All Collections
Mural for Enterprises
Mural identity and access management
Mural identity and access management
Learn about the options Mural offers for authenticating and provisioning users.
Brian Saladino avatar
Written by Brian Saladino
Updated over a week ago

In order to start using Mural, users must successfully sign in and gain access to a Mural workspace. This article focuses on the different ways users can authenticate in to Mural and the advanced access management options available with Mural Business and Enterprise plans.

Note: You can grant unauthenticated access to individual murals by inviting collaborators as visitors. This is only possible if an authenticated user shares the mural link and if visitor link permissions are enabled.


Signing in to Mural (authentication)

Mural’s built-in authentication feature

Mural natively supports authenticated access by requiring a user to enter their email address and password. New Mural users are prompted to create their password during the initial sign-up process.

Individual users have the option to enable 2FA (two-factor authentication) on their Mural user account but it is not required by default.

Note: Mural’s Enterprise plan provides the option to enforce the usage of 2FA for all users who are using Mural’s built-in authentication feature.

What is SSO (single sign-on)?

A company’s SSO solution enables their employees to sign in to various independent applications using a single set of company-managed credentials. The software hosting the SSO solution is called the IdP (identity provider). An IdP is a third-party system or service that provides authentication and authorization services to other applications or systems, such as Mural. Azure AD (Active Directory) and Okta are examples of popular IdPs.

What are the SSO capabilities of Business/Enterprise plans?

SSO is available to both Enterprise and Business plans. The only difference between the two plan types is that SSO configuration is completely self-serve for Enterprise, whereas Business plan customers must reach out to Mural Support for setup.

Once SSO is configured, employees are redirected to their company’s SSO login screen when signing in using their company email address.

Note: Users with external email addresses will not be prompted to sign in with the company SSO.

What are the advantages of integrating Mural with an SSO solution?

  • Improved user experience: Improves employees’ sign-in experience when using various company apps by consolidating to a single set of credentials.

  • Security benefits: Enables the company’s IT team to enforce their internal authentication process for Mural access. IT admins can allow/deny authenticated access to Mural by leveraging the access management controls within their IdP.

    IT teams typically employ enhanced security policies within their SSO solution (such as longer minimum password length, requiring regular password changes, and enhanced multi-factor authentication options) to ensure all company apps are uniformly secured for authenticated access. These advanced controls are not available with Mural’s built-in authentication feature, but they are with SSO.

How can you integrate Mural SSO with an IdP?

To integrate Mural SSO with an IdP, please see the instructions linked below:

Additionally, we recommend all Mural Enterprise plan customers configure automated SCIM provisioning as well as SSO if their IdP supports it.

Mural user account creation (provisioning)

Mural’s default user account creation/provisioning process

When using Mural’s native authentication feature, first-time Mural users are required to click Create your account, enter their account details manually, and establish a password.

The act of creating a user account during the initial sign-in process is called JIT (Just-In-Time) provisioning. This is the default manual process by which first-time Mural user accounts are created.

Default SSO provisioning process (without SCIM provisioning)

By default, companies with SSO enabled will also leverage JIT provisioning for account creation.

New users are required to click the Create your account link when signing in to Mural for the first time. The user will then be routed to their company’s SSO login screen to complete the authentication process. Once they successfully sign in, their Mural account will be created using the information passed from their identity provider. They will not be required to manually set a password because the company’s SSO integration takes over the Mural authentication process.

SCIM & SSO (only available on Mural’s Enterprise plan)

What is SCIM provisioning?

SCIM (System for Cross-domain Identity Management) is a way to manage user identities and access across different systems and applications. This allows IT admins to automatically create, update, and deactivate Mural member accounts on a Mural product level based on synchronized actions they perform within a company’s IdP. SCIM is only supported for employees at the company, and implementing SSO is a prerequisite when configuring SCIM provisioning.

In addition to automated provisioning, SCIM can automate user profile updates (first name, last name, and email address) based on changes performed in the company’s IdP. If a user leaves the organization, or if their access to Mural has been revoked, a SCIM call is sent in near-real time to deactivate their Mural user account.

SCIM deprovisioning offers enhanced security because the “kick-out” happens immediately. Without SCIM (with only SSO in place), users are simply blocked from signing in again after any active sessions end.

Why would a company implement SCIM provisioning?

  • Improved user experience: SCIM allows new user accounts to be automatically created before they sign in for the first time. As a result, new users are not required to click the Create your account link when signing in to Mural for the first time, giving them quicker access to Mural. The default JIT provisioning setting can be disabled, which allows the IdP to fully control the user account creation process.

  • Security benefits: SCIM offers the ability to automatically deactivate Mural user accounts based on synchronized deprovisioning/deactivation actions performed in the company’s IdP. So, if you deactivate a user in your IdP, that user is also blocked from performing any authenticated activity in Mural. They are also immediately prevented from accessing any Mural content that requires signing in to their Mural user account.

  • Improved synchronization with Mural: SCIM can automatically sync Mural user account attributes (first name, last name, and email address) from a company’s IdP. If users have been provisioned/deprovisioned in the IdP, their active/deactivated status will also be synced over to Mural. All the relevant information from their IdP will be accurately reflected in Mural’s user management portals and native reports/logs.

  • Custom landing page: After implementing SCIM provisioning and turning off JIT provisioning, Enterprise plan customers have the option to leverage a Mural-hosted custom landing page. This is displayed to unprovisioned users when they attempt to sign in to Mural. Company admins can customize the text & the URL behind the button to properly re-route new users to any sort of software request process that might be in place.

How can Enterprise plan customers configure SCIM provisioning?

Note: Integrating Mural with SSO is a prerequisite to configuring SCIM provisioning in your IdP. SCIM provisioning cannot be implemented on its own.

To configure SCIM provisioning, follow the instructions linked below:

Accessing workspaces in Mural

A workspace is where a user creates Mural content and collaborates with others. Companies subscribed to Mural’s Enterprise plan have the ability to create and manage multiple workspaces that reside under their Mural Company tenant. We recommend all new Enterprise plan customers set a default workspace to ensure their employees can gain swift access to Mural. Additional options for establishing new users' access to workspaces can be found in our Set workspaces for new members article.

Those not on an Enterprise plan do not have the option of managing multiple workspaces, so new users are automatically granted access to the single workspace that is part of their plan.

Did this answer your question?