You can choose to enforce SAML SSO for Ally with ADFS for added security. Once set up, users in your organization can use their managed ADFS account credentials to sign in to Ally via Single Sign-On (SSO). 

To connect your SSO to your instance of Ally, please follow the instructions listed here: Steps to set up SSO

After you have enabled SSO within Ally, the next step is to create an Ally App within your SSO:

  1. Open ADFS Management tool
  2. Expand Trust Relationships > Select Relying Party Trusts
  3. Right-click to Add Relying Party Trust
  4. On the Welcome page, click Start
  5. In the Select Data Source page, choose Enter data about the relying party manually
  6. Give a display name such as Ally App
  7. In the Choose Profile page, choose the AD FS profile (the one that mentions SAML 2.0)
  8. In the Configure Certificate page, browse and select the certificate to be used for Assertion Encryption. Skip this if Assertion Encryption is disabled
  9. In the Configure URL page, select the checkbox pertaining to Enable Support for the SAML 2.0 Web SSO protocol
  10. Add the SAML consumer URL (typically of the form https://app.ally.io/saml/consume/<uuid>) and click Next
  11. In the Configure Identifiers page, add the same SAML consumer URL, click Add, and proceed to the next page
  12. In the Configure MFA now? page, choose ‘I do not want to…’ and proceed
  13. In the Choose Issuance Authorization Rules page, choose ‘Permit all users…’ and proceed
  14. Review and complete the wizard to add the new Relying Party

Sending user attributes

The SAML user attributes can be set via Claim Rules in ADFS as shown below:

1. Email, First Name and Last Name: Add a Claim Rule of type ‘Send LDAP Attributes as Claims’ with the following as the attribute mapping:

2. Name ID: Add a Claim Rule of type ‘Transform an Incoming Claim’ with the following as the settings. This assumes that the Email address is the Name ID.

Download Federation Metadata:

You can get the federationmetadata.xml file from this link: https://adfshelp.microsoft.com/MetadataExplorer/GetFederationMetadata. Alternatively, you can find your ADFS Federation Metadata file URL on the ADFS server itself through ADFS Management, under ADFS > Service > Endpoints, in the Metadata section.

It should look like this: https://sts.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml. If you can’t open the metadata URL in Internet Explorer, try another browser.

Update the following fields in the Ally SSO Integration by copying them from federationmetadata.xml:

  • SAML 2.0 Endpoint URL: Location
  • Identity Provider Issuer URL: entityID
  • Public (X.509) Certificate: Copy the first X509Certificate value
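The three values above all live in FederationMetadata.xml. As an added example (not Ally’s or Microsoft’s code), the script below pulls them out of a constructed, trimmed metadata document in the shape ADFS publishes; it selects the HTTP-POST SingleSignOnService endpoint explicitly and the KeyDescriptor marked use="signing" rather than relying on element order, because Ally needs the token-signing certificate to verify assertions, not the encryption certificate. The host sts.yourdomain.com and the certificate placeholders are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, heavily trimmed metadata in the shape ADFS publishes at
# https://sts.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.yourdomain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>ENCRYPTION-CERT-BASE64</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>SIGNING-CERT-BASE64</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sts.yourdomain.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sts.yourdomain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_sso_settings(metadata_xml: str) -> dict:
    """Return entityID, the HTTP-POST SSO endpoint and the token-signing certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # Several elements carry a Location attribute; take the POST SSO endpoint explicitly.
    location = next(
        s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
        if s.get("Binding") == POST
    )
    # Ally verifies assertion signatures, so it needs the signing certificate.
    # A KeyDescriptor without a use attribute is valid for both uses, so keep it too.
    signing = [
        k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"
    ]
    cert = signing[0].find(".//ds:X509Certificate", NS).text.strip()
    return {"entity_id": root.get("entityID"), "sso_url": location, "certificate": cert}
```

Paste the returned values into the SAML 2.0 Endpoint URL, Identity Provider Issuer URL and Public (X.509) Certificate fields respectively.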