FAQ: SSO

Single Sign-On Authentication (or SSO Authentication) allows you to log in to multiple applications or Service Providers (SP) using a single set of credentials. Once SSO is configured for you, the SP will route you to your Identity Provider (IdP) to enter your credentials. Once you have has entered valid credentials, the IdP will send a message back to MURAL telling you that your credentials are valid and that you should be allowed access to your MURAL instance.

You only need to remember one set of credentials in order to access MURAL. This provides an improved user experience as you do not need to remember multiple passwords.

MURAL is not responsible for managing the identity of the user. Since the credentials are stored with the customer, there is no risk that user credentials can be stolen from MURAL.

Identity Providers can add additional layers of security before allowing access to MURAL. One common additional layer is Multi-Factor Authentication (MFA) where you must have physical access to your phone as a secondary factor to ensure your identity.

Enterprise and Business customers have access to SSO.

Enterprise customers have the ability to configure SSO on their own using the Company Dashboard. Documentation on configuring SAML 2.0 can be found here. Business Customers currently need the support of MURAL resources to configure SSO and should either submit a ticket with Support. Teams+ Customers do not have the ability to configure SSO.

If you're an Enterprise customer, see our MURAL SSO: Enterprise article. If you're a Business customer, see our MURAL SSO: Business article. SSO is only available for our Enterprise and Business customers.

No - all users in your company with your organization’s email domains will have to use SSO if you enable it. You cannot enable it for some users and not for others.

No - once SSO is enabled, all users will have to use their Single-Sign on credentials. There won’t be an option for any user to use their password instead. The only way to go back to using a password is if they disable SSO for the company (all users).

Yes, customer support staff can disable the configuration at any time. All users will go back to logging in with their email and a password. Even if you are on Enterprise (have a company admin and set up SSO on their own) you will not have access to disable it. Only someone from MURAL can turn it off. We can only turn it off if the request comes from the company/workspace/identity provider admin. Please reach out to the Support team (support@mural.co) ff you would like to turn it off.

No - guests will not be affected by SSO. SSO will only affect users with the same email domain as your company. Guests (users outside of your company) will follow their account settings/their own company’s settings for logging in.

Nothing happens to a user’s content when we enable SSO. You will still have access to all of the same workspaces/rooms/murals. The only thing that changes is the way you log in.

Technically, no, you do not need to create an account. When you log in to MURAL, your account will automatically get created using your SSO credentials (as long as you’ve been added to the active directory in the identity provider). However, you will still need an invitation to access the company’s workspace in MURAL.

Yes, the integration supports IDP-initiated flow. We need to provide you with a relay state value to add to your configuration and that will allow you to be able to access MURAL via your app in the identity provider when SSO is enabled.

No, you will still need an invitation to the workspace from MURAL to be able to access it. However, if you are part of an Enterprise plan, you do have an option in company settings to set a default workspace for your users to join when you first join MURAL. This would have you join that default workspace automatically when you join and would only need an invitation if you need access to another workspace (or any specific content within the default workspace).

No, we currently do not support security groups.

SSO login will not be any different on the browser vs. the Windows or IOS application.

Yes, we support SCIM provisioning for enterprise customers. Please click here for more information.