Miro SAML Single Sign-On (SSO) integration
This topic contains procedures to configure Miro for Single Sign-On (SSO) in CyberArk Identity using SAML.
With CyberArk Identity, you can choose single-sign-on (SSO) access to the Miro web application with IdP-initiated SAML SSO (for SSO access through the Identity User Portal) or SP-initiated SAML SSO (for SSO access through the Miro web application), or both. Providing both methods gives you and your users maximum flexibility.
Miro SSO supported features
This application template supports the following features:
- SP-initiated SSO
- IDP-initiated SSO
- SCIM-based user provisioning
- Role-to-Group Mapping (Group should be created in the Miro Admin Portal prior to mapping)
Prerequisites for Miro SSO
Configuring the Miro SAML template for SSO requires a Miro account with Enterprise access.
Configure the Miro app template in the Identity Administration portal
The following procedure describes the steps in the Identity Administration portal needed to configure the Miro app template for SSO.
Step 1: Add the Miro web app template.
- In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
- On the Search page, enter the application name in the Search field and click the search button.
- Next to the application name, click Add.
- On the Add Web App page, click Yes to confirm.
- Click Close to exit the Application Catalog.
  The application opens to the Settings page.
Step 2: Configure the Settings page.
Set an app name, description, category, and logo if you want to change them.
Step 3: Configure the Trust page.
- In the Identity Provider Configuration section, select Metadata, then click Download Metadata File to download the IdP metadata.
  This file is used later when you configure the SAML integration in Miro.
- In the Service Provider Configuration section, select Manual Configuration, then review the following pre-configured SAML settings and click Save after you finish.

  | Setting | Description |
  | --- | --- |
  | SP Entity ID | Matches the service provider identifier URL found in the Miro Admin Portal. |
  | Assertion Consumer Service (ACS) URL | Matches the service provider reply URL from the Miro Admin Portal. |
Step 4: Configure the Permissions page to grant Miro users SSO access.
Grant SSO access to Miro by assigning permissions to users, groups, or roles.
- On the Permissions page, click Add.
- Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.
  The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
- Select the permissions you want and click Save.
  Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.
  Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.
Step 5: Review and save.
Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.
Configure Miro for SAML single sign-on
The following procedure describes the steps in the Miro Admin Portal needed to configure the Miro app template for SSO.
- Sign in to Miro with enterprise credentials.
- Click the Profile Icon, then go to Profile Settings > Security.
- Enable SSO/SAML.
- Enter the SAML Sign-in URL and Key x509 Certificate details.
  These details are available in the metadata file downloaded from the CyberArk Idaptive portal. Refer to Configure the Trust page.
- Enter the email domain and validate the domain with an email under the same domain.
- Click Save.
Miro SCIM provisioning
SCIM is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as SAML apps. For more information about SCIM, see https://scim.cloud/ and https://datatracker.ietf.org/doc/html/rfc7644.
Step 1: Enable SCIM provisioning in Miro.
- Click the Profile Icon, then go to Profile Settings > Security.
- Enable SCIM Provisioning.
- Select the Send email notifications to users provisioned by SCIM checkbox if you want to send notification email to users.
- Copy the Base URL and Api Token values.
  You need these values to enable SCIM provisioning in the CyberArk Identity Miro app template.
Step 2: Enable SCIM provisioning in CyberArk Identity.
- Enter SCIM Service URL and Bearer Token values.
  These are the values you copied from Miro in Enable SCIM provisioning in Miro.

  | CyberArk Identity field | Miro equivalent field |
  | --- | --- |
  | SCIM Service URL | Base URL |
  | Bearer Token | Api Token |
- Click Verify.
- Under Sync Options, specify how CyberArk Identity handles situations when it determines that the user already has an account in the target application.
  How CyberArk Identity determines duplicate user accounts:
  If the user accounts in CyberArk Identity and the target application match for the fields that make the user unique, then CyberArk Identity handles the user account updates according to your instructions. In many applications, the user's email address or Active Directory userPrincipalName is the primary field used to identify a user, and in many cases the userPrincipalName is the email address. You can look at the application's provisioning script to see the fields that CyberArk Identity uses to match user accounts.
  - Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).
  - Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.
  - Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
- Select Deprovision users in this application when they are disabled in source directory to enable the feature.
  If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.
- Provide necessary role mappings as shown in the image below.
- If required, provide necessary mappings under the Provisioning Script section.
- Click Save.
Now the application is ready for SCIM provisioning.
Additional information
To test IDP-initiated SSO, launch the application from the CyberArk Identity User Portal. For SP-initiated SSO, use the following URL:
For additional resources, refer to integration support documents at:
https://help.miro.com/hc/en-us/articles/360017571414-Single-sign-on-SSO-