Skip to content

Improve clarity of AlexisHR SSO #1740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Improve clarity of AlexisHR SSO #1740

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7cacebb
Improve clarity of AlexisHR SSO
arrivant Sep 1, 2025
2e32f20
Modify email attribute source in AlexisHR tutorial
arrivant Sep 1, 2025
a564f91
Update alexishr-tutorial.md
arrivant Sep 1, 2025
e5967ff
Revise SSO configuration steps for AlexisHR
arrivant Sep 1, 2025
23c25e3
Adjust the naming of Configure AlexisHR SSO step
arrivant Sep 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 65 additions & 67 deletions docs/identity/saas-apps/alexishr-tutorial.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,15 @@ ms.reviewer: CelesteDG
ms.service: entra-id
ms.subservice: saas-apps
ms.topic: how-to
ms.date: 03/25/2025
ms.date: 09/01/2025
ms.author: gideonkiratu
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and AlexisHR so that I can control who has access to AlexisHR, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---

# Configure AlexisHR for Single sign-on with Microsoft Entra ID

In this article, you learn how to integrate AlexisHR with Microsoft Entra ID. When you integrate AlexisHR with Microsoft Entra ID, you can:
In this article, you learn how to integrate AlexisHR with Microsoft Entra ID. When you integrate AlexisHR with Microsoft Entra ID, you can:

* Control in Microsoft Entra ID who has access to AlexisHR.
* Enable your users to be automatically signed-in to AlexisHR with their Microsoft Entra accounts.
Expand All @@ -30,20 +30,21 @@ The scenario outlined in this article assumes that you already have the followin

## Scenario description

In this article, you configure and test Microsoft Entra SSO in a test environment.
In this article, you configure and test SAML SSO between Microsoft Entra ID and AlexisHR in a test environment.

* AlexisHR supports **IDP** initiated SSO.
* AlexisHR supports **IdP-initiated** SSO.
* You will first create a **basic (mock) SAML configuration** in Microsoft Entra ID to obtain the Login URL and certificate, then configure SSO in AlexisHR, and finally return to Microsoft Entra ID to update the Identifier and Reply URL with the real values from AlexisHR.

## Add AlexisHR from the gallery

To configure the integration of AlexisHR into Microsoft Entra ID, you need to add AlexisHR from the gallery to your list of managed SaaS apps.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps** > **New application**.
1. In the **Add from the gallery** section, type **AlexisHR** in the search box.
1. Select **AlexisHR** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
2. Browse to **Microsoft Entra ID** > **Enterprise applications** > **New application**.
3. In the **Add from the gallery** section, type **AlexisHR** in the search box.
4. Select **AlexisHR** from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

[!INCLUDE [sso-wizard.md](~/identity/saas-apps/includes/sso-wizard.md)]
[!INCLUDE [sso-wizard.md](~/identity/saas-apps/includes/sso-wizard.md)]

<a name='configure-and-test-azure-ad-sso-for-alexishr'></a>

Expand All @@ -53,96 +54,93 @@ Configure and test Microsoft Entra SSO with AlexisHR using a test user called **

To configure and test Microsoft Entra SSO with AlexisHR, perform the following steps:

1. **[Configure Microsoft Entra SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
1. **Create a Microsoft Entra test user** - to test Microsoft Entra single sign-on with B.Simon.
1. **Assign the Microsoft Entra test user** - to enable B.Simon to use Microsoft Entra single sign-on.
1. **[Configure AlexisHR SSO](#configure-alexishr-sso)** - to configure the single sign-on settings on application side.
1. **[Create AlexisHR test user](#create-alexishr-test-user)** - to have a counterpart of B.Simon in AlexisHR that's linked to the Microsoft Entra representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
1. **[Configure Microsoft Entra SSO](#configure-azure-ad-sso)** – to enable your users to use this feature.
2. **[Create and assign a Microsoft Entra test user](#create-an-azure-ad-test-user)** – to validate single sign-on.
3. **[Configure AlexisHR SSO](#configure-alexishr-sso)** – to configure single sign-on in AlexisHR.
4. **[Update Microsoft Entra SSO with real values](#update-azure-ad-sso)** – to replace the placeholder values with real ones.
5. **[Test SSO](#test-sso)** – to verify whether the configuration works.

<a name='configure-azure-ad-sso'></a>

## Configure Microsoft Entra SSO
## Configure Microsoft Entra SSO (initial mock setup)

Follow these steps to enable Microsoft Entra SSO.
Follow these steps to enable Microsoft Entra SSO with temporary values.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps** > **AlexisHR** > **Single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
2. Browse to **Microsoft Entra ID** > **Enterprise applications** > **AlexisHR** > **Single sign-on**.
3. On the **Select a single sign-on method** page, select **SAML**.
4. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

![Edit Basic SAML Configuration](common/edit-urls.png)

1. On the **Basic SAML Configuration** section, perform the following steps:
5. In the **Basic SAML Configuration** section, enter **placeholder values** for the first setup:
- **Identifier (Entity ID)**: `urn:auth0:alexishr:<YOUR_CONNECTION_NAME>`
- **Reply URL (Assertion Consumer Service URL)**: `https://auth.alexishr.com/login/callback?connection=<YOUR_CONNECTION_NAME>`

a. In the **Identifier** text box, type a value using the following pattern:
`urn:auth0:alexishr:<YOUR_CONNECTION_NAME>`
Example:
- Company: `acme`
- Date: `20250901`
- Identifier: `urn:auth0:alexishr:acme-20250901`
- Reply URL: `https://auth.alexishr.com/login/callback?connection=acme-20250901`

b. In the **Reply URL** text box, type a URL using the following pattern:
`https://auth.alexishr.com/login/callback?connection=<YOUR_CONNECTION_NAME>`
> [!NOTE]
> These values are placeholders only. After you configure AlexisHR SSO, you'll return to this page and replace them with the real **Audience URI** and **Assertion Consumer Service URL** values provided by AlexisHR.

