With SSO, you connect anny to your organization's identity system so that users can log in with their existing company credentials. This simplifies the login process, reduces manual user management, and creates a shared foundation for advanced features like Attribute Mapping. This article is aimed at admins and IT managers who want to decide which SSO components they need in anny and how they interact.
Who is this feature for?
SSO in anny is especially suited for organizations that want to centrally manage access and seamlessly connect internal booking areas with existing user accounts.
Where to find this feature in anny
You can find the SSO-related settings in your Account settings under the SSO & Security section.
Open the Account settings of your anny account.
Go to the SSO & Security section.
There you will find the configuration for SSO as well as related areas like SCIM and Attribute Mapping.
You can also create mapping rules in this same context.
Important: For Attribute Mapping to work, SSO must already be actively set up. Without an active SSO connection, the required attributes are usually not reliably available.
How the logic works
SSO controls authentication in anny. Users log in using an external Identity Provider like Microsoft 365, Google Workspace, or another SAML 2.0 system.
SCIM is completely separate. SCIM handles the automatic provisioning and synchronization of user accounts in the background and is not the same as the actual login.
Attribute Mapping uses the attributes or groups provided by the Identity Provider to specifically assign users to communities in anny.
Overview: The involved elements
Element | Description |
Identity Provider (IdP) | The external system that centrally manages the identities of your users (e.g., Microsoft Entra ID, Google Workspace, Okta). |
SAML 2.0 | The standard protocol that anny uses to perform secure login (Single Sign-On) between your IdP and anny. |
OAuth2 | An alternative protocol for secure login and authorization. Note: The setup of OAuth2 can currently only be handled by anny Support for you. |
SCIM (User Provisioning) | A separate background process (backchannel) that automatically creates, updates, or deactivates users in anny without them having to log in. |
Attribute Mapping | The translation rule that determines which data from the IdP (e.g., name, department) is written into which fields in anny. |
Setting up SSO protocols in anny
The SSO setup (SAML 2.0)
Setting up generic SAML 2.0 (Okta, Auth0, etc.)
Using federated SAML 2.0 in anny
Attribute Mapping
Through Attribute Mapping, you can assign user properties from your IDP (user management) to anny communities. This allows members to be automatically assigned (auto-join) to the respective internal booking areas (communities).
SSO Troubleshooting
404: Page not found
404: Page not found
If you encounter this error, check if the Identity Provider has been activated. Activate the Identity Provider by clicking the three dots > Activate.
Microsoft Azure: AADSTS50105
Microsoft Azure: AADSTS50105
This error occurs when users need to be explicitly added to the application in Microsoft but haven't been added yet. There are two ways to fix this issue:
1. Do not require user assignment Go to the application in Microsoft Azure and click on Properties. Set the Assignment required option to No.
2. Assign users to the application You can add the specific users who are allowed to log in via the application. To do this, go to your application in Microsoft Azure and click on Users and groups. Add the users here who should be granted access.
Signature missing
Signature missing
This error means that the SAMLResponse, which is sent as a reply from the Identity Provider to anny, is not signed. We always require a signed SAMLResponse. Ensure that the signature is added in your IDP.
Microsoft: To enable the signature in Microsoft Azure, go to your application > Single sign-on > SAML Certificates > Edit. Make sure that the Signing Option is set to Sign SAML response and assertion.
Email address missing
Email address missing
When logging in as an M365 administrator via the wayfless link or by clicking the Test Connection button, it is important to note which user you are currently logged in with in M365. An administrator account without an Exchange/Outlook license and without its own email address cannot log in to anny. First, switch to your regular M365 account and perform the login process again.
Network error due to incomplete attribute mapping
Network error due to incomplete attribute mapping
Generally, no attribute mapping is required for the SSO login. However, it can be used later for automatic assignment to booking areas/roles. Mapping rules without content or assignment can lead to errors during login, as anny attempts to apply the rules during the login process. Remove the created rules and test the login again.
User is not mapped by groups
User is not mapped by groups
If individual users are not correctly assigned via attribute mapping, the reason in Microsoft 365 might be that they belong to too many groups, which prevents us from reading the group data (group overage). You can find a solution for this here.