search

SAML SSO authentication (Okta version)

In Alli, you can integrate a SAML app to set up SSO (Single Sign-On) authentication. This allows you to configure access so that only members who have completed SSO authentication for a specific project can access Alli Works and the dashboard according to their permissions.

hashtag
✅ What is SAML SSO?

SAML is an XML-based framework for web-browser-based authentication and authorization that enables users to log in once and be automatically signed in to multiple services. It is an authentication standard used by many companies today, and Alli supports SSO integration based on this standard.

hashtag
✅ Supported IdPs

  • Google

  • Microsoft Entra

  • Okta

  • Any IdP that complies with the SAML specification

This guide describes the process using Okta as an example.

hashtag
Create Okta SAML App

1. Okta Dashboardarrow-up-right Log in to the admin console

2. Add a SAML app

  • Create the app via Application > Create App Integration button.

  • Select the SAML 2.0 method.

  • Enter the app name and click the Next button.

hashtag
Integrate the SAML app in the Alli dashboard

  • Go to Dashboard > Settings > Integrations > SAML SSO tab and click the +Add SAML app button.

Copy the ACS URL and Entity ID

  • Copy the generated values and paste the Entity ID into Single sign-on URL and the ACS URL into Audience URL on the dashboard.

  • The SAML app has been configured. Be sure to set the Name ID Format to EmailAddress and configure each user to belong to this app.

  • Enter the dashboard’s ACS URL (Reply URL) into Single sign on URL and the Entity ID into Audience URL.

hashtag
Register the SAML app in Alli

1. Set the app name and slug

  • Enter the : It is recommended to set them the same as the Google SAML app to make identification easier.

  • App slug : This is the unique code members enter whenever they log into the project (e.g., my-project-sso

    • App slugs may only contain lowercase letters, numbers, and hyphens.

    • Duplicate app slugs cannot be used. If an app slug is already used by another project, the message 'The slug you entered is already in use. Please enter a different slug.' will be displayed.

2. Enter the required information

  • In the Sign-on tab of the Okta app, transfer the app details to the dashboard. 1) Sign in URL > Login URL 2) Issuer > Identifier 3) Signing Certificate > Certificate — copy each accordingly.

After entering all items, click the Save button to easily add the SAML SSO app to your Alli project.

hashtag
SSO user attribute mapping (Okta version)

hashtag
Distinguishing user attribute mapping vs group attribute mapping

When mapping attributes between a SAML app and Alli, 'user attributes' that are assigned 1:1 to individual users and 'group attributes' that apply to multiple users belonging to a group differ in how they are configured and applied.

  • User attribute mapping is a method where information independently assigned to each user—such as name, phone number, department—is received by Alli as variables and used. In this case department values such as are mapped 1:1 to Alli's GROUP variable so that Alli groups can be configured based on individual user attributes.

  • Group attribute mapping is a method that, based on pre-defined group units within the app (e.g., Product_team, Engineer_team, etc.), connects multiple users belonging to that group collectively to Alli groups.

For example, department If you map a field to a user variable, the department value set in each user's attribute will be set as that user's Alli group. On the other hand, if users are grouped within the app and that group information is delivered via group fields, the group-level information will be used to configure Alli groups.

Please accurately distinguish between user attributes and group attributes and proceed with mapping according to the configuration purpose.

hashtag
Detailed attribute mapping settings (Attribute Mapping)

Here we will explain how to configure attribute mapping between Alli and the Google directory within a SAML app.

Basics

  • EAML is mapped automatically, so no separate configuration is required.

  • Alli supports the following user scope variables:

    • FIRST_NAME

    • LAST_NAME

    • GROUP

    • Common variables such as PHONE_NUM

  • The following variables are not supported.

    • FILE

    • CATEGORY

    • DOCUMENTS

    • SNIPPETS

hashtag
User variable mapping

App > General > SAML Settings > Edit > Configure SAML tab

Select the Attribute Statements tab

  1. Enter the appropriate values so that an Alli variable can be selected for NAME and an Okta field can be selected for Value.

  2. Here, as an example, we selected the fields corresponding to First name and Last name and mapped them to match Alli's variable names.

Each user variable name can be checked in Alli Dashboard > Settings > Variables tab.

hashtag
User group mapping

App > General > SAML Settings > Edit > Configure SAML tab

Select the Attribute Statements tab

  1. In Alli, departmentis GROUPtreated as a variable, so you must enter GROUPin the Name of Attribute Statements.

  2. Enter the field name corresponding to the department in the app in the Value.

You must follow the rules below.

Writing rules

  1. Prefix with user.afterwards.

  2. Then enter the lowercase version of the User Attribute name.

For example, in that app, divisionis an attribute that acts as a group (department), so enter it as follows:

  • This SAML app has a total of 3 department types:

    • Engineering Division

    • Product Team

    • Sales Team

  • Note that the above department information must also be registered identically in Alli for group mapping to be possible.

Group creation and permission assignment

  1. Go to Alli Dashboard > Settings > Members > Groups tab.

  2. Create each group (Engineering Division, Product Team, Sales Team).

  3. Assign the necessary permissions to each group.

As follows, users who log in through the integrated SAML app will have each mapped variable automatically assigned.

hashtag
Group mapping (when users are natively grouped by group attributes within the app, or when a user belongs to multiple groups)

Add group organizations (units that group users) in the SSO app that integrates with Alli.

  • In that SAML app, two groups that group individual users have been added, and users are assigned to each group.

  • However, some users are Backend, Frontednalso members of both groups.

  1. In Group Attribute Statements, enter GRUOP in the Name.

  2. Select Matches regex in the Filter and enter .* as the value.

  • There are two groups that group users in that Okta app.

    • Backend

    • Front

  1. Note that the above group information must also be registered identically in Alli for group mapping to be possible.

  2. Click the Save button.

Group creation and permission assignment

  1. Go to Alli Dashboard > Settings > Members > Groups tab.

  1. Create each group (Backend, Front).

  2. Assign the necessary permissions to each group.

For users who log in through an SSO app integrated via SAML, even if they belong to multiple groups in that SSO app, that information is automatically reflected in Alli.

  • Each time a user logs in, the group information registered in the SAML app is automatically refreshed and reflected in Alli.

  • Therefore, if a user's group in the SSO app is changed (added, removed, etc.), those changes will be applied to Alli on the next login.

However, Admin privileges are unique privileges that can only be set within the Alli system. These privileges are managed separately in the Alli dashboard regardless of the IDP (SAML integration system), so they are not automatically reflected upon login.

PreviousSSO user attribute mapping (Entra version)NextSSO user attribute mapping (Okta version)

Last updated