SAML SSO authentication (Google version)

Alli allows you to integrate a SAML app to configure SSO (Single Sign-On) authentication. This lets you restrict access to Alli Works and the dashboard for a specific project so that only members who have completed SSO authentication can access them according to their permissions.

✅ What is SAML SSO?

SAML is an XML-based framework for web-browser-based authentication and authorization that enables users to log in once and be automatically signed in to multiple services. It is an authentication standard used by many companies today, and Alli supports SSO integration based on this standard.

✅ Supported IdPs

• Google

• Microsoft Entra

• Okta

• Any IdP that complies with the SAML specification

This guide explains using Google as the example.

Create a Google SAML App

1. Sign in to the Google Admin Console

• Google Admin ConsoleAccess it.

2. Add a SAML app

• Go to Web and mobile apps > Add app > Add custom SAML app.

• Enter theapp name and proceed.

Check SSO information

• Check the SSO URL, Entity ID, and certificate information.

• These values will be needed later when entering them into Alli, so save them separately or use Download metadatato view them later.

Integrate the SAML app in the Alli dashboard

• Go to Dashboard > Settings > Integrations > SAML SSO tab and click the +Add SAML app button.

Copy the ACS URL and Entity ID

• Copy the generated values and paste them into the Google SAML app settings screen.

• Name IDis a unique key value used to identify a user. Alli distinguishes users based on their email address, so when configuring the SAML app you must set the Name ID to Primary Email.

• Skip the attribute settings screen and click Finish to complete the app.

• A new SSO app has been created on the IdP. Please assign the members (users and groups) who will belong to that app.

Register the SAML app in Alli

1. Set the app name and slug

• Enter the : It is recommended to set them the same as the Google SAML app to make identification easier.

• App slug : This is the unique code members enter whenever they log into the project (e.g.,password)

  • App slugs may only contain lowercase letters, numbers, and hyphens.

2. Enter the required information

• Login URL (copy and paste the contents from Alli Dashboard > Settings > Integrations > SAML SSO tab)

• Identifier (Entity ID) (copy and paste the contents from Alli Dashboard > Settings > Integrations > SAML SSO tab)

• Certificate (copy and paste the contents from Alli Dashboard > Settings > Integrations > SAML SSO tab)

→ After configuring the Google SAML app, you can confirm the above information by using 'Download metadata'.

Download metadata

• After entering all items, click the Save button to easily add the SAML SSO app to your Alli project.

SSO user attribute mapping (Google version)

Distinguishing user attribute mapping vs group attribute mapping

When mapping attributes between a SAML app and Alli, 'user attributes' that are assigned 1:1 to individual users and 'group attributes' that apply to multiple users belonging to a group differ in how they are configured and applied.

• User attribute mapping is a method where information independently assigned to each user—such as name, phone number, department—is received by Alli as variables and used. In this case department values such as are mapped 1:1 to Alli's GROUP variable so that Alli groups can be configured based on individual user attributes.

• Group attribute mapping is a method that, based on pre-defined group units within the app (e.g., Product_team, Engineer_team, etc.), connects multiple users belonging to that group collectively to Alli groups.

For example, department If you map a field to a user variable, the department value set in each user's attribute will be set as that user's Alli group. On the other hand, if users are grouped within the app and that group information is delivered via group fields, the group-level information will be used to configure Alli groups.

Please accurately distinguish between user attributes and group attributes and proceed with mapping according to the configuration purpose.

Detailed attribute mapping settings (Attribute Mapping)

Here we will explain how to configure attribute mapping between Alli and the Google directory within a SAML app.

Basics

• EAML is mapped automatically, so no separate configuration is required.

• Alli supports the following user scope variables:

  • FIRST_NAME

  • LAST_NAME

  • GROUP

  • Common variables such as PHONE_NUM

• The following variables are not supported.

  • FILE

  • CATEGORY

  • DOCUMENTS

  • SNIPPETS

User variable mapping

1. In Web & Mobile Apps > Apps integrated with Alli > SAML Attribute Mapping, click the [Add Mapping] button.

2. In the Google Directory Attributes tab, select the field you want to map that is assigned to each user.

3. Enter Alli's variable name in the app attribute field to complete the mapping.

Each user variable name in Alli can be found in the Alli dashboard > Settings > Variables tab.

User group mapping (when only the unit of users rather than groups is used within that SSO)

1. Click the [Add Mapping] button just like with other variables.

2. In the Google Directory Attributes tab, select the user field corresponding to the group; in Alli it is handled as the variable departmentis GROUPso you must enter GROUPin the Name of Attribute Statements.

• This SAML app has a total of three departments, and within the SSO app each user's department information is specified in the Department field.

  • Engineering Division

  • Product Team

  • Sales Team

• Note that the above department information must also be registered identically in Alli for group mapping to be possible.

Group creation and permission assignment

1. Go to Alli Dashboard > Settings > Members > Groups tab.

2. Create each group (Engineering Division, Product Team, Sales Team).

3. Assign the necessary permissions to each group.

As shown below, users who log in through the integrated SAML app will have each mapped variable automatically assigned, and details can be checked in the 'Users' or 'Conversations' tab.

Group mapping (when users are natively grouped by group attributes within the app, or when a user belongs to multiple groups)

• This SAML app contains a total of two groups that each bundle individual users, and users are assigned to each group.

• However, some users are Product_team, Engineer_teamalso members of both groups.

• In Web & Mobile Apps > Apps integrated with Alli > SAML Attribute Mapping, enter all group information that users belong to in that app under the [Group Membership] tab at the very bottom.

• Please note that the group information in the SSO must also be registered identically in Alli for mapping to be possible.

Group creation and permission assignment

1. Go to Alli Dashboard > Settings > Members > Groups tab.

1. Create each group (Product_team, Engineer_team).

2. Assign the necessary permissions to each group.

For users who log in through an SSO app integrated via SAML, even if they belong to multiple groups in that SSO app, that information is automatically reflected in Alli.

• Each time a user logs in, the group information registered in the SAML app is automatically refreshed and reflected in Alli.

• Therefore, if a user's group in the SSO app is changed (added, removed, etc.), those changes will be applied to Alli on the next login.

However, Admin privileges are unique privileges that can only be set within the Alli system. These privileges are managed separately in the Alli dashboard regardless of the IDP (SAML integration system), so they are not automatically reflected upon login.