What is SSO?
Single sign-on (SSO) is a form of authentication that allows users to log in with credentials they already have, usually their company login, giving them a simple and secure way to access applications such as Appointedd.
With SSO enabled, users can sign in with their existing company credentials without having to use Appointedd specific ones. This eliminates weak passwords and reduces the need to remember many different email and password combinations.
Appointedd doesn't support multiple domain names with SAML. This means all employees must have the same email domain that was used to set up SAML.
Please note: SSO has to be enabled by a user who has admin access to all of your organisation's Appointedd accounts. If your organisation hasn't actioned this yet, get in touch with your Appointedd and/or IT admins.
How does it work?
Here comes the technical part...
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (such as MS Azure Active Directory) to pass proof of a user's sign-in (a SAML assertion) to service providers (such as Appointedd).
Appointedd now supports SAML SSO, which means any external user directory using the SAML 2.0 protocol can be configured to manage Appointedd users. Read more about how SAML authentication with MS Azure AD works here.
Appointedd fully supports MS Azure with documentation and testing as part of this solution; documentation for other identity providers may be added based on feedback and demand.
Who can set up SSO for Appointedd?
The user setting up SSO must have:
Administrator access to Appointedd (standard or restricted users cannot set up SSO)
Access to ALL Appointedd accounts wanting to enable SSO
An email address on the company domain, e.g. @appointedd.com, not @gmail.com
Not sure if you have Administrator permissions? Read the guide here or reach out to us.
How do I set up SSO?
Step 1: Please message us via the chat or email support@appointedd.com to request access to view the SAML SSO setup page. Why? This allows us to manually vet access to SAML.
Step 2: Log in to your Appointedd account, navigate to the profile icon in the top right of the screen, and select Manage SSO. You must be an admin who has been granted access to this page (see step 1).
Step 3: You'll see that the domain of the email address you're logged in with has been automatically detected.
To activate SSO for your Appointedd account, you will need to upload a SAML metadata file. Your identity provider generates this file automatically once you have completed the Appointedd configuration on its side.
The metadata file includes the data needed to establish trust between Appointedd and your Active Directory, so it is specific to each business.
Step 4: On the same page, you'll also find the information you need to add to your Active Directory, as well as your domain-specific login URL. You can find instructions on where to add this within MS Azure here.
Make sure you hit Save.
Name | More info | Value |
Reply URL, also called Assertion Consumer Endpoint | This is the URL that the user directory calls to send the SAML response to our authentication system. | https://login.services.appointedd.com/saml2/idpresponse |
Entity ID, or SP urn/Audience URI | Some SAML providers require an Entity ID which can be added to the Identifier field within your directory. | urn:amazon:cognito:sp:eu-west-1_oLoLFzh3E |
Direct sign in URL | This is the URL that automatically starts the SSO flow for this SSO configuration. | https://app.appointedd.com/loginv2?sso=<domain> |
Step 5: Configure user access to your organisation's Appointedd account(s). You can do this by clicking on 'Customize user permissions'. Learn more here.
If you add users as Administrators, they can also configure user access via the SSO page.
Too many users to add? Reach out to us and we'll get it sorted for you.
Step 6: Configure users' access to Appointedd within your Active Directory. Learn more about how to do this in MS Azure here; this is referred to as Attributes & Claims in the article.
That's it! SSO setup should be complete.
How can users log in via SSO?
Once SSO has been configured, we recommend sending out an internal message to the relevant users. Logging into Appointedd with SSO is super easy: just follow these steps:
1. Navigate to the Appointedd login page at app.appointedd.com or use your company-specific login page, which you can get from your Appointedd and/or IT admin.
2. Select Log in with SSO.
3. Add your company email address and hit Log in.
Please note: The user & permissions section of Appointedd will be locked to prevent users adding other users via standard email and password.
How can I migrate existing users over to SSO?
Once you have sent out an internal message with directions on how to log in via SSO, users should start doing so.
By default, they will still be able to log in with the email address and password they set up originally.
As the user who set up SSO, you can turn this setting ON or OFF via a toggle on the SSO setup page.
Toggle ON = allow users to still log in via email and password
Toggle OFF = prevent users from logging in via email and password and push them to SSO
SSO is a more secure way for users to access Appointedd. If the organisation has asked users to log in via SSO, you can switch the toggle off straight away.
Managing Appointedd user permissions
When you add users to Appointedd via your Active Directory, they will be assigned restricted permissions to all Appointedd accounts associated with this SSO configuration.
We recommend configuring users' access to Appointedd via the Appointedd SSO configuration page before giving them access via your Active Directory.
Customize Appointedd user permissions
Within your Appointedd account, go to the profile icon, then select Manage SSO. Here, you can customize the user's permissions by clicking on customize user permissions. Fill out the relevant details, and adjust permissions as needed. If you need to adjust a user's access to multiple accounts, you can do this by repeating the process.
When migrating a user's login to SSO, the user will lose access via email and password after the first time they sign in with SSO. Their existing email and password will be replaced with SSO login.
Edit an existing custom permission set
Once you have added users, they will be listed on the SSO user management page within your Appointedd account, under the profile icon > Manage SSO.
To edit a user's permissions, select the pen icon next to their name. This will trigger an editing pop-up that will allow you to change their email address, the Appointedd account this permission set relates to, as well as the user permissions.
Filter user permissions
If you need to find a particular user permission set, you can do this easily within your Appointedd account, under the profile icon, by clicking on Manage SSO.
Here, you can use the filters below to find the permission set you are looking for:
email address
Appointedd account
permissions
Delete user permissions
If one of your users doesn't need access to a particular Appointedd account anymore, you can delete their relevant user permission set on the same page.
You can do this by finding the relevant permission set (you can use the filters), and clicking on the bin icon.
Please note: If you need to delete a user's full access to Appointedd, this has to be actioned via your Active Directory. You might need to get in touch with your internal IT department to action this.
Please also note: If you delete a user's last permission set without deleting them in your Active Directory, their access will default back to restricted access to all Appointedd accounts associated with this SSO configuration. Learn more about Appointedd user permissions here.
I don't want users to login via SSO anymore
In the unlikely scenario that you need to disconnect your Active Directory from Appointedd, or disable SSO altogether, please get in touch with us via the in-app messenger or email support@appointedd.com and we'll be able to assist.
Equally, if you need to edit the domain of your existing SSO configuration, please get in touch with our support team.
Common troubleshooting FAQs
The SSO super user (user setting up SSO) must have access to all Appointedd accounts
Remember, when migrating users from email and password to SSO login, it is important to ensure that the person who set up SSO has access to all Appointedd accounts associated with their business.
In most cases a managed user signing in for the first time will automatically be granted access to all organisations associated with the SSO super user. The only exception is when an existing user tries to log in using their SSO credentials for the first time and they are not a member of at least one Appointedd account that the SSO super user is also part of.
This is an intentional organisation check to cover a potential security risk where a bad actor could gain access to an existing user's Appointedd account using the SSO with SAML feature. It protects businesses with multiple Appointedd accounts, where the super user has access to a set of accounts and is trying to migrate a user on an account that the super user doesn't have access to.
The solution is to ensure that the SSO super user has access to all Appointedd accounts associated with their business, so they can effectively manage user access to all those accounts.
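To make the organisation check concrete, here is a small model of the rule as this FAQ describes it. It is an added example written for this page, not Appointedd's code, and it is one reading of the text above rather than the service's real logic; the account names and email addresses are constructed sample data.

```python
"""Model of the first-SSO-sign-in organisation check described in this FAQ.

Added example, not Appointedd's code: it encodes the rule as the article states
it (a reading of the text, not the service's real logic).  Account names and
email addresses are constructed sample data.
"""
from __future__ import annotations


def first_sso_sign_in(user_accounts: set[str], super_user_accounts: set[str]) -> tuple[bool, set[str], str]:
    """Decide a managed user's first SSO sign-in.

    user_accounts:       Appointedd accounts the user already belongs to
                         (empty set for a brand-new user).
    super_user_accounts: accounts the SSO super user (who set up SSO) can access.
    Returns (allowed, accounts the user is granted, reason).
    """
    if not user_accounts:
        # Brand-new managed user: granted access to every account tied to the super user.
        return True, set(super_user_accounts), "new user: granted all super-user accounts"
    if user_accounts & super_user_accounts:
        # Existing user who shares at least one account with the super user.
        return True, set(super_user_accounts), "existing user shares an account with the super user"
    # Existing user with no account in common with the super user: refused, so that an
    # SSO identity cannot take over an Appointedd account the super user cannot see.
    return False, set(), "existing user shares no account with the super user"


def accounts_super_user_is_missing(users: dict[str, set[str]], super_user_accounts: set[str]) -> set[str]:
    """Accounts the super user must be added to before these existing users can migrate.

    users maps each existing user's email to the accounts they belong to.  Any account
    held by a user who would be refused above is reported, which is the fix the FAQ gives.
    """
    missing: set[str] = set()
    for accounts in users.values():
        allowed, _, _ = first_sso_sign_in(accounts, super_user_accounts)
        if not allowed:
            missing |= accounts - super_user_accounts
    return missing


if __name__ == "__main__":
    # Constructed sample: the super user runs two of the business's three accounts.
    SUPER_USER = {"acct-london", "acct-leeds"}
    EXISTING_USERS = {
        "alice@example.com": {"acct-london"},   # shares an account: allowed
        "bob@example.com": {"acct-glasgow"},    # shares none: refused
    }
    for email, accounts in EXISTING_USERS.items():
        print(email, first_sso_sign_in(accounts, SUPER_USER))
    print("new user:", first_sso_sign_in(set(), SUPER_USER))
    print("add the super user to:", accounts_super_user_is_missing(EXISTING_USERS, SUPER_USER))
```

Running it shows that the user on the account the super user cannot see is refused, and `accounts_super_user_is_missing` names exactly the account the super user needs to be added to before that user can be migrated.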
How to update the metafile
Certain Active Directories, such as MS Azure, will require you to update the metadata file in apps you've configured SSO for. For security reasons, the admin who originally configured SSO within Appointedd is the only user that can update the metadata file.
To change the SSO configuration, head to the SSO setup page in your Appointedd account by clicking on the profile icon, and then selecting Manage SSO. Under Edit SSO Configuration click Replace current file and upload the new XML file.
If you replace the existing metadata file with a new one, you won't be able to restore the original file.