
Configure SAML 2.0 single sign-on (SSO) in Okta


As a Tethr Admin user, you can configure SAML 2.0 single sign-on (SSO) using the Okta identity provider.


What we'll cover:

  1. Configuring Okta IdP for SAML 2.0 SSO

    1. Add Tethr as a new SAML 2.0 Web application
    2. Create a SAML integration
    3. Provide the IdP metadata to Tethr
  2. Tethr account activation and sign-in experience

  3. Configure SAML SSO for a specific IdP

Getting started: In the SAML SSO configuration example in this article, Tethr is the service provider and Okta is the identity provider (IdP). The majority of SAML 2.0 compliant identity providers require the same information about the service provider for setup.


Before you begin:

Before you can configure SAML 2.0 SSO in Okta, you'll need:

  • to be an Administrator of your organization’s Tethr users so you can activate users and test the integration.
  • an Okta account with Administrator privileges.

Configuring Okta IdP for SAML 2.0 SSO

This section shows you how to configure the identity provider, Okta, to enable SAML single sign-on in Tethr.
Within Okta, you’ll first add Tethr as a new SAML 2.0 Web application. Then you’ll set up a SAML integration and provide the IdP metadata to Tethr.


Add Tethr as a new SAML 2.0 Web application

To begin, you’ll need to sign in to your existing Okta identity provider account using your administrative rights.

  1. Select Applications from the main menu.

  2. On the Applications page, select the Add Application button.


  3. Within the Add Applications page, select the Create New App button.


  4. You’ll see a Create a new Application Integration pop-up, where you’ll choose Web as the platform.

  5. Choose SAML 2.0 as the sign-on method.

  6. Then select Create.



Create a SAML integration

  1. On the Create SAML integration page under the General Settings tab, you’ll give your App a name and description and upload an optional logo.

    a) For the App name, use Tethr.
    b) Optional: Download this Tethr logo image to use as the App image: TethrLogo-Blue.png
    c) Select Next to configure SAML.


  2. On the Configure SAML tab, under the General SAML Settings section, enter https://mycompanyname.tethr.com/AuthServices/Acs as your single sign-on URL (mycompanyname stands for your organization's Tethr subdomain).
  3. Then enter https://mycompanyname.tethr.com/AuthServices as your Audience URI (SP Entity ID).


  4. Under the Attribute Statements section:

    a) Enter user.id as the Name.
    b) Enter user.login as the first Value.


    Proceed through to complete the setup process. When you reach the Sign On tab, under Settings in the Sign On Methods section you’ll see a note to View Setup Instructions.

  5. Select View Setup Instructions.


  6. Copy all contents within the Provide the following IDP metadata to your SP provider field, and send this metadata to your Tethr Integrations Specialist.



Provide the IdP metadata to Tethr

To complete SAML SSO configuration for your organization, you'll need to provide Tethr with the identity provider (IdP) SAML metadata you copied from Okta above. Tethr uses this metadata to determine how to communicate with Okta and how to request user authentication.


Forcing SSO by specific email domain

We recommend that organizations that work with Tethr enforce the use of SSO. To enforce SSO in your organization, give your Tethr Integrations Specialist a list of the email domains you’d like SSO enforced on.


Tethr account activation and sign-in experience

When a Tethr user who uses SSO needs to be activated, they should use the Sign in with Okta button rather than selecting the Activate account button.

If you’ve enabled SSO in your organization, your users’ login page will include a Sign in with Okta option.


Configure SAML SSO for a specific IdP