Overview
Single sign-on (SSO) lets your employees use a single set of credentials (username and password) to sign in to multiple applications and websites. This simplifies their access and lets you manage their credentials centrally, which improves your security and access control. In short, SSO is a win-win for both your employees and your organization.
Plans: Enterprise. If you're an Enterprise member and need help finding the SSO option, please get in touch with our support team.
Your employees can bid farewell to remembering multiple passwords and resetting forgotten ones: with SSO they can access the software they need without signing in to each application separately.
Where to find
Navigate to Team Management from the settings menu and click on edit SSO settings.
Instructions for specific identity providers
Google Workspace
Log in to your Google Admin console. Click the small arrow next to the “Apps” item in the left side panel and, in the expanded menu, click “Web and mobile apps”.
On the “Web and mobile apps” page click the “Add app” button and select “Add custom SAML app” from the menu that appears.
On the “Add custom SAML app” page, give the app a meaningful name (e.g. tgndataSSO) and click the “Continue” button at the bottom right of the screen.
On the next page, copy and store for later use the “SSO URL”, “Entity ID” and “Certificate” values by clicking the small copy icon to the right of each. These three values identify your identity provider and the signing certificate tgndata will use to verify the assertions Google sends. When finished click the “Continue” button.
In another browser tab go to the tgndata console, log in if you are not already logged in, click the small person icon in the top right corner and select the “User Management” item of the menu that pops up.
You will be redirected to the User Management page. There click the SSO edit button (the one with the small edit icon) to open the SSO edit dialog.
In the “SSO settings” modal select the “Identity Provider” tab. Paste the “Entity ID” from Google into the “Identity Provider ID” field, the “SSO URL” from Google into the “Single Sign On endpoint” field, and the “Certificate” value from Google into the “Certificate” field.
Then select the “Service Provider” tab and copy the “Service Provider ID” and “Assertion Consumer Service” values; you will need them in the next step.
Go back to the Google tab and enter the values copied in the previous step: the “Service Provider ID” as the “Entity ID” and the “Assertion Consumer Service” as the “ACS URL”. Make sure that “Name ID” is set to “Basic Information > Primary email” and “Name ID format” is “EMAIL”, so that the Name ID tgndata receives is the user's e-mail address. Then click the “Continue” button at the bottom of the screen.
Optionally (advanced): on the next page, if you want to limit access to the tgndata platform based on the value of a specific attribute (e.g. Department), add that mapping, give it an “App attributes” name (e.g. department) and copy that name for later use. Click the “Finish” button at the bottom of the screen.
Go back to the tgndata console tab and, in the “SSO settings” modal, select the “Identity Provider” tab.
If you want to limit access to the tgndata platform based on that attribute's value, check the “Restrict for groups” checkbox, enter in the “Attribute Name” field the app attribute name you copied earlier from Google (e.g. department), and in the “Allowed values” field enter the values the attribute may carry for a user to be allowed in. Users whose assertion does not carry one of these values will be refused, so verify the values against what Google actually sends before enabling the restriction.
Turn on the “SSO” switch and click the “Save” button at the bottom of the modal.
Microsoft Azure Active Directory
Log in to your Microsoft Azure portal and go to the Azure Active Directory management page.
There select the Enterprise applications option.
On the Enterprise applications page click the “New application” button.
In the New application page click the “Create your own application” button on the top left corner.
On the Create your own application side panel, give a name to your application, and make sure that the “Integrate any other application you don’t find in the gallery (Non-gallery)” option is selected and click the “Create” button.
You will be redirected to your new application’s Overview page, there click the “2. Set up single sign on” button of the “Getting Started” section.
On the Single Sign-on page, select the “SAML” option from the “Select a single sign-on method” section.
On the SAML-based Sign-on configuration page, click the small “Edit” button on the “Basic SAML Configuration” card of the “Set up Single Sign-On with SAML” section to open the “Basic SAML Configuration” side panel. Then open the tgndata console in another browser tab.
In the tgndata console tab, log in if you haven't already, click the small person icon in the top right corner and select the “User Management” item of the menu that pops up.
You will be redirected to the User Management page. There click the SSO edit button (the one with the small edit icon) to open the SSO edit dialog.
In the “SSO settings” modal select the “Service Provider” tab and copy the “Service Provider ID”, “Assertion Consumer Service” and optionally the “Single Log Out endpoint” values; you will need them in the next step.
Return to the Azure tab where the Basic SAML Configuration panel is open. Enter the values copied in the previous step: the “Service Provider ID” as the “Identifier”, the “Assertion Consumer Service” as the “Reply URL” and optionally the “Single Log Out endpoint” as the “Logout Url”.
Then click the “Save” button in the top left corner of the side panel. This saves the configuration and closes the panel.
Scroll down on the SAML-based Sign-on configuration page and click the small “Edit” button on the “Attributes & Claims” card to open the Attributes & Claims configuration page.
Click the “Unique User Identifier” row in the “Required claim” section of the “Attributes & Claims” page to open the Manage Claim page.
On the Manage Claim page, make sure that user.mail is selected as the “Source attribute”, so that the Name ID tgndata receives is the user's e-mail address, and then click the “Save” button.
Optionally (advanced): if you want to limit access to the tgndata platform based on the value of a specific claim's source attribute (e.g. user.assignedroles), make sure that claim exists on the “Attributes & Claims” page and copy its “Name” (e.g. roles) for later use.
Head back to the SAML-based Sign-on configuration page, scroll down to “SAML Certificates” and click the “Download” button next to “Certificate (Base64)”. This downloads a certificate file that you will need in a later step. Note the certificate's expiration date shown on the card: when the signing certificate is rotated in Azure, the copy stored in tgndata must be updated as well, or sign-ins will fail signature verification.
Then scroll down on the SAML-based Sign-on configuration page and copy the “Login URL”, “Azure AD identifier” and optionally the “Logout URL” values; they are needed in the next steps.
Go to the tgndata console tab and, in the “SSO settings” modal, select the “Identity Provider” tab. Paste the “Azure AD identifier” from Azure into the “Identity Provider ID” field and the “Login URL” from Azure into the “Single Sign On endpoint” field. Optionally, check the “Single Log Out” checkbox and paste the “Logout URL” from Azure into the “Single Log Out endpoint” field.
Then open the certificate file you downloaded from Azure in a text editor (Notepad, WordPad, Notepad++, etc.), copy its entire content (it is plain Base64 text) and paste it into the “Certificate” field of the “SSO settings” modal.
Optionally (advanced): if you want to limit access to the tgndata platform based on a specific claim's value (e.g. user.assignedroles), check the “Restrict for groups” checkbox, enter in the “Attribute Name” field the claim “Name” you copied earlier from the Azure portal (e.g. roles), and in the “Allowed values” field enter the values the claim may carry for a user to be allowed in.
Turn on the “SSO” switch and click the “Save” button at the bottom of the modal.
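The two gates configured above, for Google (Name ID format EMAIL, optional “department” attribute) and for Azure (user.mail as the Unique User Identifier, optional “roles” claim), can be checked against a real assertion before you enable the restriction. The script below is an added example written for this page, not tgndata code or any identity provider's tooling: it parses a constructed, unsigned sample assertion with the Python standard library, confirms the Name ID is an e-mail address, looks up the named attribute and compares it with the allowed values, and normalizes a certificate pasted from a Base64 (PEM) file into a single line. The exact, case-sensitive comparison of allowed values is an assumption (the page does not say how tgndata compares them), and the certificate in the block is a made-up DER fragment, not a real certificate. A real service provider must verify the assertion's XML signature before trusting any of these fields; this example deliberately leaves that out.

```python
"""Sanity-check a SAML assertion against SSO settings like those above.

Added example, not tgndata's or the identity providers' code.
Assumptions: allowed values are matched exactly and case-sensitively;
the sample assertion and certificate below are constructed for the demo.
Signature verification is out of scope here and must happen first in
any real deployment.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (unsigned), shaped like the assertion Google or Azure AD
# sends after the mapping steps on this page: Name ID = primary e-mail and one
# app attribute called "department" carrying the user's department.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed PEM wrapper around a 5-byte DER SEQUENCE; NOT a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"


def name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the assertion's Subject/NameID."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("assertion has no Subject/NameID")
    return node.get("Format", ""), (node.text or "").strip()


def attribute_values(assertion_xml: str, attr_name: str) -> List[str]:
    """All AttributeValue texts of the attribute whose Name is attr_name."""
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def is_allowed(assertion_xml: str, attr_name: Optional[str], allowed: Set[str]) -> bool:
    """Apply the page's two gates: e-mail Name ID, then the optional
    "Restrict for groups" check (attr_name=None means the box is unchecked).
    Exact, case-sensitive matching of allowed values is an assumption."""
    fmt, value = name_id(assertion_xml)
    if fmt != EMAIL_FORMAT or "@" not in value:
        return False
    if attr_name is None:
        return True
    return any(v in allowed for v in attribute_values(assertion_xml, attr_name))


def normalize_pem_certificate(pem_text: str) -> str:
    """Strip BEGIN/END lines and whitespace from a Base64 certificate file (as
    downloaded from Azure) and confirm the result decodes to DER (a SEQUENCE,
    first byte 0x30). Returns the single-line base64 string."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    b64 = "".join(body.split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    return b64


if __name__ == "__main__":
    print("Name ID:", name_id(SAMPLE_ASSERTION))
    print("department allowed:",
          is_allowed(SAMPLE_ASSERTION, "department", {"Engineering", "Sales"}))
    print("roles allowed:", is_allowed(SAMPLE_ASSERTION, "roles", {"Admin"}))
    print("certificate:", normalize_pem_certificate(SAMPLE_PEM))
```

To use it on your own tenant, replace SAMPLE_ASSERTION with a decoded SAMLResponse captured from a test login (the Google or Azure test-sign-in feature, or the browser's network tools) and SAMPLE_PEM with the downloaded certificate file. The `roles` lookup returning no values shows the failure mode to watch for: if the attribute name in tgndata does not match the claim name the IdP actually sends, every user is refused.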