Now, you’re ready to add claim mapping. Claim mapping is like the final piece of the bridge you’re building between Mural and your IdP. Let’s say Mural speaks one language and your IdP speaks another. Claim mapping acts as the translator between them.

With claim mapping, you can take attributes from an IdP and assign them to attributes within Mural. For example, one IdP might refer to an individual’s email as emailAddress while another might refer to it as simply email. This is called an attribute’s name. And Mural needs to know that name so it can correctly interpret information from an IdP.

You’ll find the name of each attribute in the same XML metadata file you downloaded from your IdP earlier. These names are in lines of code that look like this:

<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

In this example, you can see that the IdP refers to someone’s email address as just email. That’s found here: Name="email".

Keep in mind that each XML file looks slightly different. So, be prepared to look through the file until you find what you need. To help your search, here are the attributes you need to configure in Mural:

  • Email address.

  • First name.

  • Last name.

  • (Optional) Avatar.

  • (Optional) External ID.

While the External ID is optional, it can be a good idea to include it. On the IdP’s end, the External ID could be a UPN or an employee ID number. Whatever the value, it serves as a unique identifier in case a member’s email changes. For example, if someone’s email changes, the external ID can still identify them so they maintain access even if they’re using a different email. If this happens, Mural automatically updates their member account to reflect their new email address.

Once you’ve found the names of these attributes in your IdP’s XML file, you’re ready to set up claim mapping in your company dashboard.

To configure claim mapping in Mural:

  1. From the SSO page of the company dashboard, enter your IdP’s Email address attribute name.

    Note: The value from the email address claim is used as the unique identifier and email address of a member’s Mural account. If you have existing members using Mural, make sure the claim value matches the email of their existing Mural account.


  2. Enter your IdP’s First name attribute name.

  3. Enter your IdP’s Last name attribute name.

  4. (Optional) Enter your IdP’s Avatar attribute name.

  5. (Optional) Enter your IdP’s External ID attribute name.


Test the SSO configuration

A successful simulated test of your SSO configuration is required before you can save it. You can do this right from the SSO page on your company dashboard.

Note: Testing your SSO configuration simulates a flow between Mural and your IdP. For this to work, you need credentials with your IdP.

To test your SSO configuration:

  1. From the SSO page of the company dashboard, click Test single sign-on. The page redirects to your IdP.

  2. Enter your credentials on the IdP page, if requested. The page returns to Mural.

  3. Verify all attributes mapped correctly in the sample fields shown.

  4. Copy the SSO test link and share it with others to test from more browsers and devices.

    Note: The SSO test link is valid for 60 minutes after you run your test.

  5. Click Save single sign-on.

  6. Click Yes when prompted.

Note: Once you save your SSO configuration, SSO will be enabled for all members. This does not interrupt existing sessions, but all members will be prompted to log in using SSO on their next session.

If your test is not successful, review your metadata entries in both Mural and your IdP to ensure they are correct. Then, run your test again. If you’re unable to fix the issue, reach out to Mural Support for assistance.


FAQ (frequently asked questions)

If you have any questions on SSO, look for answers on our SSO FAQ page.
