For Azure AD SSO, you will need to create an Azure SAML application, configure that application, and configure Altruistiq SAML settings to work with that application.
Requirements
You must be an organisation Admin in the top level Business Unit of your organisation to use this feature.
Setup Guide
Part 1: Setting up SSO as the preferred login method in Altruistiq
Go to https://app.altruistiq.com/organization/settings (Organization settings)
Select Authentication from the side menu
Change the authentication to Azure SAML; the Azure SAML settings screen is then shown
Part 2: Creating an Azure SAML application
Go to the Azure AD home page (https://aad.portal.azure.com/)
Select “Enterprise Applications” from the side menu
Click on the “+ New Application” button and search for Azure AD SAML Toolkit
Enter the name of your new application, for example Altruistiq.
Once created, click on “Single sign-on” in the side menu
Select SAML
Click on “edit” in the “Basic SAML Configuration” section
In the side panel, enter the Identifier, the Reply URL (click on the blue link “Add reply URL”) and the Sign On Url as provided by Altruistiq under your organisation settings (the details from Part 1, Step 3)
Part 3: Configuring your Azure SAML application in Altruistiq
From the section “SAML Certificates”, download the Certificate (Base64) and copy the contents of that file into the Altruistiq Authentication settings (the page from Part 1, Step 3), in the "Certificate Form" field.
From the section “Set up Altruistiq”, copy the Login Url and paste it into the Altruistiq Authentication settings (the page from Part 1, Step 3), in the "Login Url" form field.
Finally, in the Azure AD application, go back to the “Overview” page, copy the Application ID, and paste it into the Altruistiq Authentication settings (the page from Part 1, Step 3), in the "Application ID" form field.
Click to save your settings in Altruistiq
Controlling Entitlement
By default Entitlement is controlled by Azure. You can configure Azure (your identity provider - IdP) or Altruistiq to control entitlement by selecting the additional setting below.
When you set up SSO with Altruistiq-controlled entitlement, here's what it means for your organisation:
How it works
Authentication happens through your identity provider (IdP)
Users log in using their company credentials (e.g., Microsoft, Okta)
Your IdP verifies who the user is
Access and permissions are managed in Altruistiq
We control who can access the platform
We manage user roles and permissions
Your admins invite users and assign roles within our platform
What this means for you
For admins
Invite users through the Altruistiq platform (not your IdP)
Manage all user roles and permissions in Settings > Manage users
Remove access by deactivating users in Altruistiq
Your IdP only handles the login process
For users
Log in with your company credentials
Access depends on being invited to Altruistiq by an admin
Your permissions are set by your Altruistiq admin
Key differences from IdP-controlled entitlement
Aspect | Altruistiq-controlled | IdP-controlled |
User provisioning | Manual through Altruistiq | Automatic from IdP |
Role assignment | In Altruistiq platform | Defaults to no access. Can be upgraded in Altruistiq. |
Access removal | Deactivate in Altruistiq | Remove from IdP group |
User management | Centralised in Altruistiq | Centralised in IdP |
Common questions on entitlement
Can users access Altruistiq just because they're in our IdP? No. Users must be explicitly invited by an Altruistiq admin, even if they can authenticate through your SSO.
What happens if we remove someone from our IdP? They can't log in anymore, but you should also deactivate them in Altruistiq to ensure proper access control.
Can we switch to IdP-controlled entitlement later? Yes. Contact your customer success manager to discuss migration options.
Disabling credentials login for Admin Users
Every Altruistiq SSO setup maintains a credentials login for Admins. This allows Admins to log into their Altruistiq account with their credentials to fix misconfigured SSO settings. To disable this workaround for increased security, select “Disable Altruistiq log in with credentials for admins” and save the settings.
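With Altruistiq-controlled entitlement, removing a user from the IdP does not deactivate their Altruistiq account, and admins keep a credentials login unless it is disabled. The following added example (not Altruistiq or Microsoft tooling) reconciles the two user lists; the CSV exports and their column names (email, role, status) are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a documented format.
IDP_ASSIGNED_CSV = """email
Alice@Example.com
bob@example.com
dave@example.com
"""

ALTRUISTIQ_USERS_CSV = """email,role,status
alice@example.com,Admin,active
bob@example.com,Editor,active
carol@example.com,Admin,active
erin@example.com,Viewer,active
frank@example.com,Viewer,deactivated
"""

def _rows(text):
    """Parse CSV text into dicts with stripped, lower-cased emails."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        email = (row.get("email") or "").strip().lower()
        if email:
            rows.append({**row, "email": email})
    return rows

def reconcile(idp_csv, altruistiq_csv):
    """Compare IdP app assignments with Altruistiq user accounts."""
    assigned = {r["email"] for r in _rows(idp_csv)}
    users = _rows(altruistiq_csv)
    active = [r for r in users if r.get("status", "").strip().lower() == "active"]
    known = {r["email"] for r in users}
    # Active in Altruistiq but no longer assigned in the IdP: deactivate.
    stale = [r for r in active if r["email"] not in assigned]
    # Admins first: they keep a credentials login unless that option is disabled.
    stale.sort(key=lambda r: (r.get("role", "").strip().lower() != "admin", r["email"]))
    # Assigned in the IdP but never invited: can authenticate, has no access.
    uninvited = sorted(assigned - known)
    return {
        "deactivate": [(r["email"], r.get("role", "").strip()) for r in stale],
        "not_invited": uninvited,
    }

if __name__ == "__main__":
    print(reconcile(IDP_ASSIGNED_CSV, ALTRUISTIQ_USERS_CSV))
```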