SSO, SCIM & Member Lite - Configuration and user migration guide

Updated today

This guide complements our existing SSO and SCIM help articles and is intended for businesses implementing one of the following configurations:

  • SSO only

  • SSO with SCIM provisioning

  • SSO with SCIM provisioning and Member Lite

It outlines the key configuration checks and attribute dependencies required to ensure a smooth rollout and correct user matching, and to avoid common issues such as duplicate accounts.

Start by following the relevant setup guide for your chosen configuration.

Once the basic integration is in place, return to this guide to verify that the setup is complete, consistent and aligned with our best practices.


Configuration Type 1: SSO

If you're setting up SSO without SCIM, Mentimeter uses the email address in the SAML response to identify users when they log in for the first time. After that, NameID is used as the unique identifier.

Key requirements:

  • Email in the SAML response must match the user's existing Mentimeter account (if any).

  • NameID must be a persistent value (e.g. employeeID) that will never change.

  • Mismatched or ID-like emails can result in duplicate accounts if they don't match existing Menti users.

Best practice:

  • Confirm that the email in the SAML assertion follows your company’s standard format (e.g. firstname.lastname@company.com).

  • Ensure the NameID is stable and unchanging across the employee lifecycle.

  • Enforce Hard SSO only after verifying that all users have been correctly matched to their existing accounts.


Configuration Type 2: SSO with SCIM

When both SSO and SCIM are enabled, it's essential that attributes used for user identification are properly aligned across both systems to avoid duplicate accounts or sync failures.

Key requirements:

  • The userName in SCIM must match the Email sent in the SAML response from SSO. This ensures the same account is referenced across both systems and avoids duplicates.

  • The NameID (SSO) and externalId (SCIM) should both be persistent values (e.g. employee ID) that never change.

How the first sync works:

Whether the user is created via SSO or SCIM first, the system will work as long as email and ID attributes are properly configured. Here's how the logic works:

1. User is created via SSO before the first SCIM provisioning

  • If a user logs in via SSO before being provisioned by SCIM:
    → Mentimeter checks whether an account with the same email already exists.
    → If it does, that account is used and NameID is saved in Mentimeter’s database.
    → If not, a new account is created via SSO (Just-in-Time provisioning) and the NameID is saved for future reference.

  • Later, when SCIM syncs:
    → If the userName (email) in SCIM matches the SSO-created Email, the account will be linked and externalId assigned.
    → If it doesn’t match, a duplicate account is created.

2. User is created via SCIM before the first SSO authentication

  • If SCIM provisions the user first:
    → Mentimeter creates the account using the userName (email).

  • When the user logs in via SSO:
    → If the SSO Email in the SAML response matches the SCIM userName, the account is linked and the NameID is stored.
    → If not, a duplicate account is created.

Best practice:

  • Ensure attribute mapping is consistent across both SSO and SCIM, especially that the SSO email (in the SAML response) matches the SCIM userName.

  • Use a persistent NameID and externalId (e.g. employee ID) that will not change over time.

  • Before migrating users, verify that their existing Mentimeter email addresses match what will be sent via SSO and SCIM.

  • With correct configuration, it does not matter whether the user is created via SSO or SCIM - both paths will lead to the same account being linked.

  • Enforce Hard SSO only after confirming that setup is complete and user accounts are correctly matched.
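
The first-sync logic above can be traced with a small model. This is an added example, not Mentimeter's code: the Workspace class, its methods and the sample values are hypothetical, and it only mirrors the matching rules described in this guide.

```python
# Toy model of the first-sync matching this guide describes (names hypothetical).

class Workspace:
    def __init__(self, existing_emails=()):
        self.accounts = [self._new(e) for e in existing_emails]

    @staticmethod
    def _new(email):
        return {"email": email, "name_id": None, "external_id": None}

    def _find(self, key, value):
        return next((a for a in self.accounts if a[key] == value), None)

    def sso_login(self, saml_email, name_id):
        # After the first login, NameID is the unique identifier.
        acct = self._find("name_id", name_id)
        if acct is None:
            # First login: match on the email in the SAML response.
            acct = self._find("email", saml_email)
            if acct is None:  # Just-in-Time provisioning
                acct = self._new(saml_email)
                self.accounts.append(acct)
            acct["name_id"] = name_id
        return acct

    def scim_provision(self, user_name, external_id):
        acct = self._find("email", user_name)
        if acct is None:  # no email match: a separate account is created
            acct = self._new(user_name)
            self.accounts.append(acct)
        acct["external_id"] = external_id
        return acct


def account_count(order, saml_email, scim_user_name, existing=()):
    """Run the two steps in the given order; return how many accounts result."""
    ws = Workspace(existing)
    for step in order:
        if step == "sso":
            ws.sso_login(saml_email, name_id="E1001")
        else:
            ws.scim_provision(scim_user_name, external_id="E1001")
    return len(ws.accounts)


if __name__ == "__main__":
    ok = "ada.lovelace@example.com"  # constructed sample values
    for order in (("sso", "scim"), ("scim", "sso")):
        print(order, account_count(order, ok, ok), account_count(order, ok, "E1001@example.com"))
```

With aligned attributes either order yields one account; an ID-like SCIM userName yields two.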


Configuration Type 3: SSO with SCIM and Member Lite

The SSO and SCIM configuration for this setup follows the same attribute requirements as outlined in Configuration Type 2. Ensure the following:

  • The userName in SCIM must match the email sent via SSO (SAML).

  • The NameID (SSO) and externalId (SCIM) must be persistent and unchanging.

Manage role assignment via SCIM

Mentimeter uses the standard SCIM attribute userType to assign roles when SCIM provisioning is enabled alongside the Member Lite feature.

For full details on supported values and schema, refer to our API documentation.

Important setup notes:

  • The userType attribute is case-sensitive and must be set to one of the following:

    • admin

    • user

    • member_lite

  • In your Identity Provider (IdP), you should:

    • In your AD, create three distinct groups within your existing Mentimeter application, one for each role: admin, member and member_lite.

    • Map each AD group to the corresponding userType value in your SCIM configuration.

This ensures that users are automatically assigned the correct Mentimeter role based on their group membership during SCIM provisioning.

IdP-specific setup guides for userType configuration:


Once the technical configuration is complete

Migrating existing users

If your organisation already has users who have accessed Mentimeter, either as part of your workspace or as free users, it's important to align their email addresses with your SSO and SCIM configuration before enabling SSO or inviting them to the workspace.

Users already in your workspace:

  • Export a list of users from your Mentimeter workspace

  • Check that their email addresses match what will be sent via SAML (SSO) and SCIM

  • If not, consult with your Mentimeter contact to update incorrect emails

Free users outside your workspace:

  • Ask them to update their Mentimeter email to match the format used in your SSO setup

  • Once updated, you can safely invite them to the workspace
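
One way to run the email and attribute checks above before rollout, as an added example that is not part of Mentimeter's tooling. The field names of both exports and all sample records are assumptions; the userType values are the ones listed in this guide.

```python
# Added example: pre-migration audit. Export field names are assumptions.
VALID_USER_TYPES = {"admin", "user", "member_lite"}  # case-sensitive, per this guide

# Constructed sample data (not real users).
IDP_USERS = [
    {"saml_email": "ada.lovelace@example.com", "scim_userName": "ada.lovelace@example.com",
     "name_id": "E1001", "external_id": "E1001", "userType": "admin"},
    {"saml_email": "grace.hopper@example.com", "scim_userName": "E1002@example.com",
     "name_id": "E1002", "external_id": "E1002", "userType": "user"},
    {"saml_email": "alan.turing@example.com", "scim_userName": "alan.turing@example.com",
     "name_id": "alan.turing@example.com", "external_id": "E1003", "userType": "Member_Lite"},
]
WORKSPACE_EXPORT = ["ada.lovelace@example.com", "grace.hopper@example.com",
                    "a.turing@example.com"]


def audit(idp_users, workspace_emails, member_lite=False):
    """Return (findings per SAML email, workspace emails no IdP user will match)."""
    existing = set(workspace_emails)
    report = {}
    for u in idp_users:
        findings = []
        # Exact string comparison: the guide does not say matching ignores case.
        if u["scim_userName"] != u["saml_email"]:
            findings.append("SCIM userName differs from SAML email")
        # Heuristic: an email-shaped identifier changes when the address changes.
        if "@" in u["name_id"] or "@" in u["external_id"]:
            findings.append("NameID/externalId looks like an email, not a persistent ID")
        if u["saml_email"] not in existing:
            findings.append("no existing account with this email")
        if member_lite and u.get("userType") not in VALID_USER_TYPES:
            findings.append("userType is not admin, user or member_lite")
        if findings:
            report[u["saml_email"]] = findings
    unmatched = sorted(existing - {u["saml_email"] for u in idp_users})
    return report, unmatched


if __name__ == "__main__":
    report, unmatched = audit(IDP_USERS, WORKSPACE_EXPORT, member_lite=True)
    for email, findings in report.items():
        print(email, "->", "; ".join(findings))
    print("workspace accounts to fix before rollout:", unmatched)
```

Workspace emails returned as unmatched are the accounts whose addresses need updating before SSO is enabled.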


Enforce Hard SSO - Final step for all configurations

Once your configuration is verified and all users have been matched or synced correctly:

  • Reach out to your Mentimeter contact to enable Hard SSO.

  • This setting enforces SSO login for all users in the workspace.

Important: Only enable Hard SSO after confirming that all user emails and identifiers are aligned. Enabling it too early can result in locked-out users or the creation of duplicate accounts.
