You can choose to enforce SAML SSO for Ally.io with ADFS for added security. Once set up, users in your organization can use their managed ADFS account credentials to sign in to Ally.io via Single Sign-On (SSO).

In this Article:

  • Connect SSO to Ally.io

  • Create an Ally.io App

  • Sending User attributes

  • Download Federation Metadata:

Connect SSO to Ally.io

To connect your SSO to your instance of Ally.io, please follow the instructions listed here: Steps to setup SSO

Create an Ally.io App

After you have enabled SSO within Ally.io, the next step is to create an Ally.io App within your SSO:

  1. Open ADFS Management tool

  2. Expand Trust Relationships > Select Relying Party Trusts

  3. Right-click to Add Relying Party Trust

  4. On the Welcome page, click Start

  5. In the Select Data Source page, choose Enter data about the relying party manually

  6. Give a display name such as Ally.io App

  7. In the Choose Profile page, choose ADFS Profile, which mentions SAML 2.0

  8. In the Configure Certificate page, browse and select the certificate to be used for Assertion Encryption. Skip this if Assertion Encryption is disabled

  9. In the Configure URL page, select the checkbox pertaining to Enable Support for the SAML 2.0 Web SSO protocol

  10. Add the SAML consumer URL (typically of the form https://app.ally.io/saml/consume/<uuid>) and click Next

  11. In the Configure Identifiers page, add the SAML consume URL and click Add, and proceed to the next page

  12. In the Configure MFA now? page, choose ‘I do not want to…’ and proceed

  13. In the Choose Issuance Authorization Rules page, choose ‘Permit all users…’ and proceed

  14. Review and complete the wizard to add the new Relying Party

Sending User attributes

The SAML user attributes can be set via Claim Rules in ADFS as shown below:

1. Email, First Name and Last Name: Add a Claim Rule of type ‘Send LDAP Attributes as Claims’ with the following as the attribute mapping:

2. Name ID: Add a Claim Rule of type ‘Transform an Incoming Claim’ with the following as the settings. This assumes that the Email address is the Name ID.
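The wizard steps above and the two claim rules, as an added PowerShell example using the ADFS module's Add-AdfsRelyingPartyTrust (this is not from the Ally.io article or product). It assumes the standard ADFS claim URIs for email, given name and surname, since the article's attribute mapping table is not reproduced here, and leaves <uuid> as a placeholder for your own consume URL.

```powershell
# Added example, not part of the Ally.io article. Run in an elevated PowerShell
# session on the ADFS server. Assumptions: <uuid> is a placeholder to replace with
# the consume URL shown on your Ally.io SSO page; the email/givenname/surname
# claim URIs are the standard ADFS ones (the article's mapping table is not shown).
Import-Module ADFS

$consumeUrl = 'https://app.ally.io/saml/consume/<uuid>'   # placeholder, copy from Ally.io

# Steps 9-11: SAML 2.0 Web SSO assertion consumer endpoint; the consume URL is
# also used as the relying party identifier, as the wizard steps describe.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $consumeUrl

# Claim rule 1: send LDAP attributes mail, givenName and sn as claims
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email, First Name and Last Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Claim rule 2: transform the email claim into the Name ID (email address format)
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 13: the "Permit all users" issuance authorization rule
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 1-14 in one call (no -EncryptionCertificate, i.e. assertion encryption disabled)
Add-AdfsRelyingPartyTrust -Name 'Ally.io App' `
    -Identifier $consumeUrl `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll

# Check: the trust exists and its rules issue the email claim Ally.io expects
$trust = Get-AdfsRelyingPartyTrust -Name 'Ally.io App'
if ($trust.IssuanceTransformRules -notmatch 'claims/emailaddress') {
    Write-Warning 'No email claim rule found; Ally.io will reject the SAML response'
}
```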

Download Federation Metadata:

You can get the federationmetadata.xml file from this link: https://adfshelp.microsoft.com/MetadataExplorer/GetFederationMetadata. Alternatively, find your ADFS Federation Metadata URL on the ADFS server in ADFS Management under ADFS > Service > Endpoints, in the Metadata section.

It should look like this: https://sts.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml. If you can’t open the metadata URL in Internet Explorer, try another browser.

Update the following fields in the Ally.io SSO Integration by copying them from federationmetadata.xml:

  • SAML 2.0 Endpoint URL: Location

  • Identity Provider Issuer URL: entityID

  • Public (X.509) Certificate: Copy the first X509Certificate value

FAQs:

Q. What should I do when I see the error message ‘We’re sorry, but something went wrong’?

A. We expect a property called “email” in the SAML response; please ensure that it is mapped when setting up your configuration in ADFS.
