To make it easy and secure for everyone in your organization to access Mural, you might integrate Mural with your company’s SSO (single sign-on) solution. SSO allows your employees to authenticate into Mural using their existing company SSO credentials. And, since Azure AD is one of the most common IdPs (identity providers) used for SSO, Mural offers a dedicated Azure AD app that can speed up configuration.
For more on identity and access management, see our identity and access management overview.
Pre-configuration
Before you start connecting Mural to Azure AD, there are a couple of housekeeping items to take care of. First, you’ll need access to the Mural company dashboard. Then, you’ll download a report of all current Mural member accounts so you can ensure they maintain their access.
Confirm company dashboard access
To configure SSO, you’ll need access to the Mural company dashboard. If you don’t have access, please reach out to your Mural company administrator. Your company admin can either assist with parts of this configuration or they can work with Mural Support to grant you a company admin role. If you don’t know who your company admin is, contact Mural Support for help.
Download Mural members report
To ensure all existing Mural members maintain their access once you connect to Azure AD, it’s important to review their current account details.
First, download the Total Members report from the company dashboard. Here, you can view each member account and its associated email address. Review each account, ensuring its email address matches the email addresses used by your SSO IdP. If there are any discrepancies, reach out to Mural Support to make updates prior to SSO deployment. When reaching out, please provide:
A list of current Mural member accounts' email addresses and the email addresses they should be changed to.
SSO implementation date.
Note: Information from the Total Members report can help you establish security groups in your IdP, if applicable, so keep this report handy for future use.
Configuration
Install the Mural Identity app
The first half of this configuration happens in Azure AD. So, install our Mural Identity Azure AD app and follow the Azure AD-specific instructions. Then, return to this article when you’re instructed to configure Mural. Below you’ll find key details needed to configure Azure AD.
SAML configuration details:
Entity ID URL:
https://app.mural.co
ACS (Assertion Consumer Service) URL:
https://app.mural.co/api/v0/authenticate/saml2/callback
(Optional) IdP-initiated authentication:
Mural SSO supports SP-initiated authentication by default. This is when authentication begins with the SP (the service provider, which in this case is Mural), so authentication starts at http://app.mural.co. Mural can also be configured for IdP-initiated authentication, where the authentication process begins with your IdP instead. To do this, generate a relay state value and save it in your IdP’s SAML settings.
To set up an IdP-initiated flow:
Retrieve your Mural company ID from your company dashboard URL. For example:
https://app.mural.co/c/YourCompanyId/insights
Encode a relay state value by going to https://www.base64encode.org/ and entering the following string with your corresponding company ID. No other value in this string should be updated:
{"login":true,"returnUrl":"/dashboard","wasVisitorBefore":false,"identityProviderName":"putYourCompanyIdHere"}
Save the encoded value in your IdP SAML setting’s Relay State field.
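The relay state can also be encoded locally instead of on a website. The following is an added example, not Mural's own code; the function names and the set of characters accepted in a company ID are assumptions.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Template copied from the step above; only the company ID placeholder changes.
TEMPLATE = ('{"login":true,"returnUrl":"/dashboard","wasVisitorBefore":false,'
            '"identityProviderName":"putYourCompanyIdHere"}')

def company_id_from_url(dashboard_url):
    """Pull the company ID out of a dashboard URL like .../c/<id>/insights."""
    parts = urlparse(dashboard_url)
    if parts.scheme != "https" or parts.hostname != "app.mural.co":
        raise ValueError("not a Mural dashboard URL")
    match = re.fullmatch(r"/c/([^/]+)(?:/.*)?", parts.path)
    if not match:
        raise ValueError("no /c/<company ID>/ segment in the URL path")
    return match.group(1)

def build_relay_state(company_id):
    """Return the base64 value for the IdP's Relay State field."""
    # Assumption: IDs use only these characters. Anything else (quotes,
    # backslashes, whitespace) would alter the JSON string and is rejected.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", company_id):
        raise ValueError("unexpected character in company ID")
    text = TEMPLATE.replace("putYourCompanyIdHere", company_id)
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def decode_relay_state(value):
    """Decode a saved relay state back to a dict to confirm what was stored."""
    return json.loads(base64.b64decode(value, validate=True))

if __name__ == "__main__":
    cid = company_id_from_url("https://app.mural.co/c/YourCompanyId/insights")
    encoded = build_relay_state(cid)
    print(encoded)
    print(decode_relay_state(encoded))
```

Running `decode_relay_state` on the value already saved in the IdP is a quick way to confirm that only the company ID differs from the template.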
SAML claims:
Mural user accounts require a first name, last name, and email address to be successfully provisioned and authenticated. The email address is considered the user account’s unique identifier in Mural. In your IdP, you also need to configure specific SAML claims attributes for SSO to work properly with Mural. Here are the required attributes:
Name ID (must be formatted as an email address).
Email.
First Name.
Last Name.
Provisioning with SSO
Mural user accounts are created via JIT (Just-in-Time) provisioning. This means a user’s account is created when they sign in for the first time. However, we recommend configuring automated SCIM provisioning alongside SSO if your IdP supports it. For more information, read our SCIM provisioning article.
Upload Azure AD’s metadata to Mural
After you’ve completed the necessary steps in Azure AD, you’ll download the federation metadata XML file and upload it to the SSO page of the Mural company dashboard.
To upload Azure AD’s metadata into Mural:
Click your name in the top right corner of Mural.
Select Manage company.
Click SSO in the left sidebar.
Click Upload XML file.
Select the XML file downloaded from Azure AD.
Click Open. The Sign in URL and Sign in certificate auto-populate.
Note: If these fields don’t auto-populate, copy and paste the details directly from Azure AD.
Select HTTP-POST as the Request binding type.
Select SHA256 as the Sign in algorithm type.
Add claim mapping
Now, you’re ready to add claim mapping. Claim mapping is the final piece of the bridge you’re building between Mural and Azure AD. Let’s say Mural speaks one language and Azure AD speaks another. Claim mapping acts as the translator between them.
With claim mapping, you can take attributes from Azure AD and assign them to attributes within Mural. For example, Azure AD refers to an individual’s email address using the URL http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. This is called the attribute’s name, and Mural needs to know those names to find all the data it’s looking for.
To configure claim mapping in Mural:
From the SSO page of the company dashboard, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the Email address field.
Note: The value from the email address claim is used as the unique identifier and email address of a member’s Mural account. If you have existing members using Mural, make sure the claim value matches the email of their existing Mural account.
Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname in the First name field.
Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname in the Last name field.
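The required attributes listed under SAML claims and the claim names mapped above can be checked against an assertion issued by your IdP before rollout. This is an added example, not Mural's code; the assertion is a constructed, unsigned fragment, and `member_emails` is assumed to be the email column of the Total Members report.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {"Email": BASE + "emailaddress", "First Name": BASE + "givenname",
            "Last Name": BASE + "surname"}

# Constructed, unsigned assertion fragment; the user is a placeholder and the
# surname claim is left out on purpose.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject><NameID>ada.lovelace@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="{b}emailaddress">
      <AttributeValue>ada.lovelace@example.com</AttributeValue></Attribute>
    <Attribute Name="{b}givenname"><AttributeValue>Ada</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>""".format(b=BASE)

def check_claims(assertion_xml, member_emails=()):
    """List the problems in one assertion; member_emails comes from the
    Total Members report (how it is loaded is left to the reader)."""
    root = ET.fromstring(assertion_xml)
    claims = {a.get("Name"): (a.findtext(SAML + "AttributeValue") or "").strip()
              for a in root.iter(SAML + "Attribute")}
    problems = [f"missing claim: {label}"
                for label, name in REQUIRED.items() if not claims.get(name)]
    name_id = (root.findtext(f".//{SAML}NameID") or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("Name ID is not formatted as an email address")
    email = claims.get(REQUIRED["Email"], "")
    if email and member_emails and email not in member_emails:
        # Whether Mural compares case-insensitively is not stated, so a
        # case-only difference is reported rather than assumed harmless.
        if email.lower() in {m.lower() for m in member_emails}:
            problems.append("email claim differs only in case from a member")
        else:
            problems.append("email claim matches no existing member")
    return problems

if __name__ == "__main__":
    print(check_claims(SAMPLE, ["ada.lovelace@example.com"]))
```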
Test the SSO configuration
A successful simulated test of your SSO configuration is required before you can save it. You can run a test right from the SSO page on your company dashboard.
To test your SSO configuration:
From the SSO page of the company dashboard, click Test single sign-on. The page redirects to Azure AD.
Enter your Azure AD credentials, if requested. The page returns to Mural.
Verify all attributes mapped correctly in the sample fields shown.
Copy the SSO test link and share it with others to test from more browsers and devices.
Note: The SSO test link is valid for 60 minutes after you run your test.
Click Save single sign-on.
Click Yes when prompted.
Note: Once you save your SSO configuration, SSO will be enabled for all members. This does not interrupt existing sessions, but all members will be prompted to log in using SSO on their next session.
If your test is not successful, review your configuration in both Mural and Azure AD. Then, run your test again. If you’re unable to fix the issue, reach out to Mural Support for assistance.
FAQ (frequently asked questions)
If you have any questions on SSO, look for answers on our SSO FAQ page.