This guide is for universities and institutions with campus-wide workspaces preparing to implement Single Sign-On (SSO) and optionally SCIM (System for Cross-domain Identity Management) with Mentimeter.
It should be used alongside Mentimeter’s general setup guides to ensure your configuration is adapted to campus-wide needs, helping you onboard users correctly and avoid common issues such as duplicate accounts.
It outlines:
How to set up SSO and SCIM correctly
How to onboard new users
How to migrate existing users
Why matching email formats is essential to avoid duplicate accounts
General Setup Resources
Before you begin, make sure your IT team has access to these general setup articles:
Setting Up SSO
To enable SSO in Mentimeter:
Follow our SSO setup guide
Make sure the email address (in the SAML response) uses the same format as your users' existing Mentimeter accounts (e.g. firstname.lastname@example.com)
Use a persistent NameID (e.g. employeeID or another unchanging unique identifier)
Important: Mentimeter matches users based on the email address the first time they log in via SSO. If the email shared in the SAML response uses a different format than what’s already used in your Mentimeter workspace, it may result in duplicate accounts being created.
To prevent this, make sure the email attribute configured in your IdP follows the same format as existing user emails in Mentimeter. This is especially important if you're onboarding users who have previously accessed Mentimeter or if you plan to use SCIM for syncing.
Setting Up SCIM (Optional)
If your organization uses SCIM, follow these configuration guides:
Best Practices for Campus-Wide Setups:
For campus-wide setups, it's common that all university members are included in an open AD group connected to Mentimeter. This means that anyone at the university technically has access.
To avoid unnecessary account creation for users who may never actively use Mentimeter, we recommend the following setup:
Disable SCIM “Create” in your IdP
Use SSO (Just-in-Time provisioning) to create user accounts only when someone actively logs in
Use SCIM only for updating, suspending and deleting users
This approach helps keep your workspace clean and ensures that only active users are added, maintaining accurate user counts and avoiding clutter from inactive accounts.
Attribute Mapping (SSO & SCIM)
Ensure the attributes used in your IdP are consistent and properly mapped:
Purpose | Attribute | Example (can vary by IdP) |
SSO Email | UserPrincipalName (UPN) | firstname.lastname@example.com (example only) |
SSO NameID | employeeID (or similar persistent ID) | 123456 |
SCIM userName | UserPrincipalName (UPN) | |
SCIM externalId | employeeID | 123456 |
The SSO Email (SAML) and SCIM userName must come from the same source and use the same format for proper account linking.
Onboarding New Users
New users are created through the following flow:
The user is assigned to the Mentimeter app in your IdP (by default in open AD groups)
The user logs in using SSO
Mentimeter checks the email in the SAML response
If the email format matches what’s expected, the user is created via SSO (Just-in-Time provisioning)
If SCIM is used:
SCIM syncs and links the account if the SCIM userName (email) matches the email from SSO
Sync complete
Migrating Existing Users
If you already have users who previously accessed Mentimeter, whether they are part of your current workspace or free users outside it, it’s important to align their email format before enabling SSO and SCIM, or before migrating them to your workspace under SSO.
Export a list of existing users from your Mentimeter workspace
Check that their email addresses match the format your IdP will send in the SAML response
For free users outside the workspace, ensure their Mentimeter email is updated before inviting them (users can update their own email address)
Coordinate with your Mentimeter contact to update email addresses in bulk if needed
Once email formats are aligned, users will be matched correctly when they log in via SSO for the first time
After that, SCIM can handle ongoing updates, suspensions and deletions
This step ensures a smooth transition and prevents duplicate accounts during the migration to SSO and SCIM.
Final step: Enforce Hard SSO
Once all existing users have been migrated and their email addresses have been updated to match your SSO setup, you can reach out to your Mentimeter Sales contact to enable Hard SSO.
This setting enforces SSO login for all users in the workspace.
Important: Only enable Hard SSO after confirming that all user emails are aligned - activating it too early may result in duplicate accounts.
Key Takeaways
The email address used in both SSO and SCIM must match the format of existing user accounts in Mentimeter
Alternatively, existing users should update their email addresses to match the format sent by your IdP
Use persistent values for NameID and externalId (e.g. employeeID)
Disable SCIM “Create” for large campus-wide rollouts to avoid unnecessary user accounts
Contact Mentimeter if you need assistance with migrating or bulk updating user emails
Enable Hard SSO as the final step