Authentication > Integrate Microsoft Entra ID SSO
Authentication and SSO
Single Sign-On integration
Section titled “Single Sign-On integration”Tallyfy includes free Single Sign-On (SSO) on any paid plan, and you set it up yourself. An org admin configures the connection, tests it, and turns it on from Settings > Organization > Security > SSO. No support ticket needed. Your team then logs in with existing corporate credentials from Microsoft Entra ID, Google Workspace, Okta, OneLogin, JumpCloud, or any SAML 2.0 provider. Most admins finish in about 30 minutes.
There’s more than just login. You can verify your email domain by DNS so new users auto-join the right org, sync your whole directory with SCIM so people are added and removed automatically, and enforce SSO-only access that blocks email and password logins. Owners and admins always keep a password fallback, so a broken identity provider can’t lock you out.
Where to set it up
Section titled “Where to set it up”Everything lives in one place. Sign in as an administrator, open Settings > Organization > Security, and you’ll find tabs for SSO, Domains, SCIM, and the security Activity log. Each tab is covered in its own guide below.
SSO benefits
Section titled “SSO benefits”| Benefit | What it means |
|---|---|
| Security | Apply your company’s existing security rules and MFA (an extra login check beyond a password) to Tallyfy |
| One login | Team members use their corporate username and password |
| Access control | Manage Tallyfy permissions from your identity provider |
| Auto-provisioning | New users get Tallyfy accounts on first SSO login (once your domain is verified) |
| Directory sync | SCIM adds, updates, and deactivates users automatically from your IdP |
| Consistent policies | Same password complexity and session rules across all systems |
| Less IT overhead | No more Tallyfy-specific password resets |
Set up SSO yourself
Section titled “Set up SSO yourself”The SSO wizard walks you through it in four steps. You don’t need to write any XML by hand.
- Pick your identity provider. Choose Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, generic SAML, or generic OIDC. Tallyfy shows you the exact SP values to copy into your IdP (the ACS URL and entity ID).
- Enter your IdP details. Use one of the three methods below.
- Test the connection. Tallyfy validates your metadata and certificate before it lets you go live, so you catch problems early instead of during a real login.
- Turn it on. Once the test passes, enable the connection. Your team can sign in through SSO right away.
Pick the per-IdP guide further down for screenshots and the exact field names in your provider.
Three ways to connect your identity provider
Section titled “Three ways to connect your identity provider”When you reach the “enter IdP details” step, Tallyfy gives you three ways to hand over your provider’s SAML metadata. They all end up in the same place, so use whichever your IdP makes easiest.
| Method | When to use it | What you paste |
|---|---|---|
| Metadata URL | Your IdP publishes a metadata link (most do). The easiest option. | The URL. Tallyfy fetches and parses it for you. |
| XML paste | Your IdP gives you a metadata file to download. | The full metadata XML, pasted into the box. |
| Manual entry | You’d rather type the values, or your IdP doesn’t export metadata. | The sign-in URL, issuer/entity ID, and signing certificate. |
With the metadata URL method, Tallyfy can re-read your IdP’s metadata later, which helps when your provider rotates its signing certificate.
Verify your domain first
Section titled “Verify your domain first”Before SSO can auto-join new people or be enforced org-wide, you prove you own your email domain. You do this by adding a DNS TXT record. A verified domain is the safety check that stops a stranger, whose own IdP happens to assert an @yourcompany.com address, from being auto-added to your org.
Domain verification is its own short setup. See Domain verification for the steps and what each verified domain turns on.
Sync users automatically with SCIM
Section titled “Sync users automatically with SCIM”SCIM connects Tallyfy to your identity provider’s directory so user accounts stay in sync without anyone clicking around. When someone joins a group in your IdP, they get a Tallyfy account. When they leave, their Tallyfy access is removed and the seat frees up. No more paying for ex-employees.
Turn it on under Settings > Organization > Security > SCIM. See SCIM provisioning for how to generate the token and map IdP groups to Tallyfy roles.
SSO as replacement for e-signatures
Section titled “SSO as replacement for e-signatures”SSO authentication creates audit trails that can replace e-signature tools for internal approvals.
Why skip traditional e-signatures for internal use?
- Extra cost per signature/user
- Separate system to manage
- Workflow interruption - users leave Tallyfy, sign elsewhere, then return
SSO-based approvals give you:
- No extra cost - included with paid Tallyfy plans
- Identity verification - corporate SSO confirms the approver’s identity
- Audit trail - every approval logged with timestamp and user identity
- No context switching - approvers complete tasks without leaving Tallyfy
- Legal compliance - meets requirements for internal corporate approvals in most jurisdictions
Common use cases: purchase orders, policy acknowledgments, budget authorizations, project sign-offs, compliance confirmations, HR approvals.