> [!NOTE]
> These values aren't real. Update these values with the actual Identifier and Reply URL. Contact [AlexisHR Client support team](mailto:support@alexishr.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section.
6. In the **Attributes & Claims** section, set **Name ID format** to **Email address** and ensure the **Name ID** value is **user.email**.

1. AlexisHR application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
7. In the **SAML Signing Certificate** section, select **Certificate (Base64)** and **Download**. This file has *.cer extension and is PEM-encoded and will be needed later during the AlexisHR setup.

![image](common/default-attributes.png)
8. In the **Set up AlexisHR** section, copy the **Login URL** and **Logout URL** values. These values will also be needed in the AlexisHR setup.

1. In addition to above, AlexisHR application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre-populated but you can review them as per your requirements.

| Name | Source Attribute |
| ------------ | --------- |
| email | user.mail |

1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

![The Certificate download link](common/certificatebase64.png)

1. On the **Set up AlexisHR** section, copy the appropriate URL(s) based on your requirement.

![Copy configuration URLs](common/copy-configuration-urls.png)
> [!IMPORTANT]
> Testing will only work **after** you complete the AlexisHR setup and update the Identifier and Reply URL in Microsoft Entra ID with the real values.

<a name='create-an-azure-ad-test-user'></a>

[!INCLUDE [create-assign-users-sso.md](~/identity/saas-apps/includes/create-assign-users-sso.md)]

## Configure AlexisHR SSO

1. Log in to your AlexisHR company site as an administrator.

1. Go to **Settings** > **SAML Single sign-on** and select **New identity provider**.

1. In the **New identity provider** section, perform the following steps:

![Screenshot shows the Account Settings.](./media/alexishr-tutorial/account.png "Settings")
## Create and assign a Microsoft Entra test user

1. In the **Identity provider SSO URL** textbox, paste the **Login URL** value which you copied previously.

1. In the **Identity provider sign out URL** textbox, paste the **Logout URL** value which you copied previously.
[!INCLUDE [create-assign-users-sso.md](~/identity/saas-apps/includes/create-assign-users-sso.md)]

1. Open the downloaded **Certificate (Base64)** into Notepad and paste the content into the **Public x509 certificate** textbox.
<a name='configure-alexishr-sso'></a>

1. Select **Create identity provider**.
## Configure AlexisHR SSO

1. After creating identity provider, you receive the following information.
1. Log in to your AlexisHR company site as an Owner.
2. Go to **Settings** > **SAML Single sign-on** and select **New identity provider**.
3. In the **New identity provider** section:
- **Identity provider SSO URL**: paste the **Login URL** from Microsoft Entra ID.
- **Identity provider sign out URL**: paste the **Logout URL** from Microsoft Entra ID.
- **Public x509 certificate**: open the downloaded **Certificate (Base64)** file in a text editor and paste the **entire PEM content** (including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines) without modifying any line breaks.
4. Select **Create identity provider**.
5. After creating the identity provider, AlexisHR provides:
- **Audience URI**
- **Assertion Consumer Service URL**
These values will be used to update Microsoft Entra ID.

![Screenshot shows the SSO Settings.](./media/alexishr-tutorial/certificate.png "SSO configuration")
<a name='update-azure-ad-sso'></a>

1. Copy **Audience URI** value, paste this value into the **Identifier** text box in the **Basic SAML Configuration** section.
## Update Microsoft Entra SSO with real values

1. Copy **Assertion Consumer Service URL** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration** section.
1. Return to **Microsoft Entra admin center** > **Enterprise applications** > **AlexisHR** > **Single sign-on**.
2. Edit the **Basic SAML Configuration** section.
3. Replace the temporary placeholder values with:
- **Identifier (Entity ID)**: paste **Audience URI** from AlexisHR.
- **Reply URL (Assertion Consumer Service URL)**: paste **Assertion Consumer Service URL** from AlexisHR.
4. Save the changes.

### Create AlexisHR test user
<a name='create-alexishr-test-user'></a>

In this section, you create a user called Britta Simon in AlexisHR. Work with [AlexisHR support team](mailto:support@alexishr.com) to add the users in the AlexisHR platform. Users must be created and activated before you use single sign-on.
## Create AlexisHR test user

## Test SSO
1. Work with [AlexisHR support team](mailto:support@alexishr.com) to add a test user (for example, Britta Simon) in the AlexisHR platform.
2. Ensure the user is created and activated before testing single sign-on.

In this section, you test your Microsoft Entra single sign-on configuration with following options.
<a name='test-sso'></a>

* Select **Test this application**, and you should be automatically signed in to the AlexisHR for which you set up the SSO.
## Test SSO

* You can use Microsoft My Apps. When you select the AlexisHR tile in the My Apps, you should be automatically signed in to the AlexisHR for which you set up the SSO. For more information, see [Microsoft Entra My Apps](/azure/active-directory/manage-apps/end-user-experiences#azure-ad-my-apps).
1. In the **Microsoft Entra admin center**, go to the **AlexisHR** app and select **Test this application**. You should be automatically signed in to AlexisHR.
2. Alternatively, open [My Apps](https://myapps.microsoft.com), select the **AlexisHR** tile, and confirm that you are automatically signed in. For more information, see [Microsoft Entra My Apps](/azure/active-directory/manage-apps/end-user-experiences#azure-ad-my-apps).

## Related content

Expand Down