Skip to main content
All CollectionsTeams and EnterprisesFor Admins
How to Set Up SSO & SCIM for Universities and Campus-Wide Workspaces
How to Set Up SSO & SCIM for Universities and Campus-Wide Workspaces

Learn how to correctly set up SSO and SCIM for your campus-wide workspace.

Updated this week

This guide is for universities and institutions with campus-wide workspaces preparing to implement Single Sign-On (SSO) and optionally SCIM (System for Cross-domain Identity Management) with Mentimeter.

It should be used alongside Mentimeter’s general setup guides to ensure your configuration is adapted to campus-wide needs, helping you onboard users correctly and avoid common issues such as duplicate accounts.

It outlines:

  • How to set up SSO and SCIM correctly

  • How to onboard new users

  • How to migrate existing users

  • Why matching email formats is essential to avoid duplicate accounts

General Setup Resources

Before you begin, make sure your IT team has access to these general setup articles:

Setting Up SSO

To enable SSO in Mentimeter:

  1. Follow our SSO setup guide

  2. Make sure the email address (in the SAML response) uses the same format as your users' existing Mentimeter accounts (e.g. firstname.lastname@example.com)

  3. Use a persistent NameID (e.g. employeeID or another unchanging unique identifier)

Important: Mentimeter matches users based on the email address the first time they log in via SSO. If the email shared in the SAML response uses a different format than what’s already used in your Mentimeter workspace, it may result in duplicate accounts being created.

To prevent this, make sure the email attribute configured in your IdP follows the same format as existing user emails in Mentimeter. This is especially important if you're onboarding users who have previously accessed Mentimeter or if you plan to use SCIM for syncing.

Setting Up SCIM (Optional)

If your organization uses SCIM, follow these configuration guides:

Best Practices for Campus-Wide Setups:

For campus-wide setups, it's common that all university members are included in an open AD group connected to Mentimeter. This means that anyone at the university technically has access.

To avoid unnecessary account creation for users who may never actively use Mentimeter, we recommend the following setup:

  • Disable SCIM “Create” in your IdP

  • Use SSO (Just-in-Time provisioning) to create user accounts only when someone actively logs in

  • Use SCIM only for updating, suspending and deleting users

This approach helps keep your workspace clean and ensures that only active users are added, maintaining accurate user counts and avoiding clutter from inactive accounts.

Attribute Mapping (SSO & SCIM)

Ensure the attributes used in your IdP are consistent and properly mapped:

Purpose

Attribute

Example (can vary by IdP)

SSO Email

UserPrincipalName (UPN)

firstname.lastname@example.com (example only)

SSO NameID

employeeID (or similar persistent ID)

123456

SCIM userName

UserPrincipalName (UPN)

firstname.lastname@example.com

SCIM externalId

employeeID

123456

The SSO Email (SAML) and SCIM userName must come from the same source and use the same format for proper account linking.

Onboarding New Users

New users are created through the following flow:

  1. The user is assigned to the Mentimeter app in your IdP (by default in open AD groups)

  2. The user logs in using SSO

  3. Mentimeter checks the email in the SAML response

  4. If the email format matches what’s expected, the user is created via SSO (Just-in-Time provisioning)

If SCIM is used:

  1. SCIM syncs and links the account if the SCIM userName (email) matches the email from SSO

Sync complete

Migrating Existing Users

If you already have users who previously accessed Mentimeter, whether they are part of your current workspace or free users outside it, it’s important to align their email format before enabling SSO and SCIM, or before migrating them to your workspace under SSO.

  1. Export a list of existing users from your Mentimeter workspace

  2. Check that their email addresses match the format your IdP will send in the SAML response

  3. For free users outside the workspace, ensure their Mentimeter email is updated before inviting them (users can update their own email address)

  4. Coordinate with your Mentimeter contact to update email addresses in bulk if needed

  5. Once email formats are aligned, users will be matched correctly when they log in via SSO for the first time

  6. After that, SCIM can handle ongoing updates, suspensions and deletions

This step ensures a smooth transition and prevents duplicate accounts during the migration to SSO and SCIM.

Final step: Enforce Hard SSO

Once all existing users have been migrated and their email addresses have been updated to match your SSO setup, you can reach out to your Mentimeter Sales contact to enable Hard SSO.

This setting enforces SSO login for all users in the workspace.

Important: Only enable Hard SSO after confirming that all user emails are aligned - activating it too early may result in duplicate accounts.

Key Takeaways

  • The email address used in both SSO and SCIM must match the format of existing user accounts in Mentimeter

    • Alternatively, existing users should update their email addresses to match the format sent by your IdP

  • Use persistent values for NameID and externalId (e.g. employeeID)

  • Disable SCIM “Create” for large campus-wide rollouts to avoid unnecessary user accounts

  • Contact Mentimeter if you need assistance with migrating or bulk updating user emails

  • Enable Hard SSO as the final step

Related Articles
How to set up Single Sign-On (SSO) (Enterprise plans only)
Single Sign-On (SSO) for Admins (Enterprise plans only)
SSO Configuration in OKTA (Enterprise plans only)
SCIM Configuration in Entra ID
SCIM Configuration with OKTA
Did this answer your question?