This document contains the most frequently asked questions related to SAML SSO and is organized into the following sections: SAML SSO, Azure, Okta, Google and ADFS.

SAML SSO

Q. I’ve set up my SSO (single sign-on) configuration, but am unable to log in now. How do I fix this?
A. To unblock your access to Ally, please reach out to [email protected]. Do not enable the Force SSO option until you have tested the SAML SSO login for at least 2-3 users in your organization. Once tested, you can enforce SSO for all users in the organization.

Q. I have enabled SAML SSO for all users in my organization; however, new users who try to log in get redirected to sign up for a new trial instance.
A. Please check whether the domain has been added in the Signup Mode section under the Admin > Settings dashboard.
- If it has not, disable the Force SAML SSO option in the SSO configuration, then add the new domain as shown in the screenshot below.
- Once the domain is added, the Force SSO option can be enabled again.

[Screenshot: adding a domain under Admin > Settings > Signup Mode]

Q. What to do when there is an error message: ‘Sorry, we could not sign you in’?


A. To identify the issue, check the SSO configuration in Ally and verify that the X509 certificate is valid. The certificate must be copied and pasted exactly as provided by the identity provider, together with the Identity Provider Issuer URL.

AZURE

Q. As soon as the user tries to log in, they are returned to the main screen and see the error ‘Sorry, we could not sign you in’

A. This will happen when Azure AD has denied access to the user. Please check with the sysadmin to resolve this issue from the Azure AD end.

Q. What to do when there is an error message: ‘Could not authenticate you from AzureOAuth2 because “Access Denied”’?


A. Please check whether the user has been invited to the organization. In an organization where SAML is not enforced, accepting the invite is mandatory (it is where the user sets a password). Once the user accepts the invite from the email, they will be able to access the account without any issues.


Q. What to do when there is an error message: ‘The change you wanted was rejected. Maybe you tried to change something you didn’t have access to.’?


A. Check that both the first-name and last-name claims are provided for the user in Azure AD. A username is mandatory when creating users via SAML; if it is not present, SAML login fails. Please refer to step 7 of the Azure setup tutorial: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ally-tutorial
This can be corrected in the claims and user profiles in Azure AD.

Q. What to do when there is an error message: ‘AADSTS650056: Misconfigured Application’?

A. Check whether the Identifier URL is missing or incorrectly set up in the Azure AD configuration. Ensure that the Issuer attribute in the SAML request matches the Identifier value configured in Azure AD. Note that the Identifier URL contains the UUID as well.

Q. The email ID and the UPN (User Principal Name) are different for each user in Azure AD for my organization. How do I set this up correctly?

A. The Ally.io application expects the following attributes to be passed back in the SAML response. They are pre-populated in the Azure AD setup, but you can review them as per your requirements.

Name        Source Attribute
email       user.userprincipalname
firstName   user.givenname
lastName    user.surname

Instead of mapping the email to the attribute user.userprincipalname, you can map email to the attribute user.mail.


You can follow the steps below to add new claims or edit existing ones:

- In the Azure portal, navigate to Ally.io app > Set up SSO > SAML

- Edit the Attributes & Claims section

- Add a new Claim by entering the name, namespace URL, the source (as ‘Attribute’) and selecting the Source Attribute from the drop-down.
- Save the new Claim and utilize it to map the correct values in your setup as required.

[Screenshot: Azure AD Attributes & Claims editor]

Q. How can I synchronize the manager information from my Azure AD to Ally?

A. As of now, it is not possible to send the manager info from Azure AD to Ally since the claims for the manager attributes are not yet supported by Azure.

OKTA

Q. What to do when there is an error message: ‘Sorry, we could not sign you in’?


A. In addition to the checks mentioned earlier in this document, check if the customer ID defined in the Okta setup is correct. If you are not sure of the customer ID, please reach out to [email protected] to get your customer ID.

Q. Why does the manager's information not get synchronized from Okta to Ally while provisioning new accounts?

A. Check the options below to ensure the manager information is being synchronized:

  • Check the attribute name used to pass the manager information: it should be manager.nameId, and its value should be the manager’s email address.

  • Check that the Force SSO option shown below is enabled. Manager attributes are set via SAML only when force_saml_sso_log_in is enabled.

    [Screenshot: Force SSO option in the Ally SSO configuration]
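The attribute requirements from the Azure table above, the Issuer/Identifier match described in the AADSTS650056 answer, and the Okta manager.nameId rule can all be checked mechanically before a user ever hits the login page. The following Python script is an added example and is not Ally’s code or any identity provider’s code. It parses a minimal, unsigned SAML AuthnRequest and Response that it constructs inline; the example.com issuer and identifier values, the claim namespace URL and the attribute names are assumptions taken from this FAQ, and the script does not verify XML signatures.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SAML 2.0 namespaces used in the Response and AuthnRequest.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attributes the FAQ says Ally expects in the SAML response.
REQUIRED_ATTRS = ("email", "firstName", "lastName")
# Attribute the FAQ names for Okta manager sync (only used when Force SSO is on).
MANAGER_ATTR = "manager.nameId"

# Constructed placeholder values; replace with your own IdP issuer and Identifier.
IDP_ISSUER = "https://idp.example.com/saml/issuer"
SP_IDENTIFIER = "https://app.example.com/saml/metadata/00000000-0000-0000-0000-000000000000"
# Azure AD prefixes custom claim names with a namespace URL (assumed value).
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"


def attribute_map(response_xml: str) -> dict:
    """Return {short attribute name: [non-empty values]} from the AttributeStatement.

    Azure AD sends claim names as '<namespace URL>/<name>', so only the last path
    segment is kept; 'http://.../claims/email' and 'email' therefore compare equal.
    """
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        short = attr.get("Name", "").rstrip("/").rsplit("/", 1)[-1]
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[short] = [v for v in values if v]
    return attrs


def check_authn_request(request_xml: str, configured_identifier: str) -> list:
    """AADSTS650056 check: the request's Issuer must equal the Identifier set in Azure AD."""
    root = ET.fromstring(request_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != configured_identifier:
        return [f"request Issuer {issuer!r} does not match Identifier {configured_identifier!r}"]
    return []


def check_response(response_xml: str, idp_issuer: str, force_sso: bool = False) -> list:
    """Return a list of problems; an empty list means the response carries what Ally needs."""
    problems = []
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_issuer:
        problems.append(f"response Issuer {issuer!r} != configured IdP Issuer URL {idp_issuer!r}")
    attrs = attribute_map(response_xml)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} is missing or empty")
    if force_sso:
        manager = attrs.get(MANAGER_ATTR)
        if not manager:
            problems.append(f"{MANAGER_ATTR!r} is missing; manager will not be synchronized")
        elif "@" not in manager[0]:
            problems.append(f"{MANAGER_ATTR!r} must be the manager's email, got {manager[0]!r}")
    return problems


def sample_response(claims: dict, issuer: str = IDP_ISSUER) -> str:
    """Build a minimal, unsigned SAML Response with the given attributes (constructed test data)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(name)}"><saml:AttributeValue>'
        f"{escape(value)}</saml:AttributeValue></saml:Attribute>"
        for name, value in claims.items()
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed AuthnRequest whose Issuer is the SP Identifier registered in Azure AD.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0">'
    f"<saml:Issuer>{SP_IDENTIFIER}</saml:Issuer></samlp:AuthnRequest>"
)


if __name__ == "__main__":
    good = sample_response({
        CLAIM_NS + "/email": "jane@example.com",
        CLAIM_NS + "/firstName": "Jane",
        CLAIM_NS + "/lastName": "Doe",
        MANAGER_ATTR: "lead@example.com",
    })
    print(check_authn_request(SAMPLE_REQUEST, SP_IDENTIFIER))   # []
    print(check_response(good, IDP_ISSUER, force_sso=True))      # []
    # Missing firstName/lastName reproduces the "change you wanted was rejected" case.
    print(check_response(sample_response({CLAIM_NS + "/email": "jane@example.com"}), IDP_ISSUER))
```

Run it against a captured Response (for example, decoded from the browser’s SAML tracer) to see which of the FAQ’s conditions a failing login actually violates. A production service provider must additionally verify the Response signature against the configured X509 certificate and check the assertion’s audience and validity window; this script deliberately covers only the attribute and issuer checks the FAQ describes.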

GOOGLE

Q. What to do when there is an error message: ‘Error: app_not_configured_for_user. Service is not configured for this user.’?

A. Check that the X509 certificate value is correctly entered in Ally. Only the value given for the X509 certificate should be copied and pasted, not the whole XML data.
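The Google answer above, and the earlier note that the certificate must be pasted as is, come down to extracting the bare base64 value of the IdP’s signing certificate from its metadata and nothing else. The script below is an added example, not Ally’s or Google’s code. It parses a constructed IdP metadata document containing a fake DER blob (a SEQUENCE header plus zero bytes, not a real certificate), pulls out only the signing certificate value, and sanity-checks what is about to be pasted into the SP’s X509 field.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 IdP metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for a DER-encoded certificate: a SEQUENCE header declaring
# 256 bytes of content, followed by 256 zero bytes. It is NOT a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()
# Metadata files wrap the base64 at 64 columns; reproduce that in the sample.
WRAPPED_CERT = "\n".join(FAKE_CERT_B64[i:i + 64] for i in range(0, len(FAKE_CERT_B64), 64))
# Constructed encryption certificate stub (an empty DER SEQUENCE) that must be ignored.
ENCRYPTION_STUB_B64 = base64.b64encode(b"\x30\x00").decode()

# Constructed IdP metadata with one signing and one encryption KeyDescriptor.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{WRAPPED_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_STUB_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_pasted_certificate(text: str) -> str:
    """Reduce a pasted certificate to its bare base64 body.

    Strips PEM header/footer lines and all whitespace, and refuses input that still
    contains XML markup, which is the mistake behind app_not_configured_for_user.
    """
    if "<" in text or ">" in text:
        raise ValueError("paste only the certificate value, not the XML element around it")
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return "".join("".join(body).split())


def looks_like_der_certificate(der: bytes) -> bool:
    """Cheap structural check: DER SEQUENCE tag with an outer length matching the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    declared = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + declared


def validate_certificate_value(value: str) -> tuple:
    """Return (ok, reason) for a value about to be pasted into the SP's X509 field."""
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if not looks_like_der_certificate(der):
        return False, "decoded bytes are not a DER SEQUENCE of the declared length"
    return True, "ok"


def signing_certificates(metadata_xml: str) -> list:
    """Extract the bare base64 value of each signing certificate in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' means signing too
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(normalize_pasted_certificate(cert.text or ""))
    return certs


if __name__ == "__main__":
    for value in signing_certificates(SAMPLE_METADATA):
        print(validate_certificate_value(value))            # (True, 'ok')
    print(validate_certificate_value("not a certificate"))  # (False, ...)
    try:
        normalize_pasted_certificate(SAMPLE_METADATA)        # whole XML pasted by mistake
    except ValueError as exc:
        print(exc)
```

Point `signing_certificates` at the metadata downloaded from your IdP and paste the returned string into Ally; if `validate_certificate_value` rejects it, the value was truncated, wrapped incorrectly, or still carries markup. The DER check is intentionally shallow; it catches a mangled paste, not an untrusted certificate.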

ADFS


Q. What to do when there is an error message: ‘We’re sorry, but something went wrong’?

A. Ally expects an attribute called “email” in the SAML response; please ensure that it is mapped when setting up your configuration in ADFS.
