Skip to main content

How to secure

License requirements

To configure with XFA you need the Enterprise license that includes the SAML Single Sign On feature. You can find more information about the different licenses here. has a Custom SSO feature which uses SAMLv2 which can be used to chain XFA with your identity provider to check device security before allowing a user to login. This guide will describe all steps needed to link to your identity provider with XFA.

Note: This article assumes that you have an account set up with XFA for your organization and your are an admin for that organization. If you do not have an account, you can create one at

Configure in your identity provider

Use our specific identity provider guides to learn how to setup an application with the provided settings.

SAML Application Settings in IDP

Entity ID: https://<YOUR_MONDAY_DOMAIN>
ACS URL / Redirect URL:
Signed Response: false


The ACS URL / Redirect URL is different than the standard configuration

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL: https://<YOUR_MONDAY_DOMAIN>
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)\

Configure with XFA

1. Login to

Navigate to your domain and login with your admin account.

2. Go to Profile > Administration > Security > Single Sign On (SSO)

Use the following settings to configure with XFA.

Settings to use in

SSO Provider: Custom SAML 2.0
SAML SSO Url: (from XFA application)
Identity Provider Issuer: (from XFA application)
Public certificate: (from XFA application)
Enable Monday certificate: false

3. Test the configuration

Click on Test SSO connection to test the configuration. You should be redirected to your identity provider to login, after which your device security will be checked by XFA before coming back to

4. Configure the Login Restrictions Policy

Configure the Login Restrictions Policy to your liking. We recommend to start with Using SSO authentication is optional to test the configuration and then change it to All users except guests must use SSO authentication to enforce the use of SSO and make sure that only secure devices can access

5. Activate the configuration

Click on Activate SSO to activate the configuration. Your users will now be asked to verify their device security with XFA in addition to their identity before they can login to