SSO
Interlynk supports SAML 2.0-based single sign-on (SSO) for centralized identity management. This allows users to authenticate through your organization's identity provider (IdP) instead of managing separate credentials.
Supported Identity Providers
Interlynk's SAML implementation is built on the OneLogin SAML toolkit and is compatible with any SAML 2.0 identity provider. The primary documented setup is for Azure Entra ID (formerly Azure Active Directory).
SAML Setup with Azure Entra ID
Prerequisites
An Azure Entra ID tenant with administrative access.
An Interlynk organization with Admin permissions.
The ability to create Enterprise Applications in Azure Entra ID.
Step 1: Create an Enterprise Application in Azure
Sign in to the Azure Entra ID portal.
Navigate to Enterprise Applications > New Application > Create your own application.
Name the application (e.g., "Interlynk SSO").
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Step 2: Configure SAML in Azure
In the application, navigate to Single sign-on > SAML.
Configure the Basic SAML Configuration:
Field | Value
Identifier (Entity ID) | Enter the value from the Interlynk SSO configuration modal
Reply URL (ACS URL) | Auto-generated in Interlynk: https://api.interlynk.io/auth/saml/callback?tenant=YOUR_TENANT
Sign on URL | (Optional) Your Interlynk dashboard URL
Configure Attributes & Claims (see attribute mapping table below).
Download the App Federation Metadata URL from the SAML Signing Certificate section.
Step 3: Configure SAML in Interlynk
Navigate to Settings > Organization > Integrations.
Click SSO.
Fill in the following fields:
Field | Description
Tenant | A unique identifier for your organization's SAML tenant (e.g., your domain name)
Identifier / Entity ID | The entity ID configured in Azure (must match exactly)
Reply URL / ACS URL | Auto-generated: https://api.interlynk.io/auth/saml/callback?tenant=YOUR_TENANT (read-only)
App Federation Metadata URL | The metadata URL from Azure Entra ID
Default User Role | The role assigned to users who authenticate via SSO for the first time
Click Save.
Step 4: Test SSO
After configuration, attempt to sign in using SSO.
You will be redirected to your Azure Entra ID login page.
After successful authentication, you will be redirected back to Interlynk.
Verify that the user's name, email, and role are populated correctly.
SAML Attribute Mapping
Interlynk requires the following attributes in the SAML assertion:
Claim URI | Name | Required | Description
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Name | Yes | User's full display name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |  | Yes | User's email address (used as the unique identifier)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First Name | Recommended | User's first name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Last Name | Recommended | User's last name
Azure Entra ID Default Claims
Azure Entra ID provides these attributes by default. Verify they are included in the Attributes & Claims section of your Enterprise Application:
Claim | Source Attribute
name | user.displayname
emailaddress | user.mail or user.userprincipalname
givenname | user.givenname
surname | user.surname
Auto-Registration
When a user authenticates via SSO for the first time and does not have an existing Interlynk account:
An Interlynk account is automatically created using the email and name from the SAML assertion.
The user is automatically associated with the organization linked to the SAML tenant.
The user is assigned the Default User Role configured in the SSO settings.
No separate invitation is required.
Auto-registration is enabled by default when SSO is configured.
Enforcing SSO
To enforce SSO as the only authentication method:
Configure and test SSO as described above.
Verify that all team members can successfully authenticate via SSO.
Contact Interlynk support to disable password-based login for your organization.
Before enforcing SSO, ensure at least one admin user has been verified through the SSO flow. If SSO is misconfigured after enforcement, admin users will be locked out.
Recovery Plan if Misconfigured
If SSO is misconfigured and users cannot sign in:
If password login is still enabled: Sign in with email and password, then correct the SAML configuration.
If SSO is enforced: Contact Interlynk support to temporarily disable SSO enforcement so you can reconfigure.
Common fixes:
Verify the Tenant value matches exactly between Azure and Interlynk.
Verify the Entity ID matches exactly.
Ensure the ACS URL is correctly configured in Azure.
Re-download and re-enter the App Federation Metadata URL if the certificate was rotated.
Security Best Practices
Use a restrictive default role: Set the default SSO user role to Viewer to follow least-privilege principles. Promote users to higher roles after onboarding.
Require MFA in your IdP: Interlynk defers authentication to your identity provider — enable MFA in Azure Entra ID for an additional security layer.
Audit SSO users: Periodically review the user list to ensure only authorized personnel have access.
Certificate rotation: When rotating SAML signing certificates in Azure, update the metadata URL or re-import the metadata in Interlynk.
Separate admin access: Maintain at least one admin user with password-based login as a break-glass account in case SSO fails.
Common Misconfigurations
Misconfiguration | Symptom | Fix
Tenant mismatch | SSO redirects but authentication fails | Ensure the tenant value in Interlynk matches the Azure configuration
Entity ID mismatch | SAML assertion rejected | Verify the Identifier/Entity ID is identical in both Azure and Interlynk
ACS URL wrong | Azure returns an error after authentication | The ACS URL is auto-generated — verify the tenant is correct
Missing email claim | User created without email | Ensure emailaddress claim is mapped in Azure Attributes & Claims
Certificate expired | SAML assertion signature validation fails | Rotate the certificate in Azure and update the metadata URL in Interlynk
Default role set to Admin | All new SSO users get admin access | Change the default SSO user role to Viewer
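The attribute mapping and the mismatch rows above can be checked against a decoded SAML assertion captured during the Step 4 test. The following is an added example, not Interlynk's code: it reports missing claims, an Audience that differs from the Entity ID, and a Recipient that differs from the ACS URL, and it does not verify the signature. The Entity ID `interlynk-sso`, the tenant `example.com` and the sample assertion are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ("name", "emailaddress")      # "Yes" in the attribute mapping
RECOMMENDED = ("givenname", "surname")   # "Recommended" in the attribute mapping

def check_assertion(xml_text, entity_id, acs_url):
    """Diagnostic only: list config problems visible in one decoded assertion."""
    root = ET.fromstring(xml_text)
    findings = []
    attrs = {}  # claim URI -> first non-empty value
    for a in root.iterfind(".//saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = next((v for v in vals if v), "")
    for level, names in (("required", REQUIRED), ("recommended", RECOMMENDED)):
        for short in names:
            if not attrs.get(CLAIMS + short):
                findings.append(f"missing {level} claim: {short}")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:  # Audience carries the SP Entity ID
        findings.append(f"entity ID mismatch: assertion audience is {audiences}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:   # Recipient carries the ACS URL, tenant included
        findings.append(f"ACS URL mismatch: assertion recipient is {recipients}")
    return findings

# Constructed sample: no emailaddress claim, Audience differs from the configured Entity ID
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://api.interlynk.io/auth/saml/callback?tenant=example.com"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>interlynk-sso-old</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    acs = "https://api.interlynk.io/auth/saml/callback?tenant=example.com"
    for finding in check_assertion(SAMPLE, "interlynk-sso", acs):
        print(finding)
```

An empty result means the claims, Entity ID and ACS URL line up; a clean result here says nothing about certificate validity, which the service provider checks separately.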