SSO loop

  • 26 April 2021
  • 7 replies
  • 465 views

Userlevel 1

Hello,

I have the Miro Consultant plan, and one of my customers is caught in a loop regarding SSO. Here’s what I suspect is the setup:

  • the larger corporate customer of mine has a Miro account established with SSO, but not everyone at this large company has been given Miro access.
  • the individual at this corporation I’m working with, Billy, is one of those people who have not been connected to that SSO capability.
  • when Billy tries to create a Miro account using his corporate email address, he gets caught in a loop while trying to proceed with Miro without using SSO. He selects the “sign in without SSO” option, but that takes him right back to the SSO sign-in screen.

I have screenshots Billy took explaining this to me, but don’t see any way to upload a file. Is Billy’s only option to not use his corporate email address to create a Miro account?

Any ideas would be appreciated!
….Peter

Best answer by Peter J Borsella 5 May 2021, 16:27

Userlevel 7

@Peter J Borsella - Thanks for the detailed description of the issue. For starters, you should be able to insert Billy’s screenshots using the insert image option:

 

Userlevel 7

@Peter J Borsella - Also, have you had a chance to review the SSO Help Center article?

https://help.miro.com/hc/en-us/articles/360017571414-Single-Sign-On-SSO-

Userlevel 1

Hello,

Yes, I checked the help doc, and could only find this telling item:

“Your company account's end-users with the corporate domains must log into Miro via the SSO option using their identity provider credentials.”

Does this really mean that once the corporate domain is established with SSO that users are not allowed to connect to Miro using that domain in any form other than SSO? That would explain the loop.

Also, thanks for the advice on inserting an image:  

 

Userlevel 7

@Peter J Borsella - I found the following two posts on the subject of SSO and suspect that, yes, now that Billy’s email domain is listed in an SSO-capable Miro plan (Business or Enterprise), he may not be able to sign up using email + password:

The way I understand the underlined portion, Billy won’t be able to sign up with an email + password. So, this leads to the question: What do people in Billy’s situation do? Since you are a paid customer, you could open a Miro support ticket (and include a link to this post) and ask, but they may be more responsive if the question comes directly from Billy (or you could both ask :wink: ).

As a paid customer you can open the support form link here (and share the same link with Billy):

learning center → Get help → Support

 

Userlevel 1

Thank you for your attentiveness, @Robert Johnson.  This indeed leads me to the conclusion that this could be done better.  I’ll look into opening a ticket, and for now, I can ask Billy and all the other people at his company I’ve encountered with the same problem to try using a personal email.  

….Peter

Userlevel 1

I’ve been delayed in coming back to this topic, but those of you interested might find the reply I received helpful…

----------  My email to Miro support follows -----------------------

It appears that when a corporation has a Miro account set up for SSO with their domain, all user emails under that domain need to sign on using SSO. However, not all members of the corporation are authorized Miro users, so the only other option is for them to use a personal email, which for some, is an added burden. Is there no way to allow them to "register/sign in using your email without SSO"?

----------  Excerpt from Miro support follows -----------------------

Thanks for reaching out and addressing your request! I'm happy to help :) 
 

“It appears that when a corporation has a Miro account set up for SSO with their domain, all user emails under that domain need to sign on using SSO.”


SSO affects only members and non-team users who have access to the Enterprise/Business account when their profile domain reaches one of the account's verified domains.

To be more precise, for a user to log in via SSO, all of the following conditions must be met simultaneously (if one of these conditions is not met, users will be able to log in using other authorization options (the standard login+password, Google, Facebook, Slack, and O365 buttons)):
 

  • User must be a member or a non-team user of the account with SSO enabled.


- A Member is a user who takes a seat in your account. They have access to all the team-shared boards and can create their own boards/projects there.

- A Non-Team user is a collaborator who doesn't have access to all the boards in your team and can't create their own. They only see those boards to which you invited them specifically with either commenting or viewing access level.
 

  • The email address of the user should be associated with the Enterprise account's verified domains.


For example, if the user is a non-team member in your account, but the email contains the @gmail.com domain, while the verified domain in the account is @clarkconstruction.com, this user should log in via standard authorization options.
 

“Is there no way to allow them to "register/sign in using your email without SSO"?”


Answering your question, users with their personal email addresses with public domains (gmail.com) or with domains that are not verified in the account with SSO enabled will be able to be members of the account, but should log in via other authorization options (the standard login+password, Google, Facebook, Slack, and O365 buttons).

Userlevel 7

@Peter J Borsella - Thanks for the detailed update!