Configuring single sign on
If you have already created your custom domain:
- From the Setup app, General section, click Custom Domains
- Click on the name of the custom domain
- Click on the Single Sign On tab
The Single Sign On tab is divided into three sections: Single Sign On, Security and Identity.
The Single Sign On section:
- Friendly name of the authentication provider. The label displayed to users in the login method selector (e.g. "Azure", "Google Workspace").
- Authentication provider login URL. The IdP SSO endpoint to which Altamira sends authentication requests. Corresponds to the Single Sign-On Service URL field in the IdP's SAML metadata.
- Authentication provider logout URL. The IdP endpoint for federated logout. Corresponds to the Single Logout Service URL field in the IdP's SAML metadata. Required to enable Single Logout (SLO).
- Service provider initiated binding. The HTTP binding used by Altamira to send the login request to the IdP, when a user accesses the SSO domain directly without being authenticated. HTTP POST is the default and works with most providers.
- Identity provider initiated binding. The HTTP binding used by the IdP to send the SAML response to Altamira, when the session is started from the IdP (e.g. from the Altamira HRM application button on the Microsoft 365 homepage). HTTP POST is the default and works with most providers.
- Single Logout binding. The HTTP binding used for SAML logout messages, both when logout is initiated by Altamira and when initiated by the IdP. Available values: HTTP POST / HTTP Redirect. Check the value supported in the IdP's SAML metadata.
- Show SSO authentication on the login page. If enabled, the SSO login button is shown on the login page.
- Show local authentication on the login page. If enabled, the username and password login form is also shown. Useful during testing or for users not covered by SSO.
- Allow users to log out locally. If enabled, logging out disconnects the user only from the Altamira session without notifying the IdP. If disabled, logout triggers the federated Single Logout procedure with the IdP.
The Security section:
- Identity provider certificate for response signing. The IdP's public certificate used by Altamira to verify the signature of received SAML assertions. Usually downloadable from the IdP's XML metadata. Only the public key is required.
- Certificate for response encryption. The certificate used by the IdP to encrypt SAML assertions. Optional: only required if the IdP is configured to encrypt assertions. Only the public key is required.
- Certificate for request signing. The certificate with which Altamira signs requests sent to the IdP. Requires a certificate with a private key. You can generate a self-signed certificate by clicking New → Generate self-signed certificate.
- Sign SSO requests. Whether to sign SAML requests and which signing algorithm to use. Recommended value: Sign requests using SHA256.
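Several of the fields above (login URL, logout URL, the binding supported for Single Logout, and the IdP signing certificate) come straight from the IdP's SAML metadata. The following is an added example, not Altamira's own code: it reads a constructed sample metadata document for a hypothetical IdP (idp.example.test, placeholder certificate) and returns the values to enter in the Single Sign On and Security sections, keeping only signing certificates so an encryption key is not pasted into the response-signing field by mistake.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_LABEL = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
                 "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect"}

# Constructed sample metadata for a hypothetical IdP; the certificate is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Return the values the Single Sign On and Security sections ask for:
    login URL, logout URL, the bindings each endpoint supports, and the
    IdP signing certificate(s) used to verify response signatures."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    def endpoints(tag):  # {binding label: URL} for one service type
        return {BINDING_LABEL.get(e.get("Binding"), e.get("Binding")): e.get("Location")
                for e in idp.findall(tag, NS)}

    sso = endpoints("md:SingleSignOnService")
    slo = endpoints("md:SingleLogoutService")
    # Only signing certificates verify responses; use="encryption" keys belong to a separate field.
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.findall(".//ds:X509Certificate", NS)]
    return {
        # HTTP POST is the default SP-initiated binding; fall back to whatever the IdP offers.
        "login_url": sso.get("HTTP POST") or next(iter(sso.values()), None),
        "logout_url": next(iter(slo.values()), None),  # None when the IdP offers no SLO
        "sso_bindings": sorted(sso),
        "slo_bindings": sorted(slo),
        "signing_certificates": certs,
    }
```

For the sample above, the Single Logout binding must be set to HTTP Redirect, since that is the only binding the IdP advertises for its SingleLogoutService.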
The Identity section:
- Synchronize groups. If enabled, groups are synchronized from the IdP on every login. You will need to configure your IdP to send group membership as a claim. See Synchronizing groups.
- Automatically provision new users. If enabled, Altamira HRM automatically creates a new user when authentication with the IdP succeeds but the user does not yet exist in Altamira HRM. See Self provisioning.
- Form for creating the employee. Select the form to use when creating the employee profile on first login. Any form built on the Employee entity can be selected. See Self provisioning.
- Username source. Defines how Altamira retrieves the user identifier from the SAML assertion. If Subject NameIdentifier of the assertion is selected, Altamira expects the response to contain a Subject element with a NameIdentifier. If Use claim is selected, Altamira will read the username from the claim specified in the Name of the claim containing the username field.
- Name of the claim containing the username. The full na