Setting up SSO and SAML authentication in monday.com Enterprise
We're moving to monday.com Enterprise and need to set up SAML SSO with Okta/Google Workspace. What's the proper configuration and what security considerations should we address?
3 Answers
Here's the Enterprise SSO setup process:
1) In monday.com, go to Admin > Security > Single Sign-On.
2) Choose your IdP (Okta, Google, Azure AD, etc.).
3) Download the SAML metadata file.
4) In your IdP, create a new SAML application and upload the metadata.
5) Configure attribute mapping: Email (required), First Name, Last Name.
6) Enable 'Enforce SSO' in monday.com to require SSO for all logins.

Key security considerations: Enable MFA requirements in the IdP, set up session timeout policies (we use 4 hours), configure automatic user deprovisioning when employees leave (SCIM integration), and review the 'Login History' dashboard regularly. The monday.com support team was actually very helpful during our setup - schedule a call with them.
We use Okta with monday.com. The key is setting up the correct attribute statements. Okta requires: NameID format set to 'emailAddress', and attributes for firstName and lastName. One common issue: make sure the email in monday.com matches exactly with the IdP - domain matching alone isn't enough. Also, test thoroughly with a small group before rolling out to everyone.
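A pre-rollout check for the NameID format, attribute statements and exact email match described in the answer above, as an added example that is not part of the original answers or of any monday.com or Okta tooling. The function name `lint_assertion`, the sample assertion and the account email list are constructed for illustration; the attribute names `firstName` and `lastName` are taken from the answer.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName")  # attribute names as given in the answer

# Constructed sample assertion (unsigned, illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed list of account emails as they exist on the monday.com side.
MONDAY_EMAILS = ["jane.doe@example.com", "sam@example.com"]


def lint_assertion(xml_text, account_emails):
    """Return mapping problems in one assertion (no signature verification)."""
    # Real IdP responses are untrusted input: parse those with a hardened XML parser.
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return ["missing NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    email = name_id.text
    if email not in account_emails:
        # Exact comparison, as the answer advises; near-misses are reported as a hint.
        near = [e for e in account_emails if e.lower() == email.strip().lower()]
        hint = f" (differs only by case/whitespace from {near[0]})" if near else ""
        problems.append(f"NameID {email!r} has no exact account match{hint}")
    sent = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for attr in REQUIRED_ATTRS:
        if attr not in sent:
            problems.append(f"attribute {attr} not sent")
    return problems


if __name__ == "__main__":
    for p in lint_assertion(SAMPLE_ASSERTION, MONDAY_EMAILS):
        print("FAIL:", p)
```

Running it against an assertion captured from each pilot user's test login shows mapping problems before 'Enforce SSO' is switched on.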
Don't forget about SCIM (System for Cross-domain Identity Management) for automated user provisioning. This automatically adds/removes users based on your IdP. Combined with SSO, it provides complete lifecycle management. We also set up conditional access policies in Azure AD to only allow monday.com access from managed devices. This is crucial for compliance requirements.