MURAL’s SSO (Single Sign-On) capabilities allow you to use a single set of login credentials across all MURAL apps, including the web and mobile versions of MURAL. This process shows you how to set up SSO in MURAL.
To do this, you’ll need an IdP (Identity Provider). Common IdPs you can use include Microsoft Azure AD, Okta, OneLogin, and more.
MURAL also supports Just In Time Provisioning within SSO; it is enabled by default.
1. Go to the MURAL company dashboard and click SSO.
2. Click download MURAL’s metadata.
3. A metadata text file is automatically downloaded. It looks something like this:
4. Go into your IdP and use this metadata file to configure the IdP. We cannot provide exact instructions on how to configure a specific IdP like Azure or OneLogin, because every IdP has a different interface. But eventually, your IdP should be able to generate a configuration XML file. If your IdP does not provide an XML file, you may manually enter the information in MURAL. Here is an example of what this process could look like in Okta:
Please configure these attributes:
1. Name ID - this should be formatted as email address
3. First Name
4. Last Name
5. Go back to the SSO page on the MURAL company dashboard, where you were in step 1.
6. Click Upload XML file.
Note: Here, you are uploading the IdP metadata that you downloaded from your IdP.
7. If step 6 was successful, the page will now be populated with your IdP’s Sign-In URL and Certificate. Confirm that this information is correct. Below is a sample of what this might look like.
8. Sometimes, the sign-in URL doesn’t populate on its own. If this happens, type it in manually. The sign-in URL is in the IdP metadata file: it is the Location of the SingleSignOnService entry whose Binding is HTTP-POST. Here is an example of what it looks like:
9. If step 6 was not successful, fill out the form manually. Our default values are the following:
a. Request Binding is HTTP-POST
b. Sign in Algorithm is SHA-256
c. Audience validation is enabled
d. Signing authentication request is enabled
10. Select if you want to enable the following settings:
Disable audience validation setting: When a member logs in to their Identity Provider (IdP) to access MURAL, the IdP includes an ‘audience’ in the SAML response: a value naming the service provider the response is intended for, which the service provider (i.e. MURAL) checks. Companies can disable this setting if their IdP cannot be configured to set the audience when a login request comes from a particular application.
Disable signing authentication request setting:
During the SAML SSO authentication flow, two signatures are involved. First, when a user logs in, MURAL signs the authentication request with its own key and passes it to the IdP. The IdP then fills in the profile information, signs the response, and MURAL verifies the IdP’s signature on the response it receives. If you disable signing the authentication request, MURAL will not sign the request it sends to the IdP, and your IdP must be willing to accept requests without verifying a signature.
11. You still need to fill out the Claim Mapping section manually. Look at the metadata file that you uploaded in step 6 (or a sample SAML assertion provided by your IdP) and find where it lists the text that is the email address, the first name, and the last name. Copy and paste the attribute names (not values) for email address, first name and last name into the appropriate Claim Mapping input field.
Note: Every metadata file is different and yours may look different from this or may not contain the attribute names. If you need help finding the attribute names for email, firstname, and lastname, contact your IdP administrator and email email@example.com for additional assistance.
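As an added example (not MURAL’s own code), the following Python script covers two of the checks above in one place: the audience validation described under step 10, and finding the attribute names (not values) for the Claim Mapping fields in step 11. It reads a sample SAML assertion such as an IdP can provide, lists the NameID format and every attribute name, checks the Audience against an expected service-provider entity ID, and suggests which attribute to map to email, first name and last name by name matching. The assertion, the attribute names, the entity IDs and the user data are constructed placeholders; the mapping suggestion is a heuristic of this example, not MURAL’s behaviour.

```python
# Added example (not MURAL's code): inspect a sample SAML assertion to
# find claim attribute names and check the audience restriction.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion; issuer, audience, attribute names and
# the person's details are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/mural-placeholder</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeNumber">
      <saml:AttributeValue>E12345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def summarize_assertion(xml_text):
    """Return NameID format/value, audiences and attribute names of an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "audiences": [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text],
        # Attribute *names* are what goes into the Claim Mapping fields.
        "attribute_names": [a.get("Name") for a in root.findall(".//saml:Attribute", NS)],
    }


def check_audience(summary, expected_entity_id):
    """True when the assertion names the expected service provider as its audience.
    A response whose audience does not match must be rejected when validation is on."""
    return expected_entity_id in summary["audiences"]


def suggest_claim_mapping(attribute_names):
    """Heuristic: pick attribute names that look like email, first name, last name."""
    hints = {
        "email": ("email", "mail"),
        "first_name": ("givenname", "firstname", "first"),
        "last_name": ("surname", "lastname", "last", "familyname"),
    }
    mapping = {}
    for field, keys in hints.items():
        for name in attribute_names:
            if any(k in name.lower() for k in keys):
                mapping[field] = name
                break
    return mapping


if __name__ == "__main__":
    summary = summarize_assertion(SAMPLE_ASSERTION)
    print("NameID is email-formatted:", summary["name_id_format"] == EMAIL_NAMEID_FORMAT)
    print("Audience OK:", check_audience(summary, "https://sp.example.com/mural-placeholder"))
    print("Attribute names:", summary["attribute_names"])
    print("Suggested claim mapping:", suggest_claim_mapping(summary["attribute_names"]))
```

Paste the assertion your IdP administrator provides into `SAMPLE_ASSERTION` and pass your service-provider entity ID to `check_audience`; an empty `audiences` list is exactly the situation in which the audience validation setting has to be disabled, and an unmatched audience with validation on means logins will fail.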
12. Optionally fill out Avatar and External ID:
Avatar: This attribute can be configured to populate the Avatar image within Mural. This attribute is optional and needs to be available as an attribute within the IdP.
External ID: If the email attribute is not matched with a MURAL account (for example if an email address is changed after a user is married), External ID will then be used as a unique identifier to update the MURAL account email for future logins. This attribute is also optional.
*Specification: Once SSO is enabled, individual users can no longer upload an avatar image. Unless the Avatar attribute is supplied, the SSO setup leaves this attribute blank and members will be unable to upload an image as an avatar.
13. The form should look like this when you’re done:
14. Click Test Single Sign-On.
15. This generates a simulated login flow. You are brought to the IdP login. Log in with your IdP credentials.
Note: A valid MURAL account is not required for this test, only a valid IdP credential.
16. If you see an image that looks like this, then the test was successful:
Note: Once you have a successful test, a URL is generated called an SSO test link, shown above. This link is valid for 60 minutes. You can share this link with coworkers who can use it to also test the login flow using different endpoints (devices, browsers, etc.) to test all of your SSO login scenarios.
17. If you see an error message, then there was either an error in the IdP configuration or in the MURAL SSO configuration. Try to find and fix the error. If you are unable to fix the error, reach out to support at firstname.lastname@example.org. Once you have fixed the error, go back to step 13 and try the test again until it is successful.
18. Once the test is successful, click Save Single Sign-On. This enables SSO for all users within the configured domain.
19. Click Yes when prompted.
*Specifications: This process only sets up the service provider-initiated flow for SSO and not the identity provider-initiated (IdP-initiated) flow. The IdP-initiated flow cannot be tested from the user's end; a company admin needs to reach out to the support team (email@example.com) to get the necessary info to set it up.