You can choose to enforce SAML SSO for Ally with OneLogin for added security. Once setup, users in your organization can use their managed OneLogin account credentials to sign in to Ally via Single Sign-On (SSO). 

Follow these simple steps to setup SAML:

  1. Login to OneLogin administrator dashboard.
  2. Navigate to Apps > Add Apps inside the administrator dashboard. Search for 'SAML Test Connector(Advanced)' and select the first result from the search results.
  3. Enter ‘Ally’ under the ‘Display Name’ label against the Portal section and click the save button.

4. (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 512 pixels square.

5. Go to the ‘Configuration tab’. Fill <to be provided URL> into ‘Audience’, ‘Recipient’, and ‘ACS(consumer) URL’ fields. Enter ^https:\/\/app.gotoally.com\/.* into the ‘ACS (Consumer) URL Validator’ field, as shown below.

6. Choose ‘Email’ as the option for the ‘SAML nameID format’ field as shown below.

7. Go to the ‘Parameters’ tab and add the following parameters one by one by clicking the ‘Add parameter’ link.

8. Click ‘Save’ on the top right corner of the page and that completes the setup at your end.

9. For Ally to complete setup, we will either need the IDP metadata XML or the 3 pieces of information mentioned in the list below. Please share these details with support@gotoally.com.
   a. Issuer URL
   b. SAML 2.0 Endpoint (HTTP)
   c. X.509 certificate

To get them, go to the ‘SSO’ tab. The ‘Issuer URL’ and ‘SAML 2.0 Endpoint (HTTP)’ are available on the page as shown below.

To get the X.509 certificate, click the ‘View Details’ link below the X.509 Certificate dropdown. From the certificate page, copy the X.509 Certificate contents.

10. Please let us know if you would want to allow your users to log in with email/password and other SSO options along with SAML SSO (Non-Enforced), or if you want to allow your users to only login with SAML SSO (Enforced). By default, we don’t enforce SAML SSO unless requested.

Did this answer your question?