Skip to content

Authentication and SSO

Administrators only

Tallyfy includes free Single Sign-On (SSO) on any paid plan, and you set it up yourself. An org admin configures the connection, tests it, and turns it on from Settings > Organization > Security > SSO. No support ticket needed. Your team then logs in with existing corporate credentials from Microsoft Entra ID, Google Workspace, Okta, OneLogin, JumpCloud, or any SAML 2.0 provider. Most admins finish in about 30 minutes.

There’s more than just login. You can verify your email domain by DNS so new users auto-join the right org, sync your whole directory with SCIM so people are added and removed automatically, and enforce SSO-only access that blocks email and password logins. Owners and admins always keep a password fallback, so a broken identity provider can’t lock you out.

Everything lives in one place. Sign in as an administrator, open Settings > Organization > Security, and you’ll find tabs for SSO, Domains, SCIM, and the security Activity log. Each tab is covered in its own guide below.

BenefitWhat it means
SecurityApply your company’s existing security rules and MFA (an extra login check beyond a password) to Tallyfy
One loginTeam members use their corporate username and password
Access controlManage Tallyfy permissions from your identity provider
Auto-provisioningNew users get Tallyfy accounts on first SSO login (once your domain is verified)
Directory syncSCIM adds, updates, and deactivates users automatically from your IdP
Consistent policiesSame password complexity and session rules across all systems
Less IT overheadNo more Tallyfy-specific password resets

The SSO wizard walks you through it in four steps. You don’t need to write any XML by hand.

  1. Pick your identity provider. Choose Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, generic SAML, or generic OIDC. Tallyfy shows you the exact SP values to copy into your IdP (the ACS URL and entity ID).
  2. Enter your IdP details. Use one of the three methods below.
  3. Test the connection. Tallyfy validates your metadata and certificate before it lets you go live, so you catch problems early instead of during a real login.
  4. Turn it on. Once the test passes, enable the connection. Your team can sign in through SSO right away.

Pick the per-IdP guide further down for screenshots and the exact field names in your provider.

Three ways to connect your identity provider

Section titled “Three ways to connect your identity provider”

When you reach the “enter IdP details” step, Tallyfy gives you three ways to hand over your provider’s SAML metadata. They all end up in the same place, so use whichever your IdP makes easiest.

MethodWhen to use itWhat you paste
Metadata URLYour IdP publishes a metadata link (most do). The easiest option.The URL. Tallyfy fetches and parses it for you.
XML pasteYour IdP gives you a metadata file to download.The full metadata XML, pasted into the box.
Manual entryYou’d rather type the values, or your IdP doesn’t export metadata.The sign-in URL, issuer/entity ID, and signing certificate.

With the metadata URL method, Tallyfy can re-read your IdP’s metadata later, which helps when your provider rotates its signing certificate.

Before SSO can auto-join new people or be enforced org-wide, you prove you own your email domain. You do this by adding a DNS TXT record. A verified domain is the safety check that stops a stranger, whose own IdP happens to assert an @yourcompany.com address, from being auto-added to your org.

Domain verification is its own short setup. See Domain verification for the steps and what each verified domain turns on.

SCIM connects Tallyfy to your identity provider’s directory so user accounts stay in sync without anyone clicking around. When someone joins a group in your IdP, they get a Tallyfy account. When they leave, their Tallyfy access is removed and the seat frees up. No more paying for ex-employees.

Turn it on under Settings > Organization > Security > SCIM. See SCIM provisioning for how to generate the token and map IdP groups to Tallyfy roles.

SSO authentication creates audit trails that can replace e-signature tools for internal approvals.

Why skip traditional e-signatures for internal use?

  • Extra cost per signature/user
  • Separate system to manage
  • Workflow interruption - users leave Tallyfy, sign elsewhere, then return

SSO-based approvals give you:

  • No extra cost - included with paid Tallyfy plans
  • Identity verification - corporate SSO confirms the approver’s identity
  • Audit trail - every approval logged with timestamp and user identity
  • No context switching - approvers complete tasks without leaving Tallyfy
  • Legal compliance - meets requirements for internal corporate approvals in most jurisdictions

Common use cases: purchase orders, policy acknowledgments, budget authorizations, project sign-offs, compliance confirmations, HR approvals.

You can lock your org down so SSO is the only way most people log in. Flip the Require SSO switch under Settings > Organization > Security > SSO. When enforcement is on:

  • Email and password logins are turned off for regular members
  • Manual member invites are blocked, so all users come through your identity provider
  • Non-SSO login attempts redirect to your SAML login page

The switch stays disabled until you have a verified domain, because that’s what makes enforcement safe. Turning it on asks you to re-enter your password (a step-up check) and emails every org admin so changes are never silent.

The break-glass guarantee: org owners and admins keep their password login even under enforcement. If your identity provider goes down or a misconfiguration breaks SSO, an admin can still sign in with a password and fix it. You can’t accidentally lock your whole org out.

For the full enforcement walk-through and recovery steps, see SSO enforcement and break-glass. For security background, see the Compliance documentation on Mandatory Single Sign-On.

Here’s what happens when someone logs in via SSO:

  1. User visits your org’s Tallyfy login link
  2. Tallyfy redirects to your identity provider (Entra ID, Google, etc.)
  3. User authenticates with corporate credentials and MFA
  4. Identity provider sends a SAML assertion back to Tallyfy
  5. Existing users are matched and logged in. First-time users from a verified domain get an account created automatically from identity provider data (email, first name, last name) when auto-join is on
SSO authentication flow diagram

Microsoft Entra ID (formerly Azure Active Directory)

Section titled “Microsoft Entra ID (formerly Azure Active Directory)”

Cloud identity and access management with conditional access and MFA.

Azure AD Setup Guide →

Identity platform for businesses using Gmail, Drive, and other Google tools.

Google Workspace Setup Guide →

Cloud-based identity service for enterprise SSO.

Okta Setup Guide →

Identity and access management with SSO capabilities.

OneLogin Setup Guide →

Cloud directory platform with SAML-based SSO.

JumpCloud Setup Guide →

Any SAML 2.0-compatible identity provider works. Pick the Generic SAML option in the wizard and use the metadata URL or XML paste method. OIDC providers work too via the Generic OIDC option. If your provider does something unusual, Tallyfy support can help you check compatibility.

  • A paid plan - SSO and SCIM are available on any active paid plan
  • Admin access in both Tallyfy and your identity provider
  • A verified domain if you want auto-join or SSO-only enforcement (login alone works without one)
  • Attribute mapping - email, first name, and last name fields from your identity provider to Tallyfy
  • Testing - the wizard’s built-in test, plus a check with different user types before rolling out org-wide
  1. Sign in as an administrator and open Settings > Organization > Security > SSO
  2. Pick the setup guide for your identity provider above and follow it alongside the wizard
  3. Configure the identity provider side, then paste your metadata into Tallyfy
  4. Run the connection test, then enable SSO
  5. (Optional) Verify your domain, turn on SCIM, and switch on enforcement
  6. Test with users from different departments and roles, then tell your team about the new login

If you’re stuck in a login loop or can’t get past the login screen, visit https://account.tallyfy.com/logout to clear all sessions. Then clear your browser cookies for tallyfy.com, wait 10-15 seconds, and log in again.

For more details, see the authentication loop resolution guide.

IssueSolution
Login loops with SSOVisit https://account.tallyfy.com/logout, then re-authenticate
Can’t switch orgsForce logout and clear cookies for all tallyfy.com domains
SSO and password login conflictClear all sessions via the logout URL before switching methods
”Need admin approval” messageYour IT admin must approve Tallyfy in the identity provider settings