This guide is for universities and institutions with campus-wide workspaces preparing to implement Single Sign-On (SSO) and optionally SCIM (System for Cross-domain Identity Management) with Mentimeter.
It should be used alongside Mentimeter’s general setup guides to ensure your configuration is adapted to campus-wide needs, helping you onboard users correctly and avoid common issues such as duplicate accounts.
Already live with SSO and SCIM and seeing duplicate accounts or email format mismatches? Skip to the Migrating Existing Users and Duplicate Account Cleanup sections below.
It outlines:
How to set up SSO and SCIM correctly
How to onboard new users
How to migrate existing users
Why matching email formats is essential to avoid duplicate accounts
General Setup Resources
Before you begin, make sure your IT team has access to these general setup articles:
Setting Up SSO
To enable SSO in Mentimeter:
Follow our SSO setup guide
Make sure the email address (in the SAML response) uses the same format as your users' existing Mentimeter accounts (e.g. firstname.lastname@example.com)
Use a persistent NameID (e.g. employeeID or another unchanging unique identifier)
Important: Mentimeter matches users based on the email address the first time they log in via SSO. If the email shared in the SAML response uses a different format than what’s already used in your Mentimeter workspace, it may result in duplicate accounts being created.
To prevent this, make sure the email attribute configured in your IdP follows the same format as existing user emails in Mentimeter. This is especially important if you're onboarding users who have previously accessed Mentimeter or if you plan to use SCIM for syncing.
Setting Up SCIM (Optional)
If your organization uses SCIM, follow these configuration guides:
Note: Before setting up SCIM, your organisation must have at least one verified domain in your Mentimeter workspace. Domain verification is required for SCIM to provision users correctly. Learn how to verify your domains here.
Best Practices for Campus-Wide Setups:
For campus-wide setups, it's common that all university members are included in an open AD group connected to Mentimeter. This means that anyone at the university technically has access.
To avoid unnecessary account creation for users who may never actively use Mentimeter, we recommend the following setup:
Disable SCIM “Create” in your IdP
Use SSO (Just-in-Time provisioning) to create user accounts only when someone actively logs in
Use SCIM only for updating, suspending and deleting users
This approach helps keep your workspace clean and ensures that only active users are added, maintaining accurate user counts and avoiding clutter from inactive accounts.
Attribute Mapping (SSO & SCIM)
Ensure the attributes used in your IdP are consistent and properly mapped:
Purpose | Attribute | Example (can vary by IdP) |
SSO Email | UserPrincipalName (UPN) | firstname.lastname@example.com (example only) |
SSO NameID | employeeID (or similar persistent ID) | 123456 |
SCIM userName | UserPrincipalName (UPN) | |
SCIM externalId | employeeID | 123456 |
The SSO Email (SAML) and SCIM userName must come from the same source and use the same format for proper account linking.
Onboarding New Users
New users are created through the following flow:
The user is assigned to the Mentimeter app in your IdP (by default in open AD groups)
The user logs in using SSO
Mentimeter checks the email in the SAML response
If the email format matches what’s expected, the user is created via SSO (Just-in-Time provisioning)
If SCIM is used:
SCIM syncs and links the account if the SCIM userName (email) matches the email from SSO
Sync complete!
Migrating Existing Users
If you already have users who previously accessed Mentimeter, whether they are part of your current workspace or free users outside it, it's important to align their email format before enabling SSO and SCIM, or before migrating them to your workspace under SSO.
This is also something that can be fixed after SSO and SCIM are already live. If you're past the setup stage and your users have mismatched email formats, follow the steps below.
Export a list of existing users from your Mentimeter workspace
Check that their email addresses match the format your IdP will send in the SAML response
For free users outside the workspace, ensure their Mentimeter email is updated before inviting them (users can update their own email address)
If you need email addresses updated in bulk, contact your Mentimeter contact and provide a table with two columns: the user's current email in Mentimeter and the correct email it should be updated to. Let your Mentimeter contact know whether you want accounts outside the workspace updated as well.
Once email formats are aligned, users will be matched correctly when they log in via SSO for the first time
After that, SCIM can handle ongoing updates, suspensions and deletions
Duplicate Account Cleanup
If SSO was enabled before existing user emails were aligned, some users may have ended up with two Mentimeter accounts: their original account and a new one created when they first logged in via SSO.
This is a common outcome and can be resolved. To do so, contact your Mentimeter contact and provide a list of affected users with the following information:
Old account email (to retire) | Active account email (to keep) |
For each pair, Mentimeter will update the old account's email to mark it as retired and clear its SSO settings so it no longer interferes with the active account.
Make sure the customer has confirmed this list is complete and accurate before submitting it, as changes to account emails cannot easily be undone.
Final step: Enforce Hard SSO
Once all existing users have been migrated and their email addresses have been updated to match your SSO setup, you can reach out to your Mentimeter Sales contact to enable Hard SSO.
This setting enforces SSO login for all users in the workspace.
Important: Only enable Hard SSO after confirming that all user emails are aligned and any duplicate account cleanup has been completed with your Mentimeter contact. Activating it too early may result in users being locked out or additional duplicate accounts being created.
Key Takeaways
The email address used in both SSO and SCIM must match the format of existing user accounts in Mentimeter. If they don't match, this can be corrected after the fact by coordinating a bulk email update with your Mentimeter contact.
Use persistent values for NameID and externalId (e.g. employeeID)
Disable SCIM “Create” for large campus-wide rollouts to avoid unnecessary user accounts
Contact Mentimeter if you need assistance with migrating or bulk updating user emails
Enable Hard SSO as the final step (your Mentimeter contact will be able to enable this for you)