SAML SSO authentication (Entra version)

In Alli, you can integrate a SAML app to set up SSO (Single Sign-On) authentication. This allows you to configure access so that only members who have completed SSO authentication for a specific project can access Alli Works and the dashboard according to their permissions.

✅ What is SAML SSO?

SAML is an XML-based framework for web-browser-based authentication and authorization that enables users to log in once and be automatically signed in to multiple services. It is an authentication standard used by many companies today, and Alli supports SSO integration based on this standard.

✅ Supported IdPs

  • Google

  • Microsoft Entra

  • Okta

  • Any IdP that complies with the SAML specification

This guide uses Entra as the example.

Create Entra SAML App

1. Log in to the Entra admin console

2. Add a SAML app

  • Create the app using Applications > Enterprise applications tab > Create your own application button.

  • Enter the app name and select the 3rd option, 'Integrate any other application not in the gallery', then click the Create button.

  • Select the created app, click the Single Sign-on tab, and choose SAML.

Integrate the SAML app in the Alli dashboard

  • Go to Dashboard > Settings > Integrations > SAML SSO tab and click the +Add SAML app button.

Copy the ACS URL and Entity ID

  • Copy the generated values and paste them into the SAML app settings screen.

Single Sign on > Edit basic SAML configuration

Copy the Identifier (Entity) and Reply URL values

Add those values to the dashboard

  • A new SSO app has been created on the IdP. Please assign the members (users and groups) who will belong to that app.

Register the SAML app in Alli

1. Set the app name and slug

  • App name : It is recommended to set it the same as the Google SAML app to make identification easier.

  • App slug : This is the unique code members enter whenever they log into the project (e.g., my-project-sso).

    • App slugs may only contain lowercase letters, numbers, and hyphens.

    • Duplicate app slugs cannot be used. If an app slug is already used by another project, the message 'The slug you entered is already in use. Please enter a different slug.' will be displayed.

2. Enter the required information

  • Login URL (copy and paste the contents from Alli Dashboard > Settings > Integrations > Entra samlus production works settings tab)

  • Identifier (Entity ID) (copy and paste the contents from Alli Dashboard > Settings > Integrations > Entra samlus production works settings tab)

  • Certificate (copy and paste the contents from Alli Dashboard > Settings > Integrations > Entra samlus production works settings tab)

  • After entering all items, click the Save button to easily add the SAML SSO app to your Alli project.

SSO user attribute mapping (Entra version)

Distinguishing user attribute mapping vs group attribute mapping

When mapping attributes between a SAML app and Alli, 'user attributes' that are assigned 1:1 to individual users and 'group attributes' that apply to multiple users belonging to a group differ in how they are configured and applied.

  • User attribute mapping is a method where information assigned independently to each user (such as name, phone number, or department) is received by Alli as variables. In this case, department values are mapped 1:1 to Alli's GROUP variable so that Alli groups can be configured based on individual user attributes.

  • Group attribute mapping is a method that, based on pre-defined group units within the app (e.g., Product_team, Engineer_team, etc.), connects multiple users belonging to that group collectively to Alli groups.

For example, if you map the department field to a user variable, the department value set in each user's attributes will be set as that user's Alli group. On the other hand, if users are grouped within the app and that group information is delivered via group fields, the group-level information will be used to configure Alli groups.

Please accurately distinguish between user attributes and group attributes and proceed with mapping according to the configuration purpose.

Detailed attribute mapping settings (Attribute Mapping)

Here we will explain how to configure attribute mapping between Alli and the Google directory within a SAML app.

Basics

  • EMAIL is mapped automatically, so no separate configuration is required.

  • Alli supports the following user scope variables:

    • FIRST_NAME

    • LAST_NAME

    • GROUP

    • Common variables such as PHONE_NUM

  • The following variables are not supported.

    • FILE

    • CATEGORY

    • DOCUMENTS

    • SNIPPETS

User variable mapping

Single-Sign-On > Edit Attributes and Claims

Select the claim to map or add a new one

  1. In Name, enter the Alli variable name you want to map. (You can check variable names in the Settings > Variables tab.)

  2. Leave the Namespace blank. If anything is entered there, delete it.

  3. In the Source Attribute, select Entra attributes corresponding to each variable. (By default in Entra, GivenName corresponds to FIRST_NAME and Surname corresponds to LAST_NAME.)

  4. Click the Save button.

Each user variable name can be checked in Alli Dashboard > Settings > Variables tab.

User group mapping

Add new GROUP claim

  1. Enter GROUP as the name.

  2. In the Source Attribute, select the Entra attribute corresponding to GROUP. (In this app, department serves as the group, so select that value.)

  • There are a total of 3 department types for groups assigned to users in this SAML app:

    • Engineering Division

    • Product Team

    • Sales Team

  • Note that the above department information must also be registered identically in Alli for group mapping to be possible.

  3. Click the Save button.

Group creation and permission assignment

  1. Go to Alli Dashboard > Settings > Members > Groups tab.

  2. Create each group (Engineering Division, Product Team, Sales Team).

  3. Assign the necessary permissions to each group.

Users who log in through the integrated SAML app as follows will have each mapped variable automatically assigned, and details can be found in the All Members tab.

Group mapping (when users are natively grouped by group attributes within the app, or when a user belongs to multiple groups)

Add group organizations (units that group users) in the SSO app that integrates with Alli.

  • In that SAML app, two groups that group individual users have been added, and users are assigned to each group.

  • However, some users are members of both groups (Product_team and Engineer_team).

  1. Add a group claim in Claim Management.

  2. In the application, select Assigned Groups > Cloud-only group display name.

  3. Click Advanced Options and then click 'Customize group claim name'.

  4. Enter GROUP in Name (required) and click the Save button.

  • There are a total of 2 department types for the groups that bundle users in this SAML app:

    • Engineering_team

    • Product_team

  5. Note that the above group information must also be registered identically in Alli for group mapping to be possible.

  6. Click the Save button.

Group creation and permission assignment

  1. Go to Alli Dashboard > Settings > Members > Groups tab.

  2. Create each group (Product_team, Engineer_team).

  3. Assign the necessary permissions to each group.

For users who log in through an SSO app integrated via SAML, even if they belong to multiple groups in that SSO app, that information is automatically reflected in Alli.

  • Each time a user logs in, the group information registered in the SAML app is automatically refreshed and reflected in Alli.

  • Therefore, if a user's group in the SSO app is changed (added, removed, etc.), those changes will be applied to Alli on the next login.

However, Admin privileges are unique privileges that can only be set within the Alli system. These privileges are managed separately in the Alli dashboard regardless of the IdP (SAML integration system), so they are not automatically reflected upon login.
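The mapping rules above (blank namespace, supported variable names, group names registered identically in Alli) can be checked against the attributes of a decoded test assertion before rollout. The following is an added example, not Alli or Microsoft code; the sample XML and user are constructed, the function names are hypothetical, and exact case-sensitive group matching is an assumption based on the "registered identically" requirement.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUPPORTED = {"FIRST_NAME", "LAST_NAME", "GROUP", "PHONE_NUM"}  # from the Basics list
UNSUPPORTED = {"FILE", "CATEGORY", "DOCUMENTS", "SNIPPETS"}

# Constructed AttributeStatement (not captured from a real tenant). The first
# claim still carries Entra's default namespace; one group name does not match.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LAST_NAME"><saml:AttributeValue>Kim</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="GROUP">
    <saml:AttributeValue>Product_team</saml:AttributeValue>
    <saml:AttributeValue>Engineering_team</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def read_attributes(xml_text):
    """Return {claim name: [values]} for every Attribute in the statement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.iter(SAML + "AttributeValue")]
            for a in root.iter(SAML + "Attribute")}

def check_mapping(xml_text, alli_groups):
    """List problems that would stop the claims from mapping as configured."""
    attrs, problems = read_attributes(xml_text), []
    for name in attrs:
        if name in UNSUPPORTED:
            problems.append(f"unsupported variable: {name}")
        elif "/" in name or ":" in name:
            problems.append(f"namespace not cleared: {name}")
        elif name not in SUPPORTED:
            problems.append(f"check Settings > Variables for: {name}")
    if "GROUP" not in attrs:
        problems.append("no GROUP claim in assertion")
    for group in attrs.get("GROUP", []):
        if group not in alli_groups:  # assumed exact, case-sensitive match
            problems.append(f"group not registered in Alli: {group}")
    return problems

if __name__ == "__main__":
    for problem in check_mapping(SAMPLE, {"Product_team", "Engineer_team"}):
        print(problem)
```

This only inspects claim names and values; it does not validate the assertion's signature.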
