What is Single Sign-On (SSO)?
Single Sign-On Authentication (or SSO Authentication) allows you to log in to multiple applications or Service Providers (SP) using a single set of credentials. Once SSO is configured for you, the SP will route you to your Identity Provider (IdP) to enter your credentials. Once you have has entered valid credentials, the IdP will send a message back to MURAL telling you that your credentials are valid and that you should be allowed access to your MURAL instance.
What are the benefits of SSO?
You only need to remember one set of credentials in order to access MURAL. This provides an improved user experience as you do not need to remember multiple passwords.
MURAL is not responsible for managing the identity of the user. Since the credentials are stored with the customer, there is no risk that user credentials can be stolen from MURAL.
Identity Providers can add additional layers of security before allowing access to MURAL. One common additional layer is Multi-Factor Authentication (MFA) where you must have physical access to your phone as a secondary factor to ensure your identity.
Which MURAL plans support SSO?
Enterprise and Business customers have access to SSO.
Enterprise customers have the ability to configure SSO on their own using the Company Dashboard. Documentation on configuring SAML 2.0 can be found here. Business Customers currently need the support of MURAL resources to configure SSO and should either submit a ticket with Support. Teams+ Customers do not have the ability to configure SSO.
How do I set up SSO?
If you're an Enterprise customer, see our MURAL SSO: Enterprise article. If you're a Business customer, see our MURAL SSO: Business article. SSO is only available for our Enterprise and Business customers.
Can I turn SSO on for only some users and not for all of them?
No - all users in your company with your organization’s email domains will have to use SSO if you enable it. You cannot enable it for some users and not for others.
Can users still use a password after turning on SSO?
No - once SSO is enabled, all users will have to use their Single-Sign on credentials. There won’t be an option for any user to use their password instead. The only way to go back to using a password is if they disable SSO for the company (all users).
Can we turn off SSO? What will happen?
Yes, customer support staff can disable the configuration at any time. All users will go back to logging in with their email and a password. Even if you are on Enterprise (have a company admin and set up SSO on their own) you will not have access to disable it. Only someone from MURAL can turn it off. We can only turn it off if the request comes from the company/workspace/identity provider admin. Please reach out to the Support team (email@example.com) ff you would like to turn it off.
Can SSO be enabled for guests as well?
No - guests will not be affected by SSO. SSO will only affect users with the same email domain as your company. Guests (users outside of your company) will follow their account settings/their own company’s settings for logging in.
What happens to user's content when we enable SSO?
Nothing happens to a user’s content when we enable SSO. You will still have access to all of the same workspaces/rooms/murals. The only thing that changes is the way you log in.
Do users that don't have an account yet need to create one still?
Technically, no, you do not need to create an account. When you log in to MURAL, your account will automatically get created using your SSO credentials (as long as you’ve been added to the active directory in the identity provider). However, you will still need an invitation to access the company’s workspace in MURAL.
Does the SSO Integration support IDP-Initiated flow? Or can I add MURAL to our IDP apps directory?
Yes, the integration supports IDP-initiated flow. We need to provide you with a relay state value to add to your configuration and that will allow you to be able to access MURAL via your app in the identity provider when SSO is enabled.
Is there any way for SSO to allow users to be directly added to the workspace?
No, you will still need an invitation to the workspace from MURAL to be able to access it. However, if you are part of an Enterprise plan, you do have an option in company settings to set a default workspace for your users to join when you first join MURAL. This would have you join that default workspace automatically when you join and would only need an invitation if you need access to another workspace (or any specific content within the default workspace).
Do you support security groups?
No, we currently do not support security groups.
How will SSO log-in differ on the IOS or windows app vs. the browser?
SSO login will not be any different on the browser vs. the Windows or IOS application.
Does MURAL support SCIM provisioning?
Yes, we support SCIM provisioning for enterprise customers. Please click here for more information.