AlexisHR

Click <a href="https://help.alexishr.com/en/articles/5278006-google-workspace-sso" rel="nofollow noopener noreferrer" target="_blank">here</a> for instructions for Google Workspace, <a href="https://help.alexishr.com/en/articles/5568833-alexishr-azure-marketplace-app" rel="nofollow noopener noreferrer" target="_blank">here</a> for the Microsoft Azure AD app and go <a href="http://help.alexishr.com/en/articles/5265170-alexishr-s-okta-app-saml-scim-configuration-guide-for-okta">here</a> for AlexisHR's Okta app. If you need any assistance, please book a meeting with your Customer Success or write us in the chat.

You need to be an Owner in AlexisHR to enable SSO

Make sure your account plan allows you to use SSO

- You need to be an Owner in AlexisHR to enable SSO
- Make sure your account plan allows you to use SSO

- IdP-initiated SSO
- SP-initiated SSO (See note)

Note: By default and when following the instructions below IdP-initiated SSO is enabled in AlexisHR. To enable SP-initiated SSO, follow the below set steps and then contact your Customer Success or write us in the chat.

Procedure - How to set up SSO via SAML 2.0

You will have to locate this information in your specific identity provider (IdP).

SSO URL: URL at the IdP to which SAML authentication requests should be sent. This is often called an SSO URL.

Logout URL*: URL at the IdP to which SAML logout requests should be sent. This is often called a logout URL, a global logout URL, or a single logout URL (see note).

Public x509 certificate: Certificate needed to validate the signature of the authentication assertions that have been digitally signed by the IdP. There should be a place to download the signing certificate from the IdP. If the certificate is not in <code>.pem</code> or <code>.cer</code> format, you should convert it to one of these formats. *This feature is currently not fully implemented in AlexisHR but is still a required field due to limitations in our 3rd party vendor (Auth0).

Go to <a href="https://app.alexishr.com/settings/authentication/saml-sso" rel="nofollow noopener noreferrer" target="_blank">Settings -&gt; SAML Single sign-on</a> and enter the information

You will receive the following information:

- SSO URL: URL at the IdP to which SAML authentication requests should be sent. This is often called an SSO URL.
- Logout URL*: URL at the IdP to which SAML logout requests should be sent. This is often called a logout URL, a global logout URL, or a single logout URL (see note).
- Public x509 certificate: Certificate needed to validate the signature of the authentication assertions that have been digitally signed by the IdP. There should be a place to download the signing certificate from the IdP. If the certificate is not in <code>.pem</code> or <code>.cer</code> format, you should convert it to one of these formats. *This feature is currently not fully implemented in AlexisHR but is still a required field due to limitations in our 3rd party vendor (Auth0).
 
 Go to <a href="https://app.alexishr.com/settings/authentication/saml-sso" rel="nofollow noopener noreferrer" target="_blank">Settings -&gt; SAML Single sign-on</a> and enter the information
 
 You will receive the following information:
- Audience URI
- Assertion Consumer Service URL (ACS URL)

Copy this information and add it to your IdP

Signed Response: Can be set to true (optional)

Name ID format: Email or Unspecified

Name ID: should be set where the users work email is stored

IdP Work Email attribute: should be mapped to email

- Signed Response: Can be set to true (optional)
- Name ID format: Email or Unspecified
- Name ID: should be set where the users work email is stored
- IdP Work Email attribute: should be mapped to email

Prerequisites

Supported Features

Procedure - How to set up SSO via SAML 2.0

Go to Settings -> SAML Single sign-on and enter the information

You will receive the following information:

Setting up SSO in your IdP