🧐 What is SSO?
SSO refers to single sign-on and it's a simple and secure way for users to access Appointedd.
With SSO enabled, users can sign in with their existing company credentials without having to use Appointedd specific ones. This eliminates weak passwords and reduces the need to remember many different email and password combinations.
🏰 How does it work?
Here comes the technical part...
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (such as MS Azure Active Directory) to pass sign in credentials to service providers (such as Appointedd).
Appointedd now supports SAML SSO, which means any external user directory using the SAML 2.0 protocol can be configured to manage Appointedd users. Read more about how SAML authentication with MS Azure AD works here.
Appointedd fully supports MS Azure with documentation and testing as part of this solution, but documentation for other identity providers may be added based on feedback and demand.
🧑🏽‍💻 Who can set up SSO for Appointedd?
The user setting up SSO must have...
Administrator access to Appointedd (standard or restricted users cannot set up SSO)
Access to ALL Appointedd accounts wanting to enable SSO
The user's email domain must be the company domain, e.g. @appointedd.com, not @gmail.com
Not sure if you have Administrator permissions? Read the guide here or reach out to us 👋
⚙️ How do I set up SSO?
You're nearly there!
Step 1: Please message us via the chat or email firstname.lastname@example.org to request access to view the SAML SSO setup page. Why? This allows us to manually vet access to SAML.
Step 2: Log in to your Appointedd account, navigate to the profile icon in the top right of the screen, and select Manage SSO. You must be an admin that's been granted access to this page (step 1).
Step 3: You'll see that the domain of the email address you're logged in with has been automatically detected.
In order to activate SSO for your Appointedd account, you will need to upload a SAML metadata file. This is automatically generated once you have completed the configuration for Appointedd within your identity provider.
The metadata file includes the necessary data to establish trust between Appointedd and your Active Directory. As such it is specific to each business.
Step 4: On the same page, you’ll also find the information you need to add to your Active Directory as well as your domain-specific login URL. You can find instructions on where to add this within MS Azure here.
Make sure you hit Save.
Reply URL, also called Assertion Consumer Endpoint
This is the URL that the user directory calls to send the SAML response to our authentication system.
Entity ID, or SP urn/Audience URI
Some SAML providers require an Entity ID which can be added to the Identifier field within your directory.
Direct sign in URL
This is the URL that automatically starts the SSO flow for this SSO configuration.
Step 5: Configure user access to your organisation's Appointedd account(s). You can do this by clicking on 'Customize user permissions'. Learn more here.
If you add users as Administrators, they can also configure user access via the SSO page.
Do you have too many users to add? Reach out to us and we'll get it sorted for you.
Step 6: Configure users' access to Appointedd within your Active Directory. Learn more about how to do this in MS Azure here - this is referred to as Attributes & Claims in the article.
SSO complete! 🎉
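The metadata file uploaded in step 3 is what establishes trust, so it is worth checking what it contains before uploading it. The following is an added example (not Appointedd's own code) that parses an IdP metadata file of the kind Azure AD generates and pulls out the three things the service provider relies on: the IdP entityID, the HTTP-Redirect sign-in endpoint, and the signing certificate(s). The tenant ID, URLs and certificate in the embedded sample are constructed placeholders.

```python
# Added example, not Appointedd's own code: sanity-check an IdP SAML metadata file.
import xml.etree.ElementTree as ET  # use defusedxml in production to block XXE/billion-laughs

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the Azure AD layout; a real file carries a full base64 certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER-CERT...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return {'entity_id', 'sso_url', 'signing_certs'} or raise ValueError.

    Rejects files that are not IdP metadata (e.g. an SP descriptor uploaded by
    mistake) and files with no signing key, since responses could not be verified.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in kd.iter("{%s}X509Certificate" % NS["ds"]) if c.text]
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT:
            sso_url = svc.get("Location")
    if not certs or not sso_url:
        raise ValueError("metadata lacks a signing certificate or an HTTP-Redirect SSO endpoint")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}
```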
👯‍♂️ How can users log in via SSO?
Once SSO has been configured (see "How do I set up SSO?" above), we recommend sending out an internal message to the relevant users.
The user & permissions section of Appointedd will be locked to prevent users from adding other users via standard email and password.
📡 How can I migrate existing users over to SSO?
Once you have sent out an internal message with directions on how to log in via SSO, users should start doing so.
By default, they will still be able to log in via the usual email address and password that they set up originally.
As the user who set up SSO, you have the power to turn this setting ON or OFF via a toggle on the SSO setup page.
Toggle ON = allow users to still login via email and password
Toggle OFF = prevent users from logging in via email and password and push to SSO
SSO is a more secure way for users to access Appointedd. If the organisation has requested users to log in via SSO you can switch straight away and no longer need to use
🔎 Common troubleshooting FAQs 🧯
The SSO super user (user setting up SSO) must have access to all Appointedd accounts
Remember, when migrating users from email and password to SSO login, it is important to ensure that the person who set up SSO has access to all Appointedd accounts associated with their business.
In most cases a managed user signing in for the first time will automatically be granted access to all organisations that are associated with the SSO super user. The only exception to this is when an existing user tries to log in using their SSO credentials for the first time and they are not a user of at least one Appointedd account that the SSO super user is also part of.
This is an intentional organisation check to cover a potential security risk where a bad actor could gain access to an existing user's Appointedd account using the SSO with SAML feature. This protects businesses with multiple Appointedd accounts, as there might be a scenario where the Super User has access to a set of accounts and is trying to migrate a user on an account that the Super User doesn't have access to.
The solution here is to ensure that the SSO super user has access to all Appointedd accounts associated with their business to effectively manage user access to all those accounts.
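To make the organisation check above concrete, here is an added example (a model written for this article, not Appointedd's own code) of the decision rule on a first SSO sign-in: a brand-new managed user inherits the super user's organisations, an existing user who shares at least one account with the super user is accepted, and an existing user with no account in common is refused. The account names and emails are constructed, and the assumption that an existing user's own memberships are left untouched is the example's, not the article's.

```python
# Added example, not Appointedd's own logic: the first-SSO-login organisation check.

# Constructed data: accounts the SSO super user belongs to ...
SUPER_USER_ACCOUNTS = frozenset({"acct-sales", "acct-support"})
# ... and existing email/password users with the accounts they already belong to.
EXISTING_USERS = {
    "existing@example.com": {"acct-sales", "acct-finance"},  # overlaps on acct-sales
    "orphan@example.com": {"acct-finance"},                  # no account in common
}


def accounts_for_sso_login(email, super_user_accounts, existing_users):
    """Decide what a first SSO sign-in for `email` grants.

    Returns the set of super-user organisations to grant, or None when the
    sign-in must be refused. An existing user's own memberships are assumed to
    be left as they are (assumption, not stated by the article).
    """
    current = existing_users.get(email)
    if current is None:
        # New managed user: the IdP vouches for them, so they get the super
        # user's organisations.
        return set(super_user_accounts)
    if current.isdisjoint(super_user_accounts):
        # An existing account the super user cannot see: refuse, otherwise a
        # hostile or misconfigured IdP could assert an unrelated user's email
        # and take over their account.
        return None
    # Existing user who is already a colleague on at least one shared account.
    return set(super_user_accounts)
```

Operationally, a refusal here means "add the super user to the account in question first", which is exactly the fix the article recommends.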
You may need to update the metadata file
Certain Active Directories, such as MS Azure, will require you to update the metadata file in apps you've configured SSO for. For security reasons, the admin who originally configured SSO within Appointedd is the only user that can update the metadata file.
To change the SSO configuration, head to the SSO setup page in your Appointedd account by clicking on the profile icon, and then selecting Manage SSO. Under Edit SSO Configuration click Replace current file and upload the new XML file.
If you replace the existing metadata file with a new one, you won't be able to restore the original file.
🔴 I don't want users to login via SSO anymore
In the unlikely scenario that you need to disconnect your Active Directory from Appointedd, or disable SSO altogether, please get in touch with us via the in-app messenger or email email@example.com and we'll be able to assist.
Equally, if you need to edit the domain of your existing SSO configuration, please get in touch with our support team.