This is an article with answers to the most frequently asked questions about configuring and troubleshooting SSO (single sign-on).
Contents
What is SSO?
SSO is a form of authentication that allows users to log in to multiple applications or SP (Service Providers) using a single set of credentials. Once SSO is configured in Mural, the SP routes users to an IdP (Identity Provider) to enter their credentials. Once they’ve entered valid credentials, the IdP confirms their identity with Mural and grants them access to the application.
What are the benefits of SSO?
SSO is great because it means members only need to remember one set of credentials in order to access Mural. With SSO, Mural is not responsible for managing user identities. So, this offers increased security by only storing credentials in one location (with the IdP).
Some IdPs also add additional layers of security such as MFA (multi-factor authentication) that requires a user to have physical access to their phone as a secondary factor to ensure their identity.
Which Mural plans offer SSO?
Customers on Mural’s Enterprise and Business plans have access to SSO.
Enterprise customers can configure SSO on their own using the company dashboard. Business customers looking to set up SSO must reach out to Mural Support for assistance.
SSO is not available on Mural’s Teams+ plan.
How do I set up SSO?
If you're an Enterprise customer, see our Configure SSO with Mural article. If you're a Business customer, see our Business SSO article.
SSO is only available for our Enterprise and Business customers.
Can I turn SSO on for only some users and not for all of them?
No. When SSO is enabled, it applies to all users in your organization.
Can I set up 2FA (two-factor authentication) in Mural?
If you have SSO set up in Mural, 2FA can be configured directly within your IdP (if offered by the IdP). If you do not have SSO configured, Mural offers a 2FA option that individual users can use for added security on their account.
Can users still use a password after turning on SSO?
No. Once SSO is enabled, all users must use their SSO credentials through the IdP. Users aren’t given the option of logging in with their Mural password instead. To go back to using a dedicated Mural password, SSO for the entire company must be disabled.
Can I turn off SSO? What will happen?
Yes, if you’d like to disable SSO, Mural Support can help. The request to disable SSO must come from your company administrator. If disabled, all users will go back to logging in with their dedicated Mural email and password.
Can I enable SSO for guests?
No. Guests aren’t affected by SSO configurations. SSO only affects your company members. For more information on these collaborator types, see our What is a member in Mural? and What is a guest in Mural? articles.
What happens to user content when SSO is enabled?
Nothing happens to a user’s content when SSO is enabled. Users access to all of the same workspaces, rooms, and murals that they did before. The only thing that changes is the way they log in to Mural.
Do first-time Mural users still need to create an account if SSO is enabled?
The default method for account creation when SSO is enabled is called JIT (Just-in-Time) provisioning. This means that a new user account is created upon first login. This account uses the information provided by the IdP to fill in the new user’s details. Keep in mind that new users still need access to a workspace in Mural before they can start collaborating. For more information, see our Set workspaces for new members article.
Note: The only other way to provision new user accounts besides JIT is called SCIM (System for Cross-domain Identity Management). SCIM allows you to automate the creation and deletion of user accounts without relying on user login.
Does Mural SSO support IdP-Initiated flows? Or can I add Mural to our IdP apps directory?
Yes, Mural SSO supports IdP-initiated flows. In order to set this up you’ll need to configure a relay state value within your IdP. For more information, see our Configure SSO with Mural article. If you need assistance, reach out to Mural Support.
Can I use SSO to automatically add users to a workspace?
This is not currently possible with Mural SSO, but will be offered in a future release.
Can Mural support multiple IdPs?
Not at this time. Mural supports multiple email domains but all users will be routed to a single IdP connection per company.
How can I control who can use SSO to log in to Mural?
Before devising your user access strategy we recommend reading our Mural identity and access overview article to understand the tools Mural offers on this subject.
Most IdPs have some sort of authorized groups functionality, which lets you designate only a certain group of people who can use SSO to log in to an application.You might hear these groups referred to as “Security Groups” or even “AD Groups” if working with Azure AD.
Feel free to reach out to Mural Support if you have further questions around this topic and what would work best for your organization.
How does logging in with SSO differ on the iOS or Windows app vs. in the browser?
Logging in with SSO works the same whether you’re using one of our native applications or the browser to collaborate.
Can you pass additional attributes via SSO like department or pronouns?
Not at this time. The only fields accepted via SSO are email, first name, last name, avatar (optional), and external ID (optional).
Does Mural support SCIM provisioning?
Yes, customers on Mural’s Enterprise plan can implement SCIM provisioning. For more information, see our Automated SCIM provisioning article.