Calendly SAML Single Sign-on (SSO)
This topic describes how to configure Calendly for SSO using CyberArk Identity, and how to set up Calendly for provisioning.
Calendly is a scheduling automation platform. Calendly unites teams, invitees, and data, to simplify meeting scheduling.
Calendly supported SSO features
Calendly supports the following features:
- SP-initiated SSO
- IdP-initiated SSO
- SCIM-based user provisioning
Configure CyberArk Identity SSO for Calendly
Before you begin
Before you begin, make sure you have the following prerequisites:
- You have a Calendly account on the Enterprise plan
- You are a Calendly account owner or admin
- You have CyberArk Identity users for SSO
Step 1: Add the Calendly app to the Identity Administration portal
- Go to Admin Portal > Apps > Web Apps and select Add Web Apps.
- In the app catalog window, search for the Calendly app and select Add. Confirm that you want to add the application.
- Close the app catalog window to go to the Calendly app configuration page.
Step 2: Add permissions to the Calendly app
- Go to the Permissions tab.
- Select the users, groups, or roles to assign to the Calendly app. Select Add.
- Select Save.
Step 3: Enable Single Sign-on in your Calendly account
- Log into your Calendly account.
- In the top-right corner, select Account, and select Organization Settings from the list.
- On the left side of the page, select Single sign-on.
- Under Step 1: Enter your identity provider information, enter the following details from the Calendly Trust page in the Identity Administration portal.

  | Calendly field | Identity Administration portal field |
  | --- | --- |
  | Entity ID | Identity Provider URL that issues the SAML2 security token. |
  | Identity provider's SAML HTTP Request URL | Identity Provider Login Page. |
  | X.509 certificate for SAML authentication | Signing Certificate. Download the certificate and upload it to Calendly using the Upload Certificate button. |

- Click Save & continue.
- Under Step 2: Enable SSO for yourself, copy the following details and paste them into the corresponding fields in the Calendly Trust page of the Identity Administration portal.

  | Calendly field | Identity Administration portal field |
  | --- | --- |
  | Audience URL | SP Entity ID / SP Issuer / Audience |
  | ACS URL | Assertion Consumer Service (ACS) URL |
  | Default Relay State | Relay State |

- Click Save.
- Click Test connection. If successful, a success banner appears at the top of the page.
- Under Step 3: Enforce for your organization, select Enforce SAML SSO for my organization. All users are logged out, and are required to re-authenticate using CyberArk Identity.
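When Test connection fails, the usual cause is that one of the values exchanged in the two tables above does not match what the SAML response carries: the IdP Entity ID appears as the assertion Issuer, the Audience URL as Audience, and the ACS URL as Destination and Recipient. The following added example (not CyberArk or Calendly code) compares a decoded response from your own test login against the configured values. All URLs and the sample response are constructed placeholders, and the signature is not verified here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values standing in for what the two Trust-page tables hold.
EXPECTED = {
    "issuer": "https://idp.example.test/constructed-entity-id",
    "audience": "https://sp.example.test/constructed-audience",
    "acs_url": "https://sp.example.test/constructed-acs",
}

# Constructed, unsigned SAML response trimmed to the fields being compared.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.test/constructed-acs">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/constructed-entity-id</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/constructed-acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/wrong-audience</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def trust_mismatches(response_xml, expected):
    """Return (field, expected, found) for every configured value that differs."""
    # ElementTree is acceptable for a response you captured yourself; use a
    # hardened parser such as defusedxml for XML from an untrusted source.
    root = ET.fromstring(response_xml)
    found = {
        "issuer": [(e.text or "").strip() for e in root.findall(".//saml:Assertion/saml:Issuer", NS)],
        "audience": [(e.text or "").strip() for e in root.findall(".//saml:Audience", NS)],
        "acs_url": [root.get("Destination")] + [
            e.get("Recipient") for e in root.findall(".//saml:SubjectConfirmationData", NS)],
    }
    problems = []
    for field, want in expected.items():
        values = found[field]
        # Exact string comparison: a trailing slash or an http/https swap in
        # a pasted URL counts as a mismatch.
        if not values or any(v != want for v in values):
            problems.append((field, want, values))
    return problems
```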
Step 4: Add single sign-on users to Calendly
- Select Add Users from the Calendly Admin Management page.
- Enter email addresses and event types for the new users.
- A popup window appears, confirming the number of users you are adding, and their cost. Click Add seats to confirm.
New users receive an invitation to join your Calendly organization. SSO is enabled by default.
Be sure to add permissions to the Calendly app for existing or new users.
Step 5: Test the Calendly SSO integration
- Open the Calendly login page.
- Enter your email address. Select Log in.
- Select Log in with single sign-on. After successful authentication through CyberArk Identity, the page redirects back to Calendly and displays the web interface.
- Launch the Calendly web application from the Identity User Portal. The page redirects to Calendly and displays the web interface.
Calendly SCIM provisioning
SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.
Before you begin
Before you begin, make sure you have the following prerequisites:
- You have configured Calendly for SSO.
Step 1: Enable SCIM provisioning in Calendly
- Log into your Calendly account.
- In the top-right corner, select Account, and select Organization Settings from the list.
- On the left side of the page, select Single sign-on.
- Under Optional: Connect SCIM, toggle on SCIM provisioning.
- Select copy base URL to copy the SCIM base URL. This will be needed later.
- Select the appropriate value for When do you want this token to expire?, then select Generate new bearer token and Copy token. This will be needed later.
Step 2: Enable SCIM provisioning in CyberArk Identity
- Open the Calendly app configuration page in the Identity Administration portal.
- Go to the Provisioning tab.
- Select Enable provisioning for this application.
- Enter the SCIM Service URL and Bearer Token.
  These are the values you copied from Calendly in Step 1: Enable SCIM provisioning in Calendly.

  | CyberArk Identity field | Calendly field |
  | --- | --- |
  | SCIM Service URL | Base URL |
  | Bearer Token | Bearer Token |

- Click Verify.
- Under Sync Options, specify how CyberArk Identity handles situations when it determines that the user already has an account in the target application.
Under Sync Options, specify how CyberArk Identity handles situations when it determines that the user already has an account in the target application.
  How CyberArk Identity determines duplicate user accounts:
  If the user accounts in CyberArk Identity and the target application match for the fields that make the user unique, then CyberArk Identity handles the user account updates according to your instructions. In many applications, the user's email address or Active Directory userPrincipalName is the primary field used to identify a user, and in many cases, the userPrincipalName is the email address. You can look at the application's provisioning script to see the fields that CyberArk Identity uses to match user accounts.
  - Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).
  - Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.
  - Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
  - Select Deprovision users in this application when they are disabled in source directory to enable the feature.
    If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.

  Calendly does not support creating groups. You need to uncheck the Sync groups from local directory to target checkbox.
- Under Role Mappings, select Add to add the necessary role mappings.
- (Optional) If required, provide necessary mappings under Provisioning Script section.
- Click Save.
Now the application is ready for SCIM provisioning.
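The Sync Options in Step 2 decide what happens to Calendly accounts that already exist, so it helps to preview the outcome before saving. The following added example is a dry-run model of those options, not CyberArk Identity's provisioning logic. It assumes accounts are matched on email compared case-insensitively, and the users, attribute names and action labels are constructed for illustration.

```python
# Constructed sample data; attribute names are illustrative, not Calendly's schema.
SOURCE = [
    {"email": "ana@example.test", "active": True, "attrs": {"displayName": "Ana Ruiz"}},
    {"email": "bo@example.test", "active": True, "attrs": {"displayName": "Bo Chen"}},
    {"email": "cy@example.test", "active": False, "attrs": {"displayName": "Cy Young"}},
]
TARGET = [
    {"email": "Ana@example.test", "attrs": {"displayName": "Ana R.", "timezone": "Europe/Madrid"}},
    {"email": "cy@example.test", "attrs": {"displayName": "Cy Young"}},
]


def plan_sync(source, target, overwrite, deprovision_disabled):
    """Return one planned (email, action, detail) per source user; changes nothing."""
    # Assumption: accounts match on email, compared case-insensitively.
    existing = {t["email"].lower(): t for t in target}
    plan = []
    for user in source:
        email = user["email"].lower()
        match = existing.get(email)
        if not user["active"]:
            # A disabled user is only removed when the deprovision option is on.
            if match and deprovision_disabled:
                plan.append((email, "deprovision", {}))
            else:
                plan.append((email, "none", {}))
        elif match is None:
            plan.append((email, "create", {}))
        elif not overwrite:
            # "Do not sync (no overwrite)": the duplicate is left as it is.
            plan.append((email, "skip", {}))
        else:
            # "Sync (overwrite)": differing values are replaced, and target
            # values with no counterpart in the source are removed.
            src, dst = user["attrs"], match["attrs"]
            detail = {
                "changed": sorted(k for k in src if src[k] != dst.get(k)),
                "cleared": sorted(k for k in dst if k not in src),
            }
            plan.append((email, "update", detail))
    return plan
```

The `cleared` list is the part to review before choosing Sync (overwrite): it names target values that would be removed because the source has no counterpart.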