What is Single Sign-On (SSO) and how do I enable it for my organization?

Updated today

What is Single Sign-On (SSO)?

Single Sign-On (SSO) allows users in your organization to authenticate to the Mistral AI platform with their existing credentials from your corporate identity provider (IdP), such as Okta, Google Identity Platform, or Azure Entra ID.

Enabling SSO for your domain helps to simplify user management and enhance security.

Key Benefits:

  • Centralized Authentication: Users log in using their familiar corporate credentials, managed by your organization's IdP, reducing password fatigue and the risk associated with multiple credentials.

  • Simplified User Management: User accounts can be centrally managed and provisioned through your Identity Provider (IdP) and created instantly on our platform upon the user's first sign-in.

🔑 Single Sign-On is currently only available for Enterprise plans. Please take a moment to look over this overview for a detailed list of Enterprise features.

Prerequisites

⚠️ Before you can enable this feature, you must successfully verify ownership of your domain within the platform.

🔎 For detailed instructions, please see the guide: How do I verify my domain?

Steps to Enable SSO

Configuring SSO involves setting up a SAML application in your identity provider and providing the necessary configuration details to the Mistral AI platform.

1. Navigate to Access Settings

Go to your settings and click on Access under the Administration section in the left-hand navigation menu.

Click Access in the administration settings menu

🔑 Only users with the Admin role can configure SSO.

2. Initiate SSO Activation

On the Access settings page, locate the Authentication section. Find the Single Sign-On (SAML SSO) option and click the Activate SSO button.

Clicking the Activate SSO button

3. Configure SSO in the Modal

An instruction modal will appear, guiding you through the configuration steps. You will need to coordinate actions between this modal and your identity provider's admin console.

Step 1: Configure SAML Application in your Identity Provider (IdP)

  • In your IdP's admin console, create a new SAML 2.0 application for Mistral AI.

  • During setup, your IdP will require specific information from the Mistral AI platform. Copy the ACS URL (Assertion Consumer Service URL) and Entity ID from the modal window and paste them into the corresponding fields in your IdP configuration.

📌 Use the "copy" icon provided in the modal to ensure you capture the full and correct URLs.

Step 2: Configure Attribute Mapping in your IdP

  • To ensure user details are correctly passed to Mistral AI, you must map attributes in your IdP's SAML application configuration:

    • Map the user's first name attribute in your IdP to firstName.

    • Map the user's last name attribute in your IdP to lastName.

🚨 These attribute names (firstName, lastName) are case-sensitive.

  • Configure the Name ID Format (also known as Name Identifier Format or Application Username) in your IdP to be EmailAddress. This ensures the user's email address is used as the primary identifier.

SSO configuration modal showing ACS URL, Entity ID, and attribute mapping requirements

Step 3: Provide IdP Metadata XML

  • Once your SAML application is correctly configured in your IdP, it should provide you with SAML metadata, usually as an XML file or text to copy.

  • Paste the whole XML into the text box provided at the bottom of the Mistral AI SSO configuration modal.

  • Click the Enable SSO button.

Paste the IdP metadata XML, then click Enable SSO

4. Confirmation and Troubleshooting

If the configuration is valid, you will receive a success message, and SSO will be enabled for your domain. Users attempting to log in with an email from your verified domain will now be redirected to your IdP.

If you encounter an error, double-check that the SAML application in your IdP is configured correctly (ACS URL, Entity ID, Attribute Mapping, Name ID Format) and that the pasted XML is accurate and complete.
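The attribute mapping and Name ID Format from Step 2 can be checked against a decoded SAML response from a test login. The script below is an added example, not Mistral AI's code. It assumes you have the response XML as plain text; the function name and the sample are constructed for illustration. It checks the mapping only and does not validate signatures.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName")  # case-sensitive, per the article

def check_assertion(xml_text):
    """Return a list of mapping problems found in a decoded SAML response."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    problems = []
    name_id = root.find(f".//{SAML}Subject/{SAML}NameID")
    if name_id is None:
        problems.append("no NameID in the assertion Subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value does not look like an email address")
    names = [a.get("Name", "") for a in root.iter(f"{SAML}Attribute")]
    for required in REQUIRED_ATTRS:
        if required in names:
            continue
        # Distinguish a wrong-case mapping from a mapping that is absent.
        near = [n for n in names if n.lower() == required.lower()]
        if near:
            problems.append(f"attribute {near[0]!r} must be spelled {required!r} (case-sensitive)")
        else:
            problems.append(f"attribute {required!r} is missing")
    return problems

# Constructed sample: wrong case on firstName and a non-email NameID.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE) or ["mapping looks correct"]:
        print(problem)
```

If your IdP encrypts assertions, the attributes are not visible in the captured response, so review the mapping in the IdP console instead.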

If issues persist, feel free to contact our support for further assistance.

🔎 Should you ever need to deactivate this feature, please refer to the related article: How do I disable Single Sign-On (SSO)?