How to secure Monday.com
To configure Monday.com with XFA you need the Enterprise license that includes the SAML Single Sign On feature. You can find more information about the different licenses here.
Monday.com has a Custom SSO feature which uses SAMLv2 which can be used to chain XFA with your identity provider to check device security before allowing a user to login. This guide will describe all steps needed to link Monday.com to your identity provider with XFA.
Note: This article assumes that you have an account set up with XFA for your organization and your are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.
Configure Monday.com in your identity provider
Use our specific identity provider guides to learn how to setup an application with the provided settings.
Entity ID: https://<YOUR_MONDAY_DOMAIN>.monday.com/saml/saml_callback
ACS URL / Redirect URL: https://device-api.xfa.tech/saml2/consume
Signed Response: false
The ACS URL / Redirect URL is different than the standard Monday.com configuration
Creating an application in XFA
A guide on how to create an application in XFA can be found here.
Assertion Consumer Service URL: https://<YOUR_MONDAY_DOMAIN>.monday.com/saml/saml_callback
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)\
Configure Monday.com with XFA
1. Login to Monday.com
Navigate to your Monday.com domain and login with your admin account.
2. Go to Profile > Administration > Security > Single Sign On (SSO)
Use the following settings to configure Monday.com with XFA.
SSO Provider: Custom SAML 2.0
SAML SSO Url: (from XFA application)
Identity Provider Issuer: (from XFA application)
Public certificate: (from XFA application)
Enable Monday certificate: false
3. Test the configuration
Click on Test SSO connection to test the configuration. You should be redirected to your identity provider to login, after which your device security will be checked by XFA before coming back to Monday.com.
4. Configure the Login Restrictions Policy
Configure the Login Restrictions Policy to your liking. We recommend to start with Using SSO authentication is optional to test the configuration and then change it to All users except guests must use SSO authentication to enforce the use of SSO and make sure that only secure devices can access Monday.com.
5. Activate the configuration
Click on Activate SSO to activate the configuration. Your users will now be asked to verify their device security with XFA in addition to their identity before they can login to Monday.com.