Skip to main content

Prerequisites

Before you begin, you’ll need:
  • Administrative access to your Microsoft Entra ID tenant (Azure portal)
  • The SSO configuration details from Ally Security (we’ll provide these after you request SSO setup)
  • The email domain(s) that should be enabled for SSO

Step 1: Create a New Enterprise Application in Microsoft Entra ID

  1. Navigate to the Microsoft Entra admin center and sign in with your admin account.
  2. In the left navigation menu, expand Identity and select Applications > Enterprise applications.
  3. Select + New application at the top of the page.
  4. Select + Create your own application.
  5. Enter a name for the application (e.g., “Ally Security”) and select Integrate any other application you don’t find in the gallery (Non-gallery).
  6. Select Create to create the application.

Step 2: Configure SAML-Based Single Sign-On

  1. After the application is created, you’ll be redirected to the application overview page.
  2. In the left navigation menu, select Single sign-on.
  3. Select SAML as the single sign-on method.
  4. In the Basic SAML Configuration section, select Edit.
  5. Configure the following settings using the information provided by Ally Security: Identifier (Entity ID)
    • Enter the Entity ID provided by Ally Security
    Reply URL (Assertion Consumer Service URL)
    • Enter the ACS URL provided by Ally Security
  6. Select Save to save the configuration.

Step 3: Configure Attribute Mappings

Ally Security requires specific attributes in the SAML response. Configure the following attribute claims:
  1. In the Attributes & Claims section, select Edit.
  2. You may need to modify the existing claims or add new ones. Configure the following: Email address (required)
    • Select Add new claim or edit the existing email claim
    • Name: mail
    • Source attribute: Select user.mail from the dropdown
    First name (optional)
    • Select Add new claim
    • Name: firstName
    • Source attribute: Select user.givenname from the dropdown
    Last name (optional)
    • Select Add new claim
    • Name: lastName
    • Source attribute: Select user.surname from the dropdown
  3. Select Save after configuring each claim.
Ensure that the attribute names (mail, firstName, lastName) are entered exactly as shown, as they are case-sensitive.

Step 4: Assign Users or Groups

Before users can sign in using SSO, you need to assign them to the enterprise application:
  1. In the left navigation menu, select Users and groups.
  2. Select + Add user/group at the top.
  3. Under Users, select None Selected and search for the users or groups you want to assign.
  4. Select the users or groups, then select Select.
  5. Select Assign to complete the assignment.
Assigning a group is recommended for easier management. All members of the assigned group will be able to sign in via SSO.

Step 5: Download or Copy the Federation Metadata

After completing the SAML configuration, you’ll need to provide Ally Security with your federation metadata:
  1. Navigate back to the Single sign-on page for your application.
  2. In the SAML Certificates section, locate App Federation Metadata Url.
  3. Copy this URL to share with Ally Security.
Alternatively, you can download the Federation Metadata XML file:
  1. In the same SAML Certificates section, select Download next to Federation Metadata XML.
  2. Share this file with your Ally Security contact.

What to Provide to Ally Security

To complete the SSO setup, please provide the following information:
  1. Federation Metadata URL or Federation Metadata XML file: From the SAML Certificates section (as described in Step 5)
  2. Email domain: The email domain(s) that should be enabled for SSO (e.g., @yourcompany.com)
  3. Test user email (optional): An email address of a test user that can be used to verify the SSO configuration

After Setup Is Complete

Once Ally Security has configured SSO on our end:
  • All users with email addresses ending in your configured domain will be redirected to Microsoft Entra ID for authentication
  • Users will sign in using their Microsoft credentials
  • Existing users with matching email domains will need to use SSO to sign in
If there are existing users with email domains that match the SSO configuration, they will be required to use SSO to sign in once it’s enabled. Make sure to communicate this change to your team members.

Troubleshooting

If you encounter issues during setup:
  • Verify attribute mappings: Ensure that the attribute names (mail, firstName, lastName) match exactly as specified and are mapped to the correct source attributes
  • Check user assignments: Confirm that users or groups have been assigned to the enterprise application
  • Verify domain configuration: Ensure the email domain matches what was provided to Ally Security
  • Check SAML configuration: Verify that the Entity ID and Reply URL match exactly what was provided by Ally Security
  • Review sign-in logs: In Microsoft Entra ID, navigate to Identity > Monitoring & health > Sign-in logs to review any authentication errors
  • Contact support: Reach out to Ally Security support if you need assistance with the configuration