Guides

Generic SAML 2.0

Suggest Edits

Alloy supports the SAML SSO with Okta and Azure Entra ID. It's SAML 2.0. So, with any other identity provider, the user can try to integrate.

Prerequisites

Minimum requirements for identity providers:

  • The IdP must conform to SAML 2.0.
  • The IdP must provide a Single sign-on URL, an Entity ID, a Signing certificate, and a Metadata.xml.
  • The Idp must be able to configure the attribute mapping between the Idp and sp
  • The IdP must include the signing public key in the SAML response.

1. Access to Authentication Settings at Alloy

1.1 Granting Access to the SAML Self-Serve Setup

The agent must either have Admin access or be granted access to a role with the following permissions below via “Roles” to “Authentication Settings”

1.2 Configuring a Default Role

Before you can use SAML, you MUST configure a default role for your users in the Alloy settings. This role will determine the permissions that your user has when they first log in.

The first time a user logs in using SAML SSO, they will be added to the Alloy system as an "Agent", and will be given this default role. Agents with Admin permission can then go in and assign them a different role, if they need additional privileges.

  1. Be sure that you have Admin permission in Alloy, and log in to your dashboard.

  2. Navigate to Settings in the sidebar, and then select Roles from the list.

  3. On the Roles page, you should see a list of roles. By default these include "Admin" and "User," but your organization may have configured different ones.

  4. Select the role that you want to designate as the default for new SAML users. Click the icon with a pencil to edit the role. (You could also create a new role first, by filling out the form at the top and clicking "Save.")

  5. Check the box labeled "Designate this role as the organizational default for new users," and apply your changes by clicking "Save."

  6. You have now set a default user role for your org, and are ready to use SAML! Notice the addition of the "Default Role" label that will tell you your default role, when you return to this page in the future.


1.3 Setting up SAML

Once your access has been configured, go to “Authentication”

Then, select “Enable SAML Authentication”

Select My Idp is not listed here and click Continue.

Take note of the SSO URL and Audience URI.

2. Add Alloy to your identity provider

2.1 Create an application in your identity provider

Most identity providers allow users to create an Application

The typical setup requirements are:

  1. Create a new integration in the identity provider with the type set as SAML 2.0.
  2. Configure the SSO URL and Audience URI from step 1.3

2.2 Update the attribute mapping

It is critical to configure the Identity Provider to map the user's email address, first name, last name, and phone number to attributes with these exact names (case sensitive):

(Please note: the Value field may vary depending on the Identity Provider. Those shown below are sample values using Okta as a reference.)

  • Email: User's email address - in Okta: user.email
  • firstName: User's first name - in Okta: user.firstName
  • lastName: User's last name - in Okta: user.lastName
  • phone: User's phone number - in Okta: user.mobilePhone (optional)

2.3 Download the Idp metadata

Once you have completed all the SAML fields and created an integration for Alloy, you will need to extract the Identity Provider Metadata XML document which has the configured SAML fields so that we can securely verify login requests coming from your identity provider.

3. Upload the Idp metadata to Alloy

Upload it on step 3 of Set up SAML.


4. Test the Single sign-on

4.1 Assign the user to the app.

4.2 Test SSO with the user that is assigned to the App.

login the test user to the Idp application dashboard. they should be able to see the Alloy App, try to click it to sign in.

5. Other Authentication Settings

Screenshot 2024-04-16 at 4.18.49 PM.png
  • G Suite Domain - If you’d like to give your users the ability to login via google SSO, you can enter the G Suite Domain they should be using.
  • Google Signin Required - This will force users to log in via Google SSO.
  • Multi-Factor Authentication Required - If your organization does not have SAML enabled, you can require that each user log in using MFA.
  • Enforce Single Sign-On - If SAML is enabled, all users will be forced to log in with SSO. If disabled, users will be able to log in via SSO or credentials.

5.1. SAML Exceptions

Screenshot 2024-04-16 at 4.23.19 PM.png

If you’d like to grant users the ability to log in via credentials when Enforce Single Sign-On is on, you can configure this via the “SAML Exceptions” section

6. How to Configure SCIM

Note: SCIM is only supported for clients who currently use Okta and Microsoft Entra

Once you’ve successfully set up SAML, you can configure SCIM.

Updated 5 months ago