Ally.io offers a variety of login methods to meet your security needs. Currently we support all generally available SAML identity providers, including Google, ADFS, Okta, OneLogin, Azure AD, etc. The process is simple, and setup can be completed in a few short steps.

In this Article:

  • What is SAML?

  • Steps to set up SSO

  • SAML Enforcement

  • How SAML SSO connects to New Users

  • How SAML SSO connects to Existing Users

  • Managing Users with SSO

  • Other SAML Type?

What is SAML?

Definition: SAML stands for Security Assertion Markup Language and is used by businesses to pass authentication information between identity providers and service providers.

Definition: SSO stands for Single Sign-on and is used by companies to facilitate account management by using one set of credentials for multiple applications.

Steps to set up SSO

  1. Log in to Ally.io using an Admin account

  2. Using the navigation bar on the left of the screen select “Admin” followed by “Integrations”

  3. Scroll to the “Authentication” section and select “Single Sign-On” and click “Enable”

After you have selected “Enable,” a new screen will appear with the information you need to create an Ally.io App in your Single Sign-on system. 

For more detailed information on creating an Ally.io App, check out our articles on the following SSO Applications:

  1. Google

  2. ADFS

  3. Okta

  4. OneLogin

  5. Azure Active Directory

  6. JumpCloud

SAML Enforcement

For added security, SAML login can be enforced, meaning that users will have to log in via your chosen SSO. You can enable this by selecting “Force your team to log in via your SSO provider” while configuring. If enforcement is enabled, all users (new and existing) have to log in via SAML SSO.

How SAML SSO connects to New Users

If an existing user does not have an account with your identity provider, they will not be able to access their existing Ally.io account, and a new account will be created when they log in via SAML (the existing Ally.io user and OKRs will stay in the system).

When the email returned in the response does not match any existing users in Ally.io, we will provision new user accounts in your Ally.io Organization. You would then transfer ownership of their OKRs from the old non-SAML SSO user to the new SAML SSO provisioned user.

How SAML SSO connects to Existing Users

When the connection is configured, the SAML responses sent from your server will have the email address of the user logging in. If it matches an existing user in your organization, they will be automatically logged into their existing account with their existing OKRs.
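Before enabling enforcement, you can check offline how the email matching described above will treat your users. The script below is an added example, not Ally.io code: it compares a list of Ally.io user emails with a list from your identity provider. The CSV layout, the `email` column name and the sample addresses are constructed, and because this article does not state whether addresses are compared case-sensitively, case-only differences are reported separately for a manual test login.

```python
import csv
import io

# Constructed sample exports; the "email" column name is an assumption.
ALLY_EXPORT = "email\nalice@example.com\nBob@example.com\ncarol@example.com\n"
IDP_EXPORT = "email\nalice@example.com\nbob@example.com\ndave@example.com\n"


def load_emails(csv_text, column="email"):
    """Return the set of non-empty, whitespace-trimmed addresses in one CSV column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row.get(column) or "").strip() for row in reader} - {""}


def audit(ally_emails, idp_emails):
    """Classify accounts by how an email-based SAML match would treat them."""
    idp_by_lower = {e.lower(): e for e in idp_emails}
    ally_lower = {e.lower() for e in ally_emails}
    report = {"matched": [], "case_mismatch": [], "ally_only": [], "idp_only": []}
    for email in sorted(ally_emails):
        idp_email = idp_by_lower.get(email.lower())
        if idp_email is None:
            # No IdP account: this user cannot log in once SSO is enforced.
            report["ally_only"].append(email)
        elif idp_email == email:
            # Exact match: SAML login lands in the existing account and OKRs.
            report["matched"].append(email)
        else:
            # Differs only by case: confirm with a test login before enforcing.
            report["case_mismatch"].append((email, idp_email))
    # IdP addresses unknown to Ally.io: first SAML login provisions a new user.
    report["idp_only"] = sorted(e for e in idp_emails if e.lower() not in ally_lower)
    return report


def safe_to_enforce(report):
    """True only when every existing Ally.io user has an exact IdP match."""
    return not report["ally_only"] and not report["case_mismatch"]


if __name__ == "__main__":
    result = audit(load_emails(ALLY_EXPORT), load_emails(IDP_EXPORT))
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
    print("safe to enforce SSO:", safe_to_enforce(result))
```

Users listed under `ally_only` or `case_mismatch` are the ones to resolve in your identity provider, or to plan an OKR ownership transfer for, before turning enforcement on.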

Managing Users with SSO

When SSO is enabled for your organization, profile updates should be done in your identity provider. They will then flow into your Ally.io account. 

If you disable a user in your identity provider, they will be unable to log into Ally.io with that account. If you need to remove them from the system completely, they need to be deleted in the Admin tools. This can be achieved by choosing Admin > Users > Actions > Delete.

Other SAML Type?

If you don't see your identity provider, you can still set up SAML single sign-on with the above steps.

FAQs:

Q. I’ve set up my SSO (single sign-on) configuration, but am unable to log in now. How do I fix this?
A. To unblock your access to Ally, please reach out to [email protected]. Do not enable the Force SSO option until you have tested the SAML SSO login for at least 2-3 users in your organization. Once tested, you can enforce SSO for all users in the organization.

Q. I have enabled SAML SSO for all users in my organization; however, any new users who try to log in get redirected to sign up for a new trial instance.
A. Please check if the domain is added in the Signup Mode section under the Admin > Settings dashboard.
- If not, you can disable the Force SAML SSO option from the SSO configuration, and then add a new domain as seen in the screenshot below.
- Once the domain is added, the Force SSO option can be enabled again.

Q. What to do when there is an error message: ‘Sorry, we could not sign you in’?
A. To identify the issue, please check in the Ally SSO configuration whether the X509 certificate is valid. The certificate must be copied and pasted exactly as it is, along with the Identity Provider Issuer URL.