Enforcing SSO-only access
Section titled “Enforcing SSO-only access”You can lock your org down so SSO is the only way most people log in. Flip the Require SSO switch under Settings > Organization > Security > SSO. When enforcement is on:
- Email and password logins are turned off for regular members
- Manual member invites are blocked, so all users come through your identity provider
- Non-SSO login attempts redirect to your SAML login page
The switch stays disabled until you have a verified domain, because that’s what makes enforcement safe. Turning it on asks you to re-enter your password (a step-up check) and emails every org admin so changes are never silent.
The break-glass guarantee: org owners and admins keep their password login even under enforcement. If your identity provider goes down or a misconfiguration breaks SSO, an admin can still sign in with a password and fix it. You can’t accidentally lock your whole org out.
For the full enforcement walk-through and recovery steps, see SSO enforcement and break-glass. For security background, see the Compliance documentation on Mandatory Single Sign-On.
SSO authentication flow
Section titled “SSO authentication flow”Here’s what happens when someone logs in via SSO:
- User visits your org’s Tallyfy login link
- Tallyfy redirects to your identity provider (Entra ID, Google, etc.)
- User authenticates with corporate credentials and MFA
- Identity provider sends a SAML assertion back to Tallyfy
- Existing users are matched and logged in. First-time users from a verified domain get an account created automatically from identity provider data (email, first name, last name) when auto-join is on

Supported identity providers
Section titled “Supported identity providers”Microsoft Entra ID (formerly Azure Active Directory)
Section titled “Microsoft Entra ID (formerly Azure Active Directory)”Cloud identity and access management with conditional access and MFA.
Google Workspace (formerly G Suite)
Section titled “Google Workspace (formerly G Suite)”Identity platform for businesses using Gmail, Drive, and other Google tools.
Google Workspace Setup Guide →
Cloud-based identity service for enterprise SSO.
OneLogin
Section titled “OneLogin”Identity and access management with SSO capabilities.
JumpCloud
Section titled “JumpCloud”Cloud directory platform with SAML-based SSO.
Other SAML 2.0 providers
Section titled “Other SAML 2.0 providers”Any SAML 2.0-compatible identity provider works. Pick the Generic SAML option in the wizard and use the metadata URL or XML paste method. OIDC providers work too via the Generic OIDC option. If your provider does something unusual, Tallyfy support can help you check compatibility.
Requirements for SSO setup
Section titled “Requirements for SSO setup”- A paid plan - SSO and SCIM are available on any active paid plan
- Admin access in both Tallyfy and your identity provider
- A verified domain if you want auto-join or SSO-only enforcement (login alone works without one)
- Attribute mapping - email, first name, and last name fields from your identity provider to Tallyfy
- Testing - the wizard’s built-in test, plus a check with different user types before rolling out org-wide
Getting started
Section titled “Getting started”- Sign in as an administrator and open Settings > Organization > Security > SSO
- Pick the setup guide for your identity provider above and follow it alongside the wizard
- Configure the identity provider side, then paste your metadata into Tallyfy
- Run the connection test, then enable SSO
- (Optional) Verify your domain, turn on SCIM, and switch on enforcement
- Test with users from different departments and roles, then tell your team about the new login
Troubleshooting authentication issues
Section titled “Troubleshooting authentication issues”Authentication loops
Section titled “Authentication loops”If you’re stuck in a login loop or can’t get past the login screen, visit https://account.tallyfy.com/logout ↗ to clear all sessions. Then clear your browser cookies for tallyfy.com, wait 10-15 seconds, and log in again.
For more details, see the authentication loop resolution guide.
Common SSO issues
Section titled “Common SSO issues”| Issue | Solution |
|---|---|
| Login loops with SSO | Visit https://account.tallyfy.com/logout ↗, then re-authenticate |
| Can’t switch orgs | Force logout and clear cookies for all tallyfy.com domains |
| SSO and password login conflict | Clear all sessions via the logout URL before switching methods |
| ”Need admin approval” message | Your IT admin must approve Tallyfy in the identity provider settings |
- Domain verification
- Integrate Google Workspace
- Integrate JumpCloud SSO
- Integrate Microsoft Entra ID SSO
- Integrate Okta SSO
- Integrate OneLogin SSO
- SCIM provisioning
- SSO enforcement and break-glass
Related articles
Section titled “Related articles”Authentication > Integrate Okta SSO
Authentication > SSO enforcement and break-glass
Authentication > Integrate OneLogin SSO
Was this helpful?
- 2026 Tallyfy, Inc.
- Privacy Policy
- Terms of Use
- Report Issue
- Trademarks