Miro SAML Single Sign-On (SSO) integration

This topic contains procedures to configure Miro for Single Sign-On (SSO) in CyberArk Identity using SAML.

With CyberArk Identity, you can choose single-sign-on (SSO) access to the Miro web application with IdP-initiated SAML SSO (for SSO access through the CyberArk Identity User Portal) or SP-initiated SAML SSO (for SSO access through the Miro web application), or both. Providing both methods gives you and your users maximum flexibility.

Miro SSO supported features

This application template supports the following features:

  • SP-initiated SSO

  • IdP-initiated SSO

  • SCIM-based user provisioning

  • Role-to-Group Mapping (Group should be created in the Miro Admin Portal prior to mapping)

Prerequisites for Miro SSO

Configuring the Miro SAML template for SSO requires a Miro account with Enterprise access.

Configure the Miro app template in the CyberArk Identity Admin Portal

The following procedure describes the steps in the CyberArk Identity Admin Portal needed to configure the Miro app template for SSO.

Step 1: Add the Miro web app template.

  1. In the Admin Portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search tab, enter the application name in the Search field and click the search icon.

  3. Next to the application name, click Add.

  4. In the Add Web App screen, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Settings page.

Set an app name, description, category, and logo if you want to change them.

Step 3: Configure the Trust page.

  1. In the Identity Provider Configuration section, select Metadata, then click Download Metadata File to download the IdP metadata.

    This file is used later when you configure the SAML integration in Miro.

  2. In the Service Provider Configuration section, select Manual Configuration, then review the following pre-configured SAML settings and click Save after you finish.

    Setting                                 Description
    SP Entity ID                            Matches the service provider identifier URL found in the Miro Admin Portal.
    Assertion Consumer Service (ACS) URL    Matches the service provider reply URL from the Miro Admin Portal.

Step 4: Configure the Permissions page to grant Miro users SSO access.

Grant SSO access to Miro by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

    The Select User, Group, or Role window appears.

  2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Change the permissions if you want to add additional control or you prefer not to automatically deploy the application.

Step 5: Review and save.

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure Miro for SAML single sign-on

The following procedure describes the steps in the Miro Admin Portal needed to configure the Miro app template for SSO.

  1. Sign in to Miro with enterprise credentials.

  2. Click the Profile Icon, then go to Profile Settings > Security.


  3. Enable SSO/SAML.

  4. Enter the SAML Sign-in URL and Key x509 Certificate details.

    These details are available in the metadata file downloaded from the CyberArk Idaptive portal. Refer to Configure the Trust page.

  5. Enter the email domain and validate the domain with an email under the same domain.

  6. Click Save.

Miro SCIM provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

Step 1: Enable SCIM provisioning in Miro.

  1. Click the Profile Icon, then go to Profile Settings > Security.

  2. Enable SCIM Provisioning.

  3. Select the Send email notifications to users provisioned by SCIM checkbox if you want to send notification email to users.

  4. Copy the Base URL and Api Token values.

    You need these values to enable SCIM provisioning in the CyberArk Identity Miro app template.

Step 2: Enable SCIM provisioning in CyberArk Identity.

  1. Enter SCIM Service URL and Bearer Token values.

    These are the values you copied from Miro in Enable SCIM provisioning in Miro.

    CyberArk Identity field    Miro equivalent field
    SCIM Service URL           Base URL
    Bearer Token               Api Token

  2. Click Verify.

  3. Under Sync Options, specify how CyberArk Identity handles situations when it determines that the user already has an account in the target application.

    How CyberArk Identity determines duplicate user accounts:

    If the user accounts in the CyberArk Identity and the target application match for the fields that make the user unique, then CyberArk Identity handles the user account updates according to your instructions. In many applications, the user’s email address or Active Directory userPrincipalName is the primary field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the application’s provisioning script to see the fields that CyberArk Identity uses to match user accounts.

    • Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).

    • Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.

    • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.

    • Select Deprovision users in this application when they are disabled in source directory to enable the feature.

      If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.

  4. Miro does not support creating groups. You need to uncheck the Sync groups from local directory to target checkbox.

  5. Provide necessary role mappings as shown in the image below.

  6. If required, provide necessary mappings under Provisioning Script section.

  7. Click Save.

    Now the application is ready for SCIM provisioning.

Additional information

To test IdP-initiated SSO, launch the application from the CyberArk Identity User Portal. To test SP-initiated SSO, use the following URL:

https://miro.com/sso/login/

For additional resources, refer to integration support documents at:

https://help.miro.com/hc/en-us/articles/360017571414-Single-sign-on-SSO-