Set up Single Sign-On (SSO) for secure authentication

Make logging in simple and secure for your team

Written by Support Team
Updated over a week ago

Intro

Ledgy’s SAML-based Single Sign-On (SSO) feature allows your users to log in through your identity provider (IdP). This makes logging in simple and secure for your team. Ledgy also supports SCIM.

Note: SSO is only available to customers on the Enterprise plan.


Identity providers we support

Ledgy’s SSO integration has been successfully tested with Okta, Azure AD, Google, OneLogin, and JumpCloud. Other identity providers should also work but aren’t explicitly supported. If you have any issues or requests, please reach out to [email protected]


How SSO is enforced at Ledgy

Ledgy uses SAML 2.0 and supports both Service Provider (SP) and Identity Provider (IdP) initiated flows.

Once SSO is configured and enabled:

  • SSO is enforced for any user whose stakeholder record has an email address on your SSO corporate domain. Stakeholders whose email is on a different domain are not enforced, so external collaborators (such as investors) keep their existing login.

  • SSO is enforced for all stakeholders matching your domain and cannot be limited to collaborators at this time.

  • Other login methods such as email and password are disabled when SSO is enforced.

  • When SSO is enabled, new users must accept their invitation using the SSO-enforced stakeholder email. Users cannot change certain details such as email, name, and address (these can be synced with the identity provider using SCIM).

  • We can manually add users to an “Allow” or “Exclude” list that limits SSO enforcement for testing purposes. Talk to your CX manager if you want to do this.

  • A user whose login email differs from the SSO-enforced stakeholder email is not SSO-enforced. Because SSO-enforced users cannot change their email, this can only happen if the email was changed before SSO was enabled.

  • When SSO is enabled, Ledgy’s native 2FA feature will not be used. If you want to enforce 2FA you can do so through your identity provider.

  • Ledgy can support multiple SSO domains if you need them.
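The rules above have a few edge cases worth seeing in one place: external collaborators on other domains stay on password login, a pre-enablement email change escapes enforcement, and enforced users lose Ledgy's native 2FA. The following is an added illustration written for this article, not Ledgy's code. It assumes, because the page does not say, that domains are compared case-insensitively and must match exactly (a subdomain does not match), that the "Allow" list means "enforce only these addresses" (a pilot group) and that the "Exclude" list means "never enforce these addresses".

```python
"""Model of the SSO enforcement rules listed above.

Added illustration, not Ledgy's code. Assumptions not stated on the page:
domains are compared case-insensitively and must match exactly (a subdomain
such as mail.unicornco.com does not match unicornco.com); the "Allow" list
is read as "enforce only these addresses" (a pilot group) and the "Exclude"
list as "never enforce these addresses".
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SsoConfig:
    enabled: bool
    domains: frozenset[str]                      # several SSO domains are supported
    allow_list: frozenset[str] = frozenset()     # testing: enforce only these
    exclude_list: frozenset[str] = frozenset()   # testing: never enforce these


def email_domain(email: str) -> str:
    """Lowercase domain part of an address, or '' if it is malformed."""
    local, at, domain = email.strip().rpartition("@")
    return domain.lower() if at and local and domain else ""


def sso_enforced(stakeholder_email: str, cfg: SsoConfig) -> bool:
    """Must this stakeholder authenticate through the IdP?

    The decision is keyed on the *stakeholder* email. Because enforced users
    cannot edit their email, a non-matching address can only exist if it was
    changed before SSO was switched on, which is the gap the page describes.
    """
    if not cfg.enabled:
        return False
    addr = stakeholder_email.strip().lower()
    if addr in cfg.exclude_list:
        return False
    if cfg.allow_list:
        return addr in cfg.allow_list
    return email_domain(addr) in {d.lower() for d in cfg.domains}


def login_policy(stakeholder_email: str, cfg: SsoConfig) -> dict[str, object]:
    """Which login methods remain and where the second factor has to live.

    For enforced users, email/password login is disabled and Ledgy's native
    2FA is not used, so MFA must be enforced in the identity provider.
    """
    if sso_enforced(stakeholder_email, cfg):
        return {"methods": ("saml_sso",), "second_factor": "identity_provider"}
    return {"methods": ("email_password",), "second_factor": "ledgy_native_2fa"}


if __name__ == "__main__":
    cfg = SsoConfig(enabled=True, domains=frozenset({"unicornco.com", "unicorn.io"}))
    for who in ("alice@UnicornCo.com", "bob@unicorn.io", "investor@vcfund.example"):
        print(who, login_policy(who, cfg))
```

The point of `login_policy` is the last line of the table in your head: anyone the domain rule does not catch is still protected only by password plus Ledgy's own 2FA, so review the investor and advisor stakeholders before you switch SSO on.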


Getting started

If you’d like to use SSO please reach out to your CX manager, since the setup process cannot be completed by the company admin alone. You’ll first need to configure your identity provider (instructions below) and then pass the details to your CX manager to get everything fully configured on the Ledgy side.

Once configured, you can enable SSO in your Company Settings. Please note that affected users will receive an email notification telling them that SSO is now enforced.


Your organization slug

You’ll need to enter an <orgSlug> in the configuration steps below. We recommend simply using your company name in lowercase letters. For example, Unicorn Co. would translate to unicornco.


Azure AD guide

Ledgy is available as a pre-approved enterprise application in the Azure Active Directory (AAD) marketplace.

  1. Add the Ledgy application to your tenant and send us the resulting App Federation Metadata URL.

  2. Once we’ve configured your SSO integration on the Ledgy side, you can enable SSO in Company Settings.


Okta guide

  1. Go to your admin panel and select Applications:

  2. Click Create App Integration:

  3. Select SAML 2.0 and click Next:

  4. Enter “Ledgy” as the App name and click Next:

  5. Fill out the SAML Settings as follows, replacing <orgSlug> with your organizational slug:

    • Single sign-on URL: https://app.ledgy.com/auth/saml/<orgSlug>/acs

    • Audience URI (SP Entity ID): https://app.ledgy.com/auth/saml/<orgSlug>/metadata.xml

  6. Fill out the attribute statements as follows and click Next:

    • id: user.id

    • email: user.email

    • firstName: user.firstName

    • lastName: user.lastName

  7. Fill out the form as follows and click Finish:

  8. From the Sign On tab of your new Ledgy application, click on View IdP metadata, and send us the resulting XML file:

  9. From the Assignments tab of your new Ledgy application, assign whoever should have access to Ledgy via SAML SSO:

  10. Once we’ve configured your SSO integration on the Ledgy side, you can enable SSO in Company Settings.


Google guide

  1. From the Google Admin console, navigate to Apps > Web and mobile apps > Add app and then click Add custom SAML app:

  2. Enter “Ledgy” as the App name:

  3. Download the SSO metadata XML file and send it to us:

  4. Configure the Service provider details as follows:

    • ACS URL: https://app.ledgy.com/auth/saml/<orgSlug>/acs

    • Entity ID: https://app.ledgy.com/auth/saml/<orgSlug>/metadata.xml

    • Signed Response: true (we require both signed assertions and responses)

    • Name ID format: Email

    • Name ID: Primary Email

  5. Configure the standard Attribute Mapping as follows:

    • First name: firstName

    • Last name: lastName

    • Primary email: email

  6. On the next screen, click User access to assign whoever should have access to Ledgy via SAML SSO:

  7. Check ON for everyone and click Save:

  8. Once we’ve configured your SSO integration on the Ledgy side, you can enable SSO in Company Settings.


OneLogin guide

  1. Create a ‘SAML Custom Connector (Advanced)’ Application:

  2. Fill out the SAML Settings as follows, replacing <orgSlug> with your organizational slug:

    • Params:

      • ACS URL: https://app.ledgy.com/auth/saml/<orgSlug>/acs

      • ACS URL Validator: https://app.ledgy.com/auth/saml/<orgSlug>/acs

      • Audience URI (SP Entity ID): https://app.ledgy.com/auth/saml/<orgSlug>/metadata.xml

  3. Fill out the attribute statements as follows:

  4. Fill out the SSO section as follows:

  5. From the ‘More Actions’ dropdown of your new Ledgy application, click on ‘SAML metadata’, and send us the resulting XML file so we can configure your SSO on our side:


JumpCloud guide

  1. Fill out the Single Sign-On Configuration as follows, replacing <orgSlug> with your organizational slug:

    • Params:

      • IdP Entity ID: https://app.ledgy.com/auth/saml/<orgSlug>/metadata.xml

      • SP Entity ID: https://app.ledgy.com/auth/saml/<orgSlug>/metadata.xml

      • ACS URLs: https://app.ledgy.com/auth/saml/<orgSlug>/acs

      • ACS URL Validator: https://app.ledgy.com/auth/saml/<orgSlug>/acs

      • Signature Algorithm: RSA-SHA256

  2. Fill out the attribute statements as follows:

  3. Click on ‘Export Metadata’, and send us the resulting XML file so we can configure your SSO on our side:


Setting up with other providers

If you use a different identity provider, you should be able to follow a similar process of setting up a Ledgy app in your provider and sharing the resulting metadata XML file with us.
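Every guide above ends the same way: the Service Provider values are derived from your <orgSlug>, and you send Ledgy the IdP metadata XML. Before that hand-off it is worth checking the file yourself, since a metadata document with no signing certificate or with a plain-http SSO endpoint will not satisfy the "signed responses and assertions" requirement. The script below is an added example for this article, not Ledgy's tooling (Ledgy does its own validation). It derives the SP values from a slug and inspects an IdP metadata file for entityID, SingleSignOnService endpoints, advertised NameID formats and the SHA-256 fingerprint of each signing certificate. `SAMPLE_IDP_METADATA`, the host `idp.example.com` and the certificate blob are constructed for the example; the blob is base64 of a placeholder string, not a real X.509 certificate.

```python
"""Pre-flight check of the values exchanged during Ledgy SSO setup.

Added example, not Ledgy's tooling. (1) derives the Service Provider values
for an <orgSlug> as the guides list them; (2) inspects the IdP metadata XML
you are about to send. SAMPLE_IDP_METADATA is constructed for the example;
its certificate is base64("placeholder-cert"), not a real certificate.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SLUG_RE = re.compile(r"[a-z0-9]+")   # the page recommends the lowercase company name
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def sp_settings(org_slug: str) -> dict:
    """Values to paste into the IdP, exactly as the guides above list them."""
    if not SLUG_RE.fullmatch(org_slug):
        raise ValueError(f"orgSlug should be lowercase letters/digits, got {org_slug!r}")
    base = f"https://app.ledgy.com/auth/saml/{org_slug}"
    return {
        "acs_url": f"{base}/acs",              # Single sign-on URL / ACS URL
        "entity_id": f"{base}/metadata.xml",   # Audience URI / SP Entity ID
        "name_id_format": EMAIL_NAMEID,
        "attributes": ("id", "email", "firstName", "lastName"),
    }


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP facts Ledgy will be configured with and flag gaps."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = (sso.get("Binding") or "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
        endpoints[binding] = sso.get("Location", "")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))   # tolerate PEM-style line breaks
        fingerprints.append(hashlib.sha256(der).hexdigest())

    nameid_formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]

    problems = []
    if not fingerprints:
        problems.append("no signing certificate: signed responses/assertions cannot be verified")
    if not any(b in endpoints for b in ("HTTP-POST", "HTTP-Redirect")):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in endpoints.items():
        if not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location}")
    if nameid_formats and EMAIL_NAMEID not in nameid_formats:
        problems.append("emailAddress NameID format not advertised; check the IdP's Name ID setting")

    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "signing_cert_sha256": fingerprints,
        "nameid_formats": nameid_formats,
        "problems": problems,
    }


# Constructed sample; the certificate is base64("placeholder-cert"), not a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/unicornco">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>cGxhY2Vob2xkZXItY2VydA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    print(sp_settings("unicornco"))
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA))
```

Run it against the real export from Okta, Google, OneLogin or JumpCloud instead of the sample. The certificate fingerprint is the value to compare, out of band, with what your CX manager reports having configured, so that a swapped or stale signing key is caught before the first login.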


OIDC support

In addition to SAML, Ledgy also supports OpenID Connect (OIDC), an alternative authentication protocol. When setting up the Ledgy app in your identity provider, choose OIDC instead of SAML.


Okta OIDC

  1. Go to your admin panel and select applications:

  2. Select Create App Integration:

  3. Select OIDC - OpenID Connect and Web Application and click Next:
