SAML and Azure Active Directory Single Sign On (SSO)
Note: some of the steps in this article can only be done by Tallyfy Support on our back-end. They are included here for full transparency.
In order to integrate Azure AD SAML/SSO with your Tallyfy organization, you will need to:
- Set up and configure an Azure AD app with SAML support.
- Use the Azure AD app's settings to configure SAML on Tallyfy (this step is done by Tallyfy's team).
- Enable SAML for your organization on Tallyfy, to start SSO login and user provisioning.
Set up your custom Azure AD SAML application for your Tallyfy organization
Preparing the new application
- Sign in using an account with Administrator privileges.
- Go to the Azure Active Directory service.
- Select Enterprise Applications under the Manage navigation menu item.
- Click + New application.
- Click Create your own application.
- Add a name for your app, and select the Integrate any other application you don't find in the gallery (Non-gallery) option.
We are separately in the process of being listed by default in the gallery.
You can add/assign users to this application:
Configure SAML settings
- On the sidebar, below Manage click Single sign-on then select SAML:
- On the Basic SAML Configuration section, click Edit:
- In the Basic SAML Configuration window, we will need to fill in the Reply URL (ACS URL) and Identifier (Entity ID) fields for your custom app.
These values are all provided by Tallyfy. We will need to get the default SAML values from our organization in Tallyfy:
- Select your Organization's profile from the Support page.
- Scroll to Org Settings tab:
- Click on Add Configuration Details: Ignore the empty fields for now and scroll down to the existing default values.
- Now, we will fill the SAML settings in our Azure AD app (the Basic SAML Configuration window), using those values:
Reply URL (Assertion Consumer Service URL): In this field, copy the value from SP ACS URL (Single Sign On URL). (number 1 in the screenshot above)
Identifier (Entity ID): copy the value from SP Entity ID (Audience URI). (number 2 in the screenshot above)
Add the necessary attributes names that Tallyfy needs
- On the User Attributes & Claims section, click Edit on each field to change the names of the attributes.
This part is important: each attribute must be entered exactly, respecting the empty fields and upper/lower case.
- First, we will update the user identifier. Click on the Unique User Identifier (Name ID) row:
- Then select Persistent for Name identifier format and user.mail for Source attribute, then click Save:
- Move to the next attribute/row, for example click on user.givenname to edit it:
- Change Name to FirstName.
- Namespace should be empty, so remove its default value.
- The Source attribute should be
- Do the same for the other attributes/rows, for example LastName. The resulting page after saving them should look like the screenshot below:
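The two settings this page insists on (the Persistent Name ID format and exact attribute names with the Namespace removed), together with the Reply URL and Entity ID values copied from Tallyfy, are what a decoded SAML response is checked against when SSO fails. The following Python snippet is an added troubleshooting example, not Tallyfy's or Microsoft's code; the SP URLs and the sample responses are constructed placeholders, and it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 responses and assertions
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Placeholder SP values; the real ones are the SP ACS URL and SP Entity ID shown in the Tallyfy org settings.
SP_ACS_URL = "https://sp.example.invalid/saml/acs"
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
REQUIRED_ATTRIBUTES = ("FirstName", "LastName")

def check_assertion(xml_text, acs_url=SP_ACS_URL, entity_id=SP_ENTITY_ID):
    """Return a list of mismatches between a decoded SAML response and the expected setup."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {acs_url!r}")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != Entity ID {entity_id!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not Persistent")
    # Attribute names are compared exactly: a leftover namespace prefix or a case change breaks the mapping.
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for required in REQUIRED_ATTRIBUTES:
        if required not in names:
            close = [n for n in names if n.lower().endswith(required.lower())]
            hint = f" (found {close[0]!r} instead)" if close else ""
            problems.append(f"missing attribute {required!r}{hint}")
    return problems

def _sample(name_format, first_attr):
    # Constructed, unsigned sample response; signature validation is a separate step not shown here.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{SP_ACS_URL}">
  <saml:Assertion><saml:Subject><saml:NameID Format="{name_format}">alice@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{first_attr}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# Namespace left at its Azure default and NameID format not switched to Persistent:
MISCONFIGURED = _sample("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/FirstName")
CORRECT = _sample(PERSISTENT, "FirstName")

if __name__ == "__main__":
    for problem in check_assertion(MISCONFIGURED):
        print(problem)
```

Paste the base64-decoded SAMLResponse captured from the browser into `check_assertion` to see which of the settings above was not applied.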
Configure SAML on Tallyfy
- Now that the application is ready, we will get the SAML data needed to configure SAML on Tallyfy.
On the 4 - Set up <your app name> section, get the setup information needed by Tallyfy:
- Copy the Login URL and Azure AD Identifier, and download the Certificate (Base64) from the 3 - SAML Signing Certificate section:
We will use the values from the above page as the SAML configs to integrate this app with our Tallyfy organization.
- Go back to our Tallyfy Support page where the SAML configs modal is still open (this is done by Tallyfy staff), then fill in the values as shown in the screenshot below:
- After successfully saving the configs, you will need to enable SAML in this organization.
- Click on the toggle button next to Add Configuration Details:
Congratulations, now Single Sign-on and User Provisioning using Azure AD should be working successfully for your organization members!
How to provision new members to Tallyfy using SSO
Go back to the Tallyfy Support page, open the SAML configs modal, copy the Tallyfy login URL and share it with your users who have access to the Azure AD SAML app. Note: Tallyfy Staff will provide this to you (the client).
Existing members and never-seen-before users can both use this link to access Tallyfy. Existing users will simply log in, while new users will be added to your Tallyfy organization.