As a Tethr Admin user you can enable SAML 2.0 single sign-on (SSO) as an added security layer within your team or organization’s Tethr account. SAML SSO helps you effortlessly manage your team or organization’s access to all the products you use.
With SSO, your users can use one set of login credentials (e.g., username/email and password) to access multiple applications. SSO authenticates your users once for all applications they have rights to, eliminating the need for multiple logins or managing multiple username/password credentials each time they switch applications in the same session.
SAML SSO benefits:
- Improves users’ online experience: they log in to Tethr once with a single sign-on, and their credentials stay with the identity provider rather than with each application.
- Reduces your organization’s administrative cost to maintain user account information.
- Transfers the risk of managing multiple user accounts from the business service provider to the identity provider (IdP).
- Removes the need to maintain and synchronize user account information between your systems.
What we'll cover:
- Forcing SSO by specific email domain
- Auto SSO
- Link a Tethr user to an identity provider
- Bypassing SSO
- Signing out of Tethr
Before you begin:
Before you can configure SAML 2.0 SSO for your organization, you'll need:
- to be an Administrator of your organization’s Tethr users so you can activate users and test the integration
- an identity provider account with Administrator privileges
- an identity provider that is SAML 2.0 compliant and is accessible via a public IP address.
General steps to configure your IdP for SAML 2.0 SSO
This section shows you how to configure the identity provider to enable SAML single sign-on in Tethr.
Within your chosen IdP you’ll create a new SAML 2.0 Web application and add Tethr.
For Application Name use "Tethr".
Tethr’s logos can be found at https://tethr.com/brand.
Use https://mycompanyname.tethr.com/AuthServices/Acs for ACS URL.
Use https://mycompanyname.tethr.com/AuthServices for Entity ID.
Use https://mycompanyname.tethr.com/ for Start URL.
Tethr needs one attribute included in the SAML assertion: user.id, which must contain the user’s primary email address.
Required: configure the IdP to sign with SHA-256 or stronger (both the signature algorithm and the digest algorithm). Tethr does not support SHA-1.
Finally, provide your Tethr Integrations Specialist with the identity provider (IdP) SAML metadata file.
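Before you hand the metadata over, it helps to confirm that what your IdP actually issues matches the settings above. The script below is an added example (it is not Tethr code and not an IdP's own tooling): it parses a SAML 2.0 Response of the kind your IdP posts to the ACS URL and checks the Destination, the Audience, the declared signature and digest algorithms (flagging SHA-1) and the presence of the email attribute. It assumes the tenant hostname mycompanyname.tethr.com from this article and that the IdP delivers the email as an attribute named user.id; the sample response embedded in it is constructed, with placeholder issuer, IDs and digest values. It does not cryptographically verify the signature, which Tethr does on its side.

```python
"""Check a SAML 2.0 Response against the Tethr SP settings listed above.

Added example, not Tethr's code. Standard library only. Checks the declared
Destination, Audience, signature/digest algorithm URIs (SHA-1 rejected) and
the e-mail attribute; it does NOT verify the XML signature cryptographically.
Assumptions: tenant mycompanyname.tethr.com, e-mail attribute Name="user.id".
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS = "{%s}" % NS["ds"]


def check_saml_response(xml_text, tenant="mycompanyname.tethr.com", email_attr="user.id"):
    """Return a list of findings; an empty list means every check passed."""
    acs_url = f"https://{tenant}/AuthServices/Acs"      # ACS URL from the article
    entity_id = f"https://{tenant}/AuthServices"        # Entity ID from the article
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return [f"root element is {root.tag}, not samlp:Response"]
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs_url}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext saml:Assertion (encrypted assertions are not handled here)"]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include the Entity ID {entity_id}")
    # The Response, the Assertion, or both may be signed; every algorithm must be SHA-256+.
    signatures = root.findall(".//ds:Signature", NS)
    if not signatures:
        findings.append("no ds:Signature on the Response or the Assertion")
    for sig in signatures:
        for el in sig.iter():
            if el.tag in (DS + "SignatureMethod", DS + "DigestMethod"):
                alg = el.get("Algorithm", "")
                if alg.lower().endswith("sha1"):
                    findings.append(f"SHA-1 in use: {alg}")
    values = [v.text or "" for v in assertion.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{email_attr}']/saml:AttributeValue", NS)]
    if not values:
        findings.append(f"attribute {email_attr!r} is missing from the AttributeStatement")
    elif "@" not in values[0]:
        findings.append(f"attribute {email_attr!r} is not an e-mail address: {values[0]!r}")
    return findings


# Constructed sample: a correctly configured IdP (issuer, IDs, digest values are placeholders).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://mycompanyname.tethr.com/AuthServices/Acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>BBBB</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://mycompanyname.tethr.com/AuthServices</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.id">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response, but signed with SHA-1 and with the e-mail under the wrong attribute name.
BAD_RESPONSE = (GOOD_RESPONSE
    .replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    .replace("http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2000/09/xmldsig#sha1")
    .replace('Name="user.id"', 'Name="email"'))

if __name__ == "__main__":
    # Usage: python check_saml.py captured_response.xml  (defaults to the good sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_RESPONSE
    for line in check_saml_response(text) or ["OK"]:
        print(line)
```

To capture a real response, use your browser's developer tools on the POST to /AuthServices/Acs and base64-decode the SAMLResponse form field; an encrypted assertion will show up as a finding rather than being checked.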
Forcing SSO by specific email domain
We recommend the organizations who work with Tethr enforce the use of SSO. To enforce SSO in your organization, provide a list of email domains you’d like SSO enforced on to your Tethr Integrations Specialist.
Auto SSO
Auto SSO is useful when every user account in your organization signs in to Tethr with single sign-on. With auto SSO enabled, Tethr bypasses its own login page and redirects users straight to your identity provider’s login page. We recommend enabling auto SSO only when every user in your organization logs in with SSO.
Link a Tethr user to an identity provider
This section is for those who already have a Tethr user account with an active username and password.
- First, the user will need to sign in to Tethr via their identity provider.
- Then, the user should sign in to Tethr using their existing Tethr username and password.
  a) If the organization has enforced the use of SSO for its users, Tethr will automatically redirect the user to sign in to their identity provider.
  b) If the organization has not enforced the use of SSO for its users, the user will need to go to their Profile page and select link account to link the accounts together.
- Tethr will then link the two accounts together.
Bypassing SSO
If you’re managing SSO for your organization and need to troubleshoot or modify Tethr’s SSO configuration, you may need to bypass SSO.
When the forced SSO domain list, auto SSO, or both are enabled, users can always reach Tethr’s own login page directly by visiting: mycompanyname.tethr.com/login. This bypasses the automatic redirect to your identity provider.
When a user whose email domain is on the forced SSO list attempts to sign in with their Tethr username and password, they’ll still be automatically redirected to their IdP for authentication. The direct login is therefore only effective for accounts whose email domain is not on the forced list.
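The following is a small model of the sign-in routing described in the forced SSO, auto SSO and bypass sections above, added here as an example; it is not Tethr’s code, which applies these rules server-side from the domain list you give your Integrations Specialist. It assumes that an entry on the forced list matches the part of the address after the last @ exactly and case-insensitively, so subdomains are not matched; the exact match is deliberate, because a suffix test such as endswith("example.com") would also accept addresses at attacker-example.com.

```python
"""Model of Tethr's documented sign-in routing: forced SSO domains, auto SSO,
and the /login bypass. Added example, not Tethr's code.

Assumption: a forced domain matches the text after the last '@' exactly
(case-insensitive). Exact matching avoids the classic suffix-match bug where
"attacker-example.com" would satisfy a check for "example.com".
"""


def email_domain(email):
    """Domain part of an address, lower-cased; '' if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def sso_forced(email, forced_domains):
    """True if the user's email domain is on the forced SSO list."""
    normalized = {d.strip().lstrip("@").lower() for d in forced_domains}
    return email_domain(email) in normalized


def route(path, forced_domains, auto_sso, email=None):
    """Where a sign-in request ends up.

    path   -- the page the user opened, e.g. "/" or "/login"
    email  -- None while the user is still on the form; the submitted address
              once they press "Sign in"
    Returns "idp" (redirect to the identity provider), "login-page" (show
    Tethr's own form) or "password" (authenticate with Tethr credentials).
    """
    if email is None:
        # Auto SSO skips Tethr's login page, except on /login, which always
        # shows the page so an administrator can troubleshoot.
        if auto_sso and path != "/login":
            return "idp"
        return "login-page"
    # A forced-domain user is redirected even after submitting a password;
    # the /login bypass only helps accounts outside the forced list.
    return "idp" if sso_forced(email, forced_domains) else "password"


if __name__ == "__main__":
    forced = ["example.com"]  # constructed sample list
    for req in [("/", None), ("/login", None), ("/login", "Jane@Example.com"),
                ("/login", "admin@attacker-example.com"), ("/login", "ops@sub.example.com")]:
        print(req, "->", route(req[0], forced, True, req[1]))
```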
Signing out of Tethr
When configuring your identity provider, you have the option of setting it up to sign you out of your identity provider when you sign out of Tethr. To configure your SSO in this manner, provide the single sign-on logout URL to your Tethr Integrations Specialist.
Elevated admin permission for User Account Control (UAC)
An SSO user who is a Tethr Admin will no longer be prompted for additional authorization when resetting a user’s password, changing a user’s name, or performing any other user management function in your organization. Because Tethr no longer re-authenticates these actions itself, any step-up requirement for admin actions (for example MFA) has to come from your identity provider’s policy.
Changing and resetting passwords
You cannot reset the password of a user who is configured for SSO; their credential is held by the identity provider.
If you need to force the immediate logout of a user who signs in with a Tethr password, use the reset password option on the user’s Profile under Users in Tethr Settings.
Tethr account activation and sign-in experience
When a Tethr user needs to be activated and they’re using SSO, they should utilize the Sign-in with SSO button rather than selecting the Activate account button, as shown below:
If you’ve enabled SSO in your organization, your users’ login page will include a Sign in with SSO option as shown below: