Single Sign On (SSO)
ScheduleLeave supports all major SSO providers, as long as they support the SAML2 protocol.
To have the SSO configuration enabled, please contact ScheduleLeave support on:
To set up SSO for Microsoft Azure AD, go into your Microsoft Entra page, then navigate to the Enterprise applications page and click on 'Add new application':
Not using Entra? Please contact ScheduleLeave support on:
Within Entra, you will then need to click on 'create your own application'.
Then provide a name and click 'Create' at the bottom.
Once created, you will see this screen where you will need to click on 'Set up single sign on':
Then select the SAML option:
Once selected, scroll down to the 'App federation metadata url' and click the clipboard copy icon to the right of the box.
Once this has been copied, go into ScheduleLeave, open the Admin > Company Settings page and click on 'Manage SSO':
Then paste the previously copied 'App federation metadata url' into the 'Metadata Url' box. You can also turn on 'Enable auto update of metadata', so that the metadata is updated for you automatically, which prevents future SSO login issues.
Within this page, there is also an 'Only allow sso logins' option, which prevents user/password logins from being possible. We would recommend this is enabled only after all the testing has been successful.
On this page, you can then see and copy the 'Company SSO login url' from the bottom and then navigate back to Entra.
Within the Entra 'Set up Single Sign-On with SAML' page you previously had open, click 'edit' on the section titled 'Basic SAML Configuration'. Set the 'Identifier (Entity ID)' to the URL just copied, and set the 'Reply URL (Assertion Consumer Service URL)' to the same URL with '/acs' added to the end:
The default attributes and claims should stay as default. They should look as follows:
To perform a test login, you will need to assign users/groups within the 'users and groups' section when editing the Entra application (added for ScheduleLeave). By default, no users will be able to log in via SSO to the newly created application:
You should now be able to perform a login by logging out of ScheduleLeave and pasting in the login URL from the SSO page:
Once this setup is complete, ensure all users have been added under users/groups within Entra who need access to ScheduleLeave.
You can also 'Allow SSO only logins' after it has been tested successfully, if you wish to block user/pass logins.
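A pre-flight check for the values exchanged in the steps above, as an added example (not ScheduleLeave or Microsoft code): it parses federation metadata for the entity ID, SSO endpoint and signing-certificate fingerprints, and confirms that the Identifier and Reply URL follow the login URL and '/acs' rule. The hosts, certificate bytes and function names are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample metadata: placeholder hosts and dummy certificate bytes.
DUMMY_CERT = b"constructed-dummy-cert"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/constructed-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(DUMMY_CERT).decode()}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/constructed-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the IdP entity ID, SSO endpoints and signing-certificate fingerprints."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs (entity-expansion tricks) before parsing
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if root.tag != f"{MD}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    prints = []
    for kd in idp.findall(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            for cert in kd.iter(f"{DS}X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                prints.append(hashlib.sha256(der).hexdigest())
    sso = [s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService")]
    if not prints or not sso or any(urlparse(u).scheme != "https" for u in sso):
        raise ValueError("missing signing certificate or https SSO endpoint")
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_sha256": prints}

def check_sp_settings(login_url, identifier, reply_url):
    """Compare the Entra 'Basic SAML Configuration' values with the copied login URL."""
    problems = []
    if identifier != login_url:  # compared here as exact strings, trailing slash included
        problems.append("Identifier (Entity ID) differs from the Company SSO login url")
    if reply_url != login_url + "/acs":
        problems.append("Reply URL is not the login url with '/acs' appended")
    if urlparse(reply_url).scheme != "https":  # added sanity check, not a step from this page
        problems.append("Reply URL is not https")
    return problems
```

Recording the signing fingerprints at setup time gives you a baseline to compare against if 'Enable auto update of metadata' later brings in a new certificate.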
If you get stuck along the way, please contact ScheduleLeave support on: