Overview

Single sign-on (SSO) offers a simple and secure way for users to access Appointedd. With SSO enabled, users can sign in with their existing credentials without having to use Appointedd-specific ones. This not only gives users and organisations the control to choose their authentication method but also eliminates weak password use and reduces the need to remember many different email and password combinations.

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (such as MS Azure Active Directory) to pass sign-in credentials to service providers (such as Appointedd).

Appointedd now supports SAML SSO, which means any external user directory using the SAML 2.0 protocol can be configured to manage Appointedd users. Read more about how SAML authentication with MS Azure AD works here.

Please note: Appointedd fully supports MS Azure with documentation and testing as part of this solution. Team Appointedd will add other identity provider documentation based on demand and feedback.


Who can set up SSO for Appointedd?

Any administrator of your Appointedd account(s) can set up SSO. However, there are a few things to note before you jump into enabling SSO.

  1. The admin who configures SSO should also have access to all Appointedd accounts associated with your organization. You can do this by inviting this user to all relevant accounts under Setup > Manage users and permissions.

    Alternatively, get in touch with your dedicated Client Success Manager.

  2. Once SSO is configured, only that one admin who actioned this will be able to edit the configuration. As such, please ensure that if this person happens to leave, their credentials are transferred to someone else.

  3. Lastly, for security reasons, we'll automatically detect the domain of the logged-in user's email address, which we'll use for the SSO configuration. Therefore, the admin setting up SSO should be logged in using a company email address (the same company they are configuring SSO for).


How to set up SSO

Step 1: Log in to your Appointedd account, navigate to the profile icon in the top right of the screen, and select Manage SSO. This option is only available to Appointedd admins.

Step 2: You'll see here that the domain of the email address you're logged in with has been automatically detected.

In order to activate SSO for your Appointedd account, you will need to upload a SAML metadata file. This is automatically generated once you have completed the configuration for Appointedd within your identity provider.

The metadata file includes the necessary data to establish trust between Appointedd and your Active Directory. As such it is specific to each business.

Step 3: On the same page, you’ll also find the information you need to add to your Active Directory as well as your domain-specific login URL. You can find instructions on where to add this within MS Azure here.

Name: Reply URL, also called Assertion Consumer Endpoint
More info: This is the URL that the user directory calls to send the SAML response to our authentication system.
Value: https://login.services.appointedd.com/saml2/idpresponse

Name: Entity ID, or SP urn/Audience URI
More info: Some SAML providers require an Entity ID, which can be added to the Identifier field within your directory.
Value: urn:amazon:cognito:sp:eu-west-1_oLoLFzh3E

Name: Direct sign-in URL
More info: This is the URL that automatically starts the SSO flow for this SSO configuration.
Value: https://app.appointedd.com/loginv2?sso=<domain>

Step 4: Make sure to hit Save.

Step 5: Configure user access to your organisation's Appointedd account(s). You can do this by clicking on Customize user permission. Learn more here.

Step 6: Configure users' access to Appointedd within your Active Directory. Learn more about how to do this in MS Azure here - this is referred to as Attributes & Claims in the article.

Step 7: Send out communications internally to ensure everyone starts using SSO. Find more information on how to log in with SSO here. We recommend including this article in your email as well as the direct log-in link for your users to bookmark for easy access to Appointedd.

Please note: If you are migrating users from email and password authentication to SSO, the email and password method will work for these users until the first time they use SSO to log into Appointedd.
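The metadata file you upload in Step 2 is what establishes trust between Appointedd and your identity provider, so it is worth checking its structure before uploading it. The script below is an added example, not Appointedd's own code: it uses only the Python standard library to confirm that an exported SAML 2.0 IdP metadata file has an entity ID, advertises SAML 2.0, exposes an HTTPS single sign-on endpoint, and carries a base64-encoded signing certificate. The sample XML, its host name, entity ID and certificate are constructed placeholders.

```python
"""Structural checks on a SAML 2.0 identity-provider metadata file.

Added example (not Appointedd's code): run it against the XML exported from
your identity provider before uploading it, so that a truncated or wrong
file is caught locally.  It uses only the standard library.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def validate_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO endpoints, signing-cert count and a list of issues."""
    issues = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"entity_id": None, "sso_endpoints": {}, "signing_certs": 0,
                "issues": [f"not well-formed XML: {exc}"]}

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        issues.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        issues.append("missing entityID attribute")

    endpoints, signing_certs = {}, 0
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        issues.append("no IDPSSODescriptor: this is not identity-provider metadata")
    else:
        if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
            issues.append("IdP does not advertise SAML 2.0 support")
        for svc in idp.findall("md:SingleSignOnService", NS):
            binding, location = svc.get("Binding", ""), svc.get("Location", "")
            if not location.startswith("https://"):
                # Redirecting the browser to a plain-http IdP would expose the request.
                issues.append(f"SingleSignOnService {binding} is not https: {location}")
            endpoints[binding] = location
        if HTTP_REDIRECT not in endpoints and HTTP_POST not in endpoints:
            issues.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
                continue
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is None or not (cert.text or "").strip():
                issues.append("signing KeyDescriptor has no X509Certificate")
                continue
            try:
                base64.b64decode("".join(cert.text.split()), validate=True)
            except (binascii.Error, ValueError):
                issues.append("X509Certificate is not valid base64")
                continue
            signing_certs += 1
        if signing_certs == 0:
            # Without a signing key the service provider cannot verify any assertion.
            issues.append("no signing certificate in metadata")

    return {"entity_id": entity_id, "sso_endpoints": endpoints,
            "signing_certs": signing_certs, "issues": issues}


# Constructed sample metadata; the host, entity ID and certificate are placeholders.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_GOOD = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml2/sso"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/saml2/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Same file with the signing key removed and plain-http endpoints.
SAMPLE_BAD = (SAMPLE_GOOD.replace('use="signing"', 'use="encryption"')
              .replace("https://idp.example.com/saml2", "http://idp.example.com/saml2"))

if __name__ == "__main__":
    for name, xml in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, validate_idp_metadata(xml))
```

The checks are deliberately structural: they do not verify the certificate's validity period or chain, which your identity provider's own console reports. An empty issues list means the file is the right kind of document to upload; any entry means the export should be repeated before trust is established on it.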


Migrating users

When migrating users from email and password to SSO login, it is important to ensure that the SSO super user managing this has access to all Appointedd accounts associated with their business.

In most cases a managed user signing in for the first time will automatically be granted access to all organisations that are associated with the SSO super user. The only exception to this is when an existing user tries to log in using their SSO credentials for the first time and they are not a user of at least one Appointedd account that the SSO super user is also part of.

This is an intentional organisation check to cover a potential security risk where a bad actor could gain access to an existing user's Appointedd account using the SSO with SAML feature. It protects businesses with multiple Appointedd accounts, as there might be a scenario where the super user has access to a set of accounts and is trying to migrate a user on an account that the super user doesn't have access to.

The solution here is to ensure that the SSO super user has access to all Appointedd accounts associated with their business to effectively manage user access to all those accounts.
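The organisation check above can be modelled as a small decision function. The code below is an added example and not Appointedd's implementation: the account identifiers, the user directory shape and the case-insensitive email matching are assumptions, and the sample data is constructed. It shows the three outcomes the text describes (new user provisioned, existing user linked, existing user refused because no account is shared with the super user), plus the domain check from the setup notes.

```python
"""Model of the first-login organisation check for SSO-managed users.

Added example, not Appointedd's code.  Account ids, the directory layout and
case-insensitive email matching are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    accounts: frozenset   # accounts the user ends up with (empty if refused)
    reason: str


def resolve_sso_first_login(email, sso_domain, super_user_accounts, existing_users):
    """Decide what an email asserted by the IdP gets on its first SSO login.

    email               -- address asserted by the identity provider
    sso_domain          -- domain auto-detected from the configuring admin's email
    super_user_accounts -- account ids the SSO super user belongs to
    existing_users      -- {email: account ids} for users created before SSO
    """
    local, _, domain = email.rpartition("@")
    if not local or domain.lower() != sso_domain.lower():
        # Only identities from the configured domain may use this SSO setup.
        return Decision(False, frozenset(), "email domain does not match the SSO configuration")

    directory = {k.lower(): frozenset(v) for k, v in existing_users.items()}
    managed = frozenset(super_user_accounts)
    current = directory.get(email.lower())

    if current is None:
        # New managed user: inherits every account the super user manages.
        return Decision(True, managed, "new user provisioned")
    if not (current & managed):
        # Existing user on accounts the super user cannot see: refuse to link the
        # IdP identity, so an attacker's IdP account cannot take over that user.
        return Decision(False, frozenset(), "no Appointedd account in common with the SSO super user")
    return Decision(True, current | managed, "existing user linked and migrated")


# Constructed sample data.
SUPER_USER_ACCOUNTS = {"acct-london", "acct-edinburgh"}
EXISTING_USERS = {
    "alice@example.com": {"acct-london"},     # shares an account with the super user
    "bob@example.com": {"acct-glasgow"},      # super user has no access to this account
}

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", "carol@example.com", "mallory@attacker.example"):
        print(who, resolve_sso_first_login(who, "example.com", SUPER_USER_ACCOUNTS, EXISTING_USERS))
```

Bob's case is the one the article warns about: the fix is not to weaken the check but to give the super user access to acct-glasgow first, after which the same call returns an allowed decision.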


How to replace the metadata file

Certain Active Directories, such as MS Azure, will require you to update the metadata file in apps you've configured SSO for. For security reasons, the admin who originally configured SSO within Appointedd is the only user who can update the metadata file. The SSO configuration settings will not be visible to other Appointedd admin users.

To change the SSO configuration, head to the SSO setup page in your Appointedd account by clicking on the profile icon, and then selecting Manage SSO.

Here, under Edit SSO Configuration click Replace current file and upload the new XML file.

Please note: If you replace the existing metadata file with a new one, you won't be able to restore the original file.


A few things to note

  1. When you get your identity provider ready to be used with Appointedd, the only attribute you'll need is email.

  2. Once SSO is enabled, users will not be able to edit their email and password details. The Edit your account details page will be locked.

  3. The Manage users and permissions page will remain visible for admins within the Appointedd accounts of your organisation. This page will only show user access to the particular Appointedd account you're logged into - please use the Manage SSO page to manage SSO user permissions to all related Appointedd accounts.

  4. In the unlikely scenario that you need to disconnect your Active Directory from Appointedd, or disable SSO altogether, please get in touch with our support team via the in-app messenger.

  5. If you need to edit the domain of your existing SSO configuration, please get in touch with our support team.

