Configure SSO with Mural and Okta
Configure SSO for Mural using our dedicated Okta integration.
Written by Brian Saladino
Updated over a week ago

To make it easy and secure for everyone in your organization to access Mural, you might integrate Mural with your company’s SSO (single sign-on) solution. SSO allows your employees to authenticate into Mural using their existing company SSO credentials. And since Okta is one of the most common IdPs (identity providers) used for SSO, Mural offers a dedicated Okta integration that can speed up configuration.

For more on identity and access management, see our identity and access management overview.




Pre-configuration

Before you start connecting Mural to Okta, there are a couple of housekeeping items to take care of. First, you’ll need access to the Mural company dashboard. Then, you’ll download a report of all current Mural member accounts so you can ensure they maintain their access.

Confirm access to the company dashboard

To configure SSO, you’ll need access to the Mural company dashboard. If you don’t have access, please reach out to your Mural company admin. Your company admin can either assist with parts of this configuration or they can work with Mural Support to grant you a company admin role. If you don’t know who your company admin is, contact Mural Support for help.

Download Mural members report

To ensure all existing Mural members maintain their access once you connect to Okta, it’s important to review their current account details.

First, download the Total Members report from the company dashboard. Here, you can view each member account and its associated email address. Review each account, ensuring its email address matches the email addresses used by your SSO IdP. If there are any discrepancies, reach out to Mural Support to make updates prior to SSO deployment. When reaching out, please provide:

  • A list of current Mural member accounts' email addresses and the email addresses they should be changed to.

  • SSO implementation date.

Note: Information from the Total Members report can help you establish security groups in your IdP, if applicable, so keep this report handy for future use.


Configuration

Install the Mural Okta integration

The first half of this configuration happens in Okta. So, install our Okta integration and follow the Okta-specific instructions. Then, return to this article when you’re instructed to configure Mural. Below you’ll find key details needed to configure Okta.

SAML configuration details:

  • Entity ID URL: https://app.mural.co

  • ACS (Assertion Consumer Service) URL: https://app.mural.co/api/v0/authenticate/saml2/callback

(Optional) IdP-initiated authentication:

Mural SSO supports SP-initiated authentication by default. This is when authentication begins with the SP (service provider, and in this case, Mural). That means authentication starts at http://app.mural.co. Mural can be configured for IdP-initiated authentication, where the authentication process begins with your IdP instead, by generating a relay state value and saving it in your IdP’s SAML settings.

To set up an IdP-initiated flow:

  • Retrieve your Mural company ID from your company dashboard URL. For example: https://app.mural.co/c/YourCompanyId/insights

  • Encode a relay state value by going to https://www.base64encode.org/ and entering the following string with your corresponding company ID. No other value in this string should be updated:

    {"login":true,"returnUrl":"/dashboard","wasVisitorBefore":false,"identityProviderName":"putYourCompanyIdHere"}

  • Save the encoded value in the Relay State field of your IdP’s SAML settings.
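The encoding step above can also be done locally instead of in a web form, and a value already saved in the IdP can be decoded and checked the same way. This is an added example, not part of the original article or Mural's own code; the allowed character set for company IDs is an assumption, and YourCompanyId is the article's placeholder.

```python
import base64
import json
import re

# Assumption: company IDs contain only letters, digits, "-" and "_".
COMPANY_ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def relay_payload(company_id):
    """Return the article's relay state fields for one company ID."""
    if not COMPANY_ID_RE.fullmatch(company_id):
        raise ValueError(f"unexpected characters in company ID: {company_id!r}")
    return {
        "login": True,
        "returnUrl": "/dashboard",
        "wasVisitorBefore": False,
        "identityProviderName": company_id,
    }


def build_relay_state(company_id):
    """Base64-encode the relay state string exactly as the article gives it."""
    # Compact separators reproduce the article's string with no added spaces.
    raw = json.dumps(relay_payload(company_id), separators=(",", ":"))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def check_relay_state(encoded, company_id):
    """Decode a value already saved in the IdP and list any deviations."""
    try:
        data = json.loads(base64.b64decode(encoded, validate=True))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"not base64-encoded JSON: {exc}"]
    if not isinstance(data, dict):
        return ["decoded value is not a JSON object"]
    expected = relay_payload(company_id)
    return [
        f"{key}: got {data.get(key)!r}, expected {expected.get(key)!r}"
        for key in sorted(set(expected) | set(data))
        if data.get(key) != expected.get(key)
    ]
```

Call build_relay_state with your own company ID and paste the result into the Relay State field; check_relay_state returns an empty list when a saved value matches the article's template.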

SAML claims:

Mural user accounts require a first name, last name, and email address to be successfully provisioned and authenticated. The email address is considered the user account’s unique identifier in Mural. In your IdP, you also need to configure specific SAML claim attributes for SSO to work properly with Mural. Here are the required attributes:

  • Name ID (must be formatted as an email address).

  • Email.

  • First Name.

  • Last Name.

Provisioning with SSO

Mural user accounts are created via JIT (Just-In-Time) provisioning. This means a user’s account is created when they sign in for the first time. However, we recommend configuring automated SCIM provisioning alongside SSO if your IdP supports it. For more information, read our SCIM provisioning article.

Upload Okta’s metadata to Mural

With Okta’s metadata in hand, you’re ready to configure the Mural side of SSO. The first step is to upload that metadata on the SSO page of your company dashboard.

To upload Okta’s metadata into Mural:

  1. Click your name in the top right corner of Mural.

  2. Select Company administration.

  3. Click SSO in the left sidebar.

  4. Click Upload XML file.

  5. Select the XML file downloaded from Okta.

  6. Click Open. The Sign in URL and Sign in certificate auto-populate.

  7. Select HTTP-POST as the Request binding type.

  8. Select SHA256 as the Sign in algorithm type.

Add claim mapping

Now, you’re ready to add claim mapping. Claim mapping is like the final piece of the bridge you’re building between Mural and Okta. Let’s say Mural speaks one language and Okta speaks another. Claim mapping acts as the translator between them.

With claim mapping, you can take attributes from Okta and assign them to attributes within Mural. For example, Okta refers to an individual’s first name as firstName. This is called the attribute’s name, and Mural needs to know those names to find all the data it’s looking for.

To configure claim mapping in Mural:

  1. From the SSO page of the company dashboard, type email in the Email address field.

    Note: The value from the email address claim is used as the unique identifier and email address of a member’s Mural account. If you have existing members using Mural, make sure the claim value matches the email of their existing Mural account.

  2. Type firstName in the First name field.

  3. Type lastName in the Last name field.

  4. Type externalId in the External ID field.
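A check of the required SAML claims and the claim mapping names against a decoded assertion, as an added example that is not Mural's or Okta's code. It assumes Okta sends the attributes under the names entered in the mapping above and that names are matched exactly; it inspects claims only (no signature validation), and the sample assertion is constructed.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # names typed into the claim mapping
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample (unsigned, trimmed to the parts checked here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="externalId"><saml:AttributeValue>00u-constructed</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, existing_email=None):
    """List claim problems that would break provisioning or sign-in."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.fullmatch(name_id):
        problems.append(f"NameID is not an email address: {name_id!r}")
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        claims[attr.get("Name", "")] = value.strip()
    by_lower = {name.lower(): name for name in claims}
    for name in REQUIRED:
        if claims.get(name):
            continue
        sent = by_lower.get(name.lower())
        if sent and sent != name:
            problems.append(f"claim sent as {sent!r}, mapping expects {name!r}")
        else:
            problems.append(f"missing or empty claim: {name}")
    email = claims.get("email", "")
    if email and not EMAIL_RE.fullmatch(email):
        problems.append(f"email claim is not an email address: {email!r}")
    # Exact comparison: the article does not say whether case is ignored.
    if existing_email and email and email != existing_email:
        problems.append(f"email claim {email!r} != existing account {existing_email!r}")
    return problems
```

Pass existing_email for a member who already has a Mural account to confirm the email claim matches the address in the Total Members report.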


Test the SSO configuration

A successful simulated test of your SSO configuration is required before you can save it. You can do this right from the SSO page on your company dashboard.

To test your SSO configuration:

  1. From the SSO page of the company dashboard, click Test single sign-on. The page redirects to Okta.

  2. Type your Okta credentials, if requested. The page returns to Mural.

  3. Verify all attributes are mapped correctly in the sample fields shown.

  4. Copy the SSO test link and share it with others to test the configuration from more browsers and devices.

    Note: The SSO test link is valid for 60 minutes after you run your test.

  5. Click Save single sign-on.

  6. Click Yes when prompted.

Note: Once you save your SSO configuration, SSO will be enabled for all members. This does not interrupt existing sessions, but all members will be prompted to log in using SSO on their next session.

If your test is not successful, review your configuration in both Mural and Okta. Then, run your test again. If you’re unable to fix the issue, reach out to Mural Support for assistance.


FAQ (frequently asked questions)

If you have any questions on SSO, look for answers on our SSO FAQ page.
