NOTE: Microsoft Azure AD has recently been renamed to Entra ID. All Hayylo Single Sign On functionality remains unchanged.
Hayylo supports Single Sign On (SSO) with Microsoft Azure Active Directory (Azure AD). With this feature, you can control your users' access to Hayylo, directly from your Active Directory, and your users can use their existing credentials.
Please follow the steps below to configure this feature.
1. Log in to your Azure portal (https://portal.azure.com/) and click on Azure Active Directory in the left menu. Then click on Enterprise applications.
2. Click on New application.
3. Click on Create your own application.
4. Name your SSO application (e.g. Hayylo SSO), select Integrate any other application you don't find in the gallery, and click on Create.
5. In your newly created application, click on Single sign-on.
6. Click on SAML.
7. In this next screen (Set up Single Sign-on with SAML), we will retrieve the Azure details we need for Hayylo, and enter the Hayylo details we need for Azure. Click on the Edit icon in the first section (Basic SAML Configuration).
8. Enter the following values and press Save.
   - Identifier (Entity ID): https://[your company subdomain].hayylo.com (set this value as the default)
   - Reply URL (Assertion Consumer Service URL): https://[your company subdomain].hayylo.com/user/sso/login
   - Sign on URL: https://[your company subdomain].hayylo.com/user/sso/login
   - Logout URL: https://[your company subdomain].hayylo.com/user/sso/logout
   Note: Hayylo support may provide different values for testing purposes.
9. Note the following values; you will need to provide these to Hayylo support, who will configure SSO in your account.
Login URL, Azure AD Identifier, Logout URL
Additionally, download the Certificate (Base64) file; you will also need to provide this to Hayylo support.
10. Lastly, you will need to provide access to users who you want to access Hayylo. Note: these users' Azure AD email address must match the email address of the user account in Hayylo. Click on Users and groups.
11. Click on Add user/group.
12. Click on None Selected, then find and select the users you want to add on the right. Then click Assign. Note: for each of these users, there must be a corresponding user in Hayylo with a matching email address.
13. Congratulations! You have now configured your Azure AD account to provide SSO for Hayylo! At this point, please provide the values and file collected in Step 9 to Hayylo support (support@hayylo.com) who will complete the account configuration for you.
Important Information:
- SSO is only supported for Hayylo web users; it is not currently available for users of the mobile apps.
- Hayylo does not create users in Azure AD, and Azure AD does not create users in Hayylo. Users must be created in each system separately and the account email address must match for SSO to work for the user.
- User types and groups are still managed in Hayylo.
- When SSO is switched on for your account, all web users in your Hayylo account must log in via SSO. Password authentication is not available when SSO is switched on.
- SSO can be switched off (and back on) by contacting Hayylo support.
- When a user signs out of Hayylo, they will also be signed out of all of their other logged-in applications in the current browser that use the same Azure AD account (such as Office 365 online).
- To ensure all Hayylo users are authenticated with Azure AD as soon as possible, you should ask all users to log out of Hayylo before SSO is turned on for your account.
- SSO is supported for the following Hayylo user types: Global Admin, Company Admin, Company Manager, Marketing User, Service User, Case Manager
- In some cases, the Azure account may be configured such that the following error is encountered on some Edge browsers: "Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'." In this case, Hayylo can configure the integration to omit the RequestedAuthnContext parameter, which typically solves the problem.
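
To confirm whether a sign-in request that triggers the error above actually carries RequestedAuthnContext, the following added example (not Hayylo's or Microsoft's code) decodes a SAMLRequest from a redirect URL captured in the browser's developer tools and reports what it asks for. It assumes the SAML HTTP-Redirect binding (Base64 plus raw DEFLATE); the IdP URL and the request itself are constructed samples.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in an HTTP-Redirect binding URL."""
    query = urllib.parse.urlparse(url).query
    values = urllib.parse.parse_qs(query).get("SAMLRequest")
    if not values:
        raise ValueError("URL has no SAMLRequest parameter")
    raw = base64.b64decode(values[0])
    return zlib.decompress(raw, -15).decode("utf-8")  # raw DEFLATE, no zlib header

def requested_authn_context(xml_text):
    """Return (comparison, [class refs]), or None when the element is omitted."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs  # SAML default is "exact"

def build_sample_url(with_context):
    """Constructed sample request sent to a placeholder IdP login URL."""
    ctx = (
        '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>"
    ) if with_context else ""
    xml_text = (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://[your company subdomain].hayylo.com</saml:Issuer>%s"
        "</samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], ctx)
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    param = urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")
    return "https://idp.example.invalid/saml2?SAMLRequest=" + param

if __name__ == "__main__":
    for flag in (True, False):
        url = build_sample_url(flag)
        print(flag, requested_authn_context(decode_redirect_request(url)))
```

A result of `("exact", [...PasswordProtectedTransport])` means the request demands password sign-in, which is the condition the error message describes; `None` means the parameter has been omitted.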
Certificate Expiration
Signing certificates will typically last for 3 years and must be replaced at this point. Your Microsoft administrator should receive a reminder email about this 1 month before the expiry date. To avoid any downtime with your Hayylo account, please plan for this replacement date and contact Hayylo support to organise for the new certificate to be applied to your account at a suitable time (e.g. outside of business hours).