As a Tethr Admin user, you can configure SAML 2.0 single sign-on (SSO) using the OneLogin identity provider.
What we'll cover:
- Add Tethr as a new SAML 2.0 Web application
- Create a SAML integration
- Provide the IdP metadata to Tethr
- Configure SAML SSO for a specific IdP
Before you begin:
Before you can configure SAML 2.0 SSO in OneLogin, you'll need:
- to be an Administrator of your organization’s Tethr users so you can activate users and test the integration.
- a OneLogin account with Superuser or Account owner privileges.
Configuring OneLogin IdP for SAML 2.0 SSO
This section shows you how to configure the identity provider, OneLogin, to enable SAML single sign-on in Tethr.
Within OneLogin, you’ll first add Tethr as a new SAML 2.0 Web application. Then you’ll set up a SAML integration and provide the IdP metadata to Tethr.
Add Tethr as a new SAML 2.0 Web application
To begin, you’ll need to sign in to your existing OneLogin identity provider account using your administrative rights.
Select Applications from the main menu.
On the Applications page, select the Add Application button.
Under Find Applications, enter “SAML test connector” in the search bar and select the option SAML Test Connector (Advanced) from the list of options.
Within the Portal configuration page, you’ll give your App a name and description and upload an optional logo.
a) For the App name, use Tethr.
b) Optional: Tethr logos can be found at https://Tethr.com/brand/ to use for your icons.
c) Optional: You can enter a description to differentiate the Tethr application from other providers’ applications. Then select Save.
Create a SAML integration
Choose the SSO tab in the left-hand navigation under Enable SAML2.0.
In the SAML Signature Algorithm dropdown menu, choose SHA-512 to use a stronger signature algorithm. Then select Save.
Required: While OneLogin only requires you to enter a value for two of the fields below, Tethr requires you to enter all three of the following values: the Audience (EntityID), the ACS (Consumer) URL Validator, and the ACS (Consumer) URL.
Next, on the Configuration tab, enter https://mycompanyname.tethr.com/AuthServices as your Audience (EntityID).
In the ACS (Consumer) URL Validator field, enter an asterisk.
Then enter https://mycompanyname.tethr.com/AuthServices/Acs in the ACS (Consumer) URL field as your single sign-on URL.
Under the Parameters tab select the “+” button to add a new field parameter. In the new field pop-up:
a) Enter user.id as the Field Name.
b) Check the box to “Include in SAML assertion” and Save your entries.
c) On the pop-up’s next screen, search for and add the Field Value: Email and Save your entry.
In the More Actions menu, select the SAML Metadata option which downloads an XML file of your SAML metadata. You will provide this XML file to your Tethr Integrations Specialist.
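To test the integration once these steps are complete, you can compare a sign-in response against the values entered above. The following Python check is an added example, not Tethr or OneLogin code. It assumes you have the base64 SAMLResponse form value from a test sign-in, that the signing key is RSA (so SHA-512 shows up as the rsa-sha512 URI), and that the user.id parameter is emitted as a SAML attribute with that name; check_response, encode and the sample XML are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values entered in the steps above (mycompanyname is the page's placeholder).
AUDIENCE = "https://mycompanyname.tethr.com/AuthServices"
ACS_URL = "https://mycompanyname.tethr.com/AuthServices/Acs"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"

# Constructed, trimmed sample response (not captured from a real tenant).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="{alg}"/>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="{acs}"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{aud}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="user.id">
  <saml:AttributeValue>{uid}</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

def encode(alg=RSA_SHA512, acs=ACS_URL, aud=AUDIENCE, uid="jane@example.com"):
    # Build a base64 sample in the form the browser POSTs to the ACS URL.
    return base64.b64encode(SAMPLE.format(alg=alg, acs=acs, aud=aud, uid=uid).encode())

def check_response(saml_response_b64):
    """Return config mismatches; inspects fields only, does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    find = lambda path: list(root.iterfind(path, NS))
    text = lambda e: (e.text or "").strip()
    problems = []
    algs = {e.get("Algorithm") for e in find(".//ds:SignatureMethod")}
    if algs != {RSA_SHA512}:  # empty set means no signature at all
        problems.append("signature missing or not rsa-sha512")
    if [text(e) for e in find(".//saml:Audience")] != [AUDIENCE]:
        problems.append("Audience does not match the EntityID")
    if [e.get("Recipient") for e in find(".//saml:SubjectConfirmationData")] != [ACS_URL]:
        problems.append("Recipient does not match the ACS URL")
    uid = [text(e) for e in find(".//saml:Attribute[@Name='user.id']/saml:AttributeValue")]
    if len(uid) != 1 or "@" not in uid[0]:
        problems.append("user.id is missing or is not an email address")
    return problems
```

An empty list from check_response(encode()) means the sample matches every configured value; replace AUDIENCE and ACS_URL with your own tenant's URLs before checking a real response.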
Provide the IdP metadata to Tethr
To complete OneLogin SAML SSO configuration for your organization, you'll need to provide Tethr the identity provider (IdP) SAML metadata file you created above. This file helps Tethr understand how to communicate with OneLogin and how to request user authentication.
Tethr account activation and sign-in experience for OneLogin
When a Tethr user needs to be activated and they’re using SSO, they should use the Sign in with OneLogin button rather than selecting the Activate account button.
If you’ve enabled SSO in your organization, your users’ login page will include a Sign-in with OneLogin option.