Single Sign-On is only available in our Plus and Enterprise Network plans. Plus plan admins can configure the SSO authentication flow through the MURAL Support team. Enterprise Network plan admins can configure SSO using the guide here.
Download this file. Set up your Identity Provider using the info here (or here, for ADFS). Send the configuration information to firstname.lastname@example.org and we'll arrange a meeting to finish up the SSO configuration with you.
MURAL offers the possibility of configuring an SSO Integration in Plus workspaces, provided you have a private domain. Public email domains such as Gmail or Outlook cannot be set up with a custom SAML Integration.
The steps to set up an SSO integration are:
- Configure your Identity Provider
- Send the metadata file, certificate and attribute names to email@example.com
- Configure the Service Provider - this is done by the MURAL team
- Test the authentication flow together with the MURAL team
- Go Live!
1. Configure the Identity Provider
MURAL can be integrated with most Identity Providers on the market.
If you have an ADFS Identity Provider, please access the documentation here.
For other Identity Providers, use this guide.
Configure IDP-Initiated Flow
By default, the SSO integration will support SP-initiated flow (when the authentication process begins in https://app.mural.co). However, MURAL also supports IDP-initiated flow for our SAML 2.0 integration. In order to configure IDP-initiated flow, it’s necessary to add a relay state in the IDP configuration. The relay state value is tied to each company and needs to be requested from a MURAL representative.
Note: You will need to download the IDP Metadata file from this link.
2. Send the Configuration Settings to MURAL
Send the completed IDP Metadata file by email to firstname.lastname@example.org.
In the email, you should include the following information:
- IDP Metadata File
- SAML Attribute names (the claim names) for Email, First name and Last name. You can optionally add Avatar and External ID. [An external ID would be an employee identification number or something that wouldn't change even if the user's email changes. We encourage sending us an external ID attribute if you have one; this means that if an email changes at the company, it'll automatically change on our end too.]
- Domains of your organization
3. Configure the Service Provider
With this information, the MURAL team will schedule a meeting with you (or your identity management team) to configure the Service Provider. During this meeting, MURAL will provide a test link to verify the Integration before implementing it for your Plus workspace.
4. Testing the Authentication Flow
Once the MURAL Representative sends you the test link, you will have an hour to test the integration. If the link expires, you will need to request a new one.
The first step of the test flow is the IDP login, where you will need to authenticate in your IDP. If it’s correct, the next step will show a profile page like the one below, with mapped information. It’s important to check that the Email, First Name and Last Name fields are correctly mapped.
If there is an authentication error in the testing flow, changes on the IDP or SP side might be needed.
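Before the test meeting, you can check on your side that your IDP actually emits the claim names you sent in step 2. The script below is an added example, not MURAL's code: the claim names in MAPPING, the employeeNumber attribute and the sample assertion are assumptions, so substitute your own IDP's values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Claim names you plan to send to MURAL (assumed values; use your IDP's own).
MAPPING = {
    "Email": CLAIMS + "emailaddress",
    "First name": CLAIMS + "givenname",
    "Last name": CLAIMS + "surname",
    "External ID": "employeeNumber",  # optional, hypothetical attribute name
}
REQUIRED = ("Email", "First name", "Last name")

# Constructed sample assertion fragment, not captured from a real IDP.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname">
      <saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [non-empty values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return found


def check_mapping(assertion_xml, mapping=MAPPING, required=REQUIRED):
    """Return (problems, warnings): required fields go to problems, optional to warnings."""
    found = read_attributes(assertion_xml)
    problems, warnings = [], []
    for field, claim in mapping.items():
        if not found.get(claim):
            state = "empty" if claim in found else "missing"
            (problems if field in required else warnings).append(f"{field}: {claim} is {state}")
    return problems, warnings


if __name__ == "__main__":
    print(*sum(check_mapping(SAMPLE), []), sep="\n")
```

This only checks that the mapped attributes are present and non-empty; it does not verify the assertion's signature, so use it on output from your own IDP's test tooling only.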
5. Go Live!
The last step of the configuration process is to set the new SSO integration flow live. After the integration is configured from both sides (IDP & SP) and tested successfully, you will need to coordinate a date with MURAL to go live.
Once the Integration goes live, you can test it by logging in via https://app.mural.co
End-User Experience After Applying the Configuration
Implementing the new SSO integration will not significantly change the end-user experience.
Currently logged-in users will not be signed out. The next time they sign in, they will be redirected to the SSO flow.
New users, on the other hand, will auto-provision their accounts through the SSO process from either SP- or IDP-initiated flows.