Single sign-on (SSO)

SAML single sign-on (SSO) lets members of your Organization sign in with your corporate identity provider (IdP). Any user with an email address that matches your verified domain is redirected to your configured IdP to authenticate.

Information

You need an Enterprise plan to configure SAML SSO.

How SAML SSO works

  1. A user enters an email address that matches a verified domain.
  2. Mistral redirects the user to your configured IdP.
  3. The IdP authenticates the user with your corporate credentials and policies.
  4. The user returns to Mistral signed in.
  5. On first sign-in, Mistral provisions the user account in your Organization.

Information

Organization SSO uses SAML 2.0. OpenID Connect (OIDC) is not supported for Organization SSO.

Prerequisites

Before you configure SSO, make sure you have:

  • an Enterprise plan;
  • at least one verified domain;
  • permission to create a SAML 2.0 application in your IdP;
  • SAML metadata XML from your IdP.

You also need these attribute mappings:

Attribute            Value
User's first name    firstName
User's last name     lastName
Name ID format       EmailAddress

Configure SSO

Start SSO setup in Admin

  1. Open Admin Panel > Administration > Access in the Admin Panel.
  2. In Organization Access, find Single Sign-On (SAML SSO).
  3. Click Activate SSO.
  4. Keep the SSO configuration modal open while you configure your IdP.

Create the SAML app in your IdP

  1. In your IdP admin console, create a SAML 2.0 application for Mistral.
  2. Copy the ACS URL and Entity ID from the Mistral modal into your IdP configuration.
  3. Map the user attributes from the prerequisites section.
  4. Export or copy the SAML metadata XML from your IdP.

Enable SSO in Admin

  1. Paste the complete metadata XML into the text box in the Mistral SSO configuration modal.
  2. Click Enable SSO.

Users with email addresses matching your verified domain are redirected to your IdP for authentication.

What users experience

  1. The user goes to the Mistral login page.
  2. The user enters their work email address.
  3. The password field disappears, and the user sees Continue with [Organization name].
  4. The user authenticates with their corporate credentials on the IdP login page.
  5. The user returns to Mistral signed in.

Supported identity providers

Any compliant SAML IdP can work. The most commonly used providers are:

  • Microsoft Entra ID (formerly Azure Active Directory)
  • Google Workspace / Google Identity Platform
  • Okta

Refer to your IdP's documentation for specific SAML application setup instructions.

Automatic seat assignment

You can automatically assign seats to users when they first sign in through SSO, if they have access to your Organization and seats are available.

Automatic seat assignment can apply to:

  • Team seats;
  • Mistral Code Enterprise seats.

Configure automatic seat assignment from Admin Panel > Administration > Access.

Disable SSO

You can disable SSO at any time from Admin Panel > Administration > Access in the Admin Panel.

Warning

Disabling SSO means users can no longer sign in through your IdP. They need to set a password through the reset flow or be re-invited. Automatic user provisioning also stops. Consider enabling Email domain authentication before disabling SSO.

Troubleshooting

If SSO fails after configuration:

  • Verify that the ACS URL and Entity ID match exactly between Mistral and your IdP.
  • Confirm that the attribute mappings use the exact names firstName and lastName; the names are case-sensitive.
  • Check that Name ID Format is set to EmailAddress.
  • Make sure the metadata XML is complete and correctly pasted.
  • Contact support if issues persist.