What is Single Sign-On (SSO)?
Single Sign-On (SSO) allows users in your organization to authenticate to the Mistral AI platform using their existing corporate identity provider (IdP) credentials (like Okta, Google Identity Platform, Azure Entra ID).
Enabling SSO for your domain helps to simplify user management and enhance security.
Key Benefits:
Centralized Authentication: Users log in using their familiar corporate credentials, managed by your organization's IdP, reducing password fatigue and the risk associated with multiple credentials.
Simplified User Management: User accounts can be centrally managed and provisioned through your Identity Provider (IdP) and created instantly on our platform upon the user's first sign-in.
Single Sign-On is currently only available for Enterprise plans. Please take a moment to look over this overview for a detailed list of Enterprise features.
Prerequisites
⚠️ Before you can enable this feature, you must successfully verify ownership of your domain within the platform.
For detailed instructions, please see the guide: How do I verify my domain?
Steps to Enable SSO
Configuring SSO involves setting up a SAML application in your identity provider and providing the necessary configuration details to the Mistral AI platform.
1. Navigate to Access Settings
Go to your settings and click on Access under the Administration section in the left-hand navigation menu.
Click Access in the administration settings menu
Only users with the Admin role can configure SSO.
2. Initiate SSO Activation
On the Access settings page, locate the Authentication section. Find the Single Sign-On (SAML SSO) option and click the Activate SSO button.
Clicking the Activate SSO button
3. Configure SSO in the Modal
An instruction modal will appear, guiding you through the configuration steps. You will need to coordinate actions between this modal and your identity provider's admin console.
Step 1: Configure SAML Application in your Identity Provider (IdP)
In your IdP's admin console, create a new SAML 2.0 application for Mistral AI.
During setup, your IdP will require specific information from the Mistral AI platform. Copy the ACS URL (Assertion Consumer Service URL) and Entity ID from the modal window and paste them into the corresponding fields in your IdP configuration.
Use the "copy" icon provided in the modal to ensure you capture the full and correct URLs.
Step 2: Configure Attribute Mapping in your IdP
To ensure user details are correctly passed to Mistral AI, you must map attributes in your IdP's SAML application configuration:
Map the user's first name attribute in your IdP to firstName.
Map the user's last name attribute in your IdP to lastName.
🚨 These attribute names (firstName, lastName) are case-sensitive.
Configure the Name ID Format (also known as Name Identifier Format or Application Username) in your IdP to be EmailAddress. This ensures the user's email address is used as the primary identifier.
SSO configuration modal showing ACS URL, Entity ID, and attribute mapping requirements
Step 3: Provide IdP Metadata XML
Once your SAML application is correctly configured in your IdP, it should provide you with SAML metadata, usually as an XML file or text to copy.
Paste the whole XML into the text box provided at the bottom of the Mistral AI SSO configuration modal.
Click the Enable SSO button.
Paste the IdP metadata XML then click on Enable SSO
4. Confirmation and Troubleshooting
If the configuration is valid, you will receive a success message, and SSO will be enabled for your domain. Users attempting to log in with an email from your verified domain will now be redirected to your IdP.
If you encounter an error, double-check that the SAML application in your IdP is configured correctly (ACS URL, Entity ID, Attribute Mapping, Name ID Format) and that the pasted XML is accurate and complete.
If issues persist, feel free to contact our support for further assistance.
Should you ever need to deactivate this feature, please refer to the related article: How do I disable Single Sign-On (SSO)?