Authentication and SSO

Single Sign-On integration

Tallyfy includes free Single Sign-On (SSO) for all paid plans. Your team logs in with existing corporate credentials from Microsoft Entra ID, Google Workspace, Okta, OneLogin, JumpCloud, or any SAML 2.0 provider. Setup takes about 30 minutes.

You can also enforce SSO-only access - blocking email/password logins entirely.

SSO benefits

Benefit | What it means
Security | Apply your org’s existing security policies and MFA to Tallyfy
One login | Team members use their corporate username and password
Access control | Manage Tallyfy permissions from your identity provider
Auto-provisioning | New users get Tallyfy accounts on first SSO login
Consistent policies | Same password complexity and session rules across all systems
Less IT overhead | No more Tallyfy-specific password resets

SSO as replacement for e-signatures

SSO authentication creates audit trails that can replace e-signature tools for internal approvals.

Why skip traditional e-signatures for internal use?

  • Extra cost per signature/user
  • Separate system to manage
  • Workflow interruption - users leave Tallyfy, sign elsewhere, then return

SSO-based approvals give you:

  • No extra cost - included with paid Tallyfy plans
  • Identity verification - corporate SSO confirms the approver’s identity
  • Audit trail - every approval logged with timestamp and user identity
  • No context switching - approvers complete tasks without leaving Tallyfy
  • Legal compliance - meets requirements for internal corporate approvals in most jurisdictions

Common use cases: purchase orders, policy acknowledgments, budget authorizations, project sign-offs, compliance confirmations, HR approvals.

Enforcing SSO-only access

Tallyfy can lock down your org so SSO is the only login method. When sso_auth_only is enabled:

  • Email and password logins are disabled org-wide
  • Manual member invites are blocked - all users must come through your identity provider
  • Non-SSO login attempts redirect to your SAML login page

For security details, see Compliance documentation on Mandatory Single Sign-On.

To enable SSO-only mode, contact Tallyfy support.

SSO authentication flow

Here’s what happens when someone logs in via SSO:

  1. User visits your org’s Tallyfy login link
  2. Tallyfy redirects to your identity provider (Entra ID, Google, etc.)
  3. User authenticates with corporate credentials and MFA
  4. Identity provider sends a SAML assertion back to Tallyfy
  5. First-time users get accounts created automatically from identity provider data (email, first name, last name)

Supported identity providers

Microsoft Entra ID (formerly Azure Active Directory)

Cloud identity and access management with conditional access and MFA.

Azure AD Setup Guide →

Google Workspace (formerly G Suite)

Identity platform for businesses using Gmail, Drive, and other Google tools.

Google Workspace Setup Guide →

Okta

Cloud-based identity service for enterprise SSO.

Okta Setup Guide →

OneLogin

Identity and access management with SSO capabilities.

OneLogin Setup Guide →

JumpCloud

Cloud directory platform with SAML-based SSO.

JumpCloud Setup Guide →

Other SAML 2.0 providers

Any SAML 2.0-compatible identity provider works. Contact support to verify compatibility.

Requirements for SSO setup

  • Admin access in both Tallyfy and your identity provider
  • Metadata exchange - URLs, certificates, and entity IDs between systems
  • Attribute mapping - email, first name, and last name fields from your identity provider to Tallyfy
  • Testing - verify with different user types before rolling out org-wide
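
A pre-rollout check for the attribute mapping and testing requirements above, as an added example that is not Tallyfy code: it reads a captured SAML response from a test login and reports anything that would break account creation on first SSO login. The attribute names `email`, `firstName` and `lastName` and the sample responses are assumptions; use the names from your provider's setup guide. It checks only the mapping, not the signature or validity conditions.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Assumed attribute names; use the ones from your provider's setup guide.
REQUIRED = ("email", "firstName", "lastName")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_provisioning_attributes(xml_text, required=REQUIRED, email_attr="email"):
    """Return the problems that would break account creation on first SSO login."""
    # SAML messages never need a DTD; refuse one instead of parsing it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["document declares a DTD; refusing to parse"]
    root = ET.fromstring(xml_text)
    assertions = list(root.iter("{%s}Assertion" % SAML))
    if len(assertions) != 1:
        return ["expected exactly one assertion, found %d" % len(assertions)]
    values = {}
    for attr in assertions[0].iterfind("saml:AttributeStatement/saml:Attribute", NS):
        found = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values.setdefault(attr.get("Name"), []).extend(found)
    problems = []
    for name in required:
        found = values.get(name, [])
        if not found or not found[0]:
            problems.append("%s: missing or empty" % name)
        elif len(found) > 1:
            problems.append("%s: %d values, mapping is ambiguous" % (name, len(found)))
        elif name == email_attr and not EMAIL_RE.match(found[0]):
            problems.append("%s: %r is not an email address" % (name, found[0]))
    return problems

def sample_response(attrs):
    """Build a constructed, unsigned SAML Response from (name, value) pairs."""
    items = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % pair for pair in attrs)
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="%s"><saml:Assertion><saml:AttributeStatement>%s'
            "</saml:AttributeStatement></saml:Assertion></samlp:Response>" % (SAML, items))

if __name__ == "__main__":
    good = sample_response([("email", "pat@example.com"), ("firstName", "Pat"),
                            ("lastName", "Lee")])
    # Constructed failure: IdP sends a bare username and omits lastName.
    bad = sample_response([("email", "plee"), ("firstName", "Pat")])
    print(check_provisioning_attributes(good))
    print(check_provisioning_attributes(bad))
```

Run it against one captured response per user type you plan to test; an empty list means all three fields arrived exactly once and the email value is well formed.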

Getting started

  1. Pick the setup guide for your identity provider above
  2. Contact Tallyfy support or your account manager
  3. Your IT team configures the identity provider side
  4. Test with users from different departments and roles
  5. Tell your team about the new login process

Troubleshooting authentication issues

Authentication loops

If you’re stuck in a login loop or can’t get past the login screen, visit https://account.tallyfy.com/logout to clear all sessions. Then clear your browser cookies for tallyfy.com, wait 10-15 seconds, and log in again.

For more details, see the authentication loop resolution guide.

Common SSO issues

Issue | Solution
Login loops with SSO | Visit https://account.tallyfy.com/logout, then re-authenticate
Can’t switch orgs | Force logout and clear cookies for all tallyfy.com domains
SSO and password login conflict | Clear all sessions via the logout URL before switching methods
“Need admin approval” message | Your IT admin must approve Tallyfy in the identity provider settings
