Documentation

Single Sign-On (SSO)

Suggest Edits

Overview

Ternary supports all major SSO providers. This guide will assist SSO administrators in the creation and integration SSO providers with the Ternary platform. You can find specific details for SSO providers we have documented

Okta SSO Configuration

With Ternary's Okta integration, you can accomplish the following goals:

  • Ensure all authorized users of your Ternary Tenant have authenticated with your Okta (vs. Sign in with Google or Email/Password)
  • Auto provisioning new users within your Tenant as long as they come in via your Okta. You get to define the permissions that they will have once created.

Ternary's recommended integration includes using an app initiated authentication flow. Ternary does not support IdP-initiated authentication. This means that, even though your users will have a Ternary chiclet they can click on, they will still need to enter their email once they reach our landing page, to then be returned to Okta to complete SAML authentication. For more information on this, please read Auth0 documentation on IdP-initiated SSO.

Note: If you are going to use our SSO Groups to assign Roles and Scoped Views when users access Ternary please ensure step 8 item 3 is completed to pass Group Attribute statements from your IdP to Ternary.

Prerequisites

  • An Okta Super Admin who is able to create and assign SAML and Bookmark applications.
  • A corporate email domain which is the same one as used to provision users inside your Okta. At this time, only one email domain per SSO integration is supported, and only one SSO integration is supported per Ternary Tenant.
  • Contact your Customer Success representative before beginning this process to receive a Connection Name. This will be something like 'yourcompanyname-saml' and matches configuration that Ternary will create internally. Hereafter, we will refer to this as CONNECTION_NAME and you will have to fill it in various places.

Create the SAML Chiclet

In this step, you will create an invisible SAML chiclet that is responsible for handling the actual SAML integration behind the scenes. However, this will not be the chiclet that users actually click.

  1. Access your Okta Admin page and create a SAML integration. For more information on this task, view Okta documentation.
  2. Fill in the fields as follows:
    1. App Name: We suggest 'Ternary SAML'
    2. App Logo: As this will be not visible to users we recommend skipping the logo to indicate it is not for user consumption.
    3. App Visibility: Check the box that says "Do not display application icon to users."
  3. Continuing on to the next screen, you will now be able to fill in SAML information as follows.
    1. Single sign-on URL: https://auth.ternary.app/login/callback?connection=YOUR_CONNECTION_NAME
    2. Audience URI (SP Entity ID): urn:auth0:ternary:YOUR_CONNECTION_NAME
    3. Default RelayState: BLANK
    4. Name ID format: Unspecified
    5. Application username: Email
    6. Update application username on: Create and update
    7. Do not alter any Advanced Settings
    8. Attribute Statements:
      1. Transfer user's first and last name to Ternary as a SAML attribute
        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Name format: Unspecified
        Value: user.firstName + " " + user.lastName
      2. Hit Add Another for a second mapping. This one will transfer user's email address to Ternary as a SAML attribute.
        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        Name format: Unspecified
        Value: user.email
      3. If you are using Okta (https://help.okta.com/en-us/content/topics/apps/define-group-attribute-statements.htm) and Groups to assign Roles and Scoped Views (your company may use a different IdP and you will need to find documentation on how to include Group attribute): Hit Add Another for a second mapping. This one will transfer the Groups the user is associated with to Ternary as a SAML attribute.
        Name: Enter a name for the group attribute in your SAML app
        Name format: Unspecified
        Value: OktaGroupName
  4. Hit 'Preview the SAML Assertion' to confirm everything was entered correctly. Ensure there are no spaces in the attribute names and that the user email and name is coming through properly in the attributes.
  5. Continuing to the feedback section, you can select "internal app" and finish the process

Gather Information to Share with Ternary

Ternary needs to know a few pieces of information about your created SAML integration to proceed. On the SAML app you just created, access the Sign On tab:

Then, scroll down and to the right and locate the SAML Setup Instructions:

On the page that results, there are three items, all of which you must retrieve and share with Ternary: Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate. Ternary Customer Success will then create your SSO integration and bind it to your tenant.

Create the Bookmark Chiclet

In this step, you will create a bookmark chiclet linking to https://my.ternary.app for your users to click on.

  1. Access your Okta Admin page and add a Bookmark App via the App Catalog. For more information on this task, view Okta documentation.
  2. Fill in the fields as follows:
    1. Application label: We suggest 'Ternary'
    2. URL: https://my.ternary.app
    3. Leave all other boxes unchecked and proceed with 'Done'
  3. You arrive at the page of the newly created Bookmark App. Set a logo by clicking on the pencil next to the app's logo in the top left. You can download this image, then use it: https://ternary.app/style/images/logo.png

Assign Both Chiclets to Your Team

For both apps that you have just created:

  1. Navigate to the Assignments tab.
  2. Assign the app to the relevant team which should have access to Ternary. You can assign it to individuals or assign it to a group. Ternary recommends groups for ease of maintenance.

Make sure that everyone assigned the bookmark app is also assigned the SAML app, and vice versa.

Finish

After you hear back from Ternary Customer Success about the creation of the SSO integration, we can now validate our work.

An assigned user should now see one Ternary chiclet on their application screen.

Upon clicking it, you will reach the Ternary login screen. Users should be advised to type their Okta email address and to NOT click the Sign up button.
















When they hit next, they will not be asked for a password, but will instead be redirected to Okta. You should see an interstitial flash by like this:









The user should then find themselves within your Ternary tenant!


Google Workspace SSO Configuration

With Ternary's Google Workspace integration, you can accomplish the following goals:

Ensure all authorized users of your Ternary Tenant have authenticated with your Google Workspace
Auto provisioning new users within your Tenant as long as they come in via your Google Workspace. You get to define the permissions that they will have once created.

Prerequisites

  • A Google Workspace administrator authorized to create new SAML applications
  • A corporate email domain which is the same one as used to provision users inside your Google Workspace. At this time, only one email domain per SSO integration is supported, and only one SSO integration is supported per Ternary Tenant.
  • Contact your Customer Success Manager before beginning this process to receive a Connection Name. This will be something like 'yourcompanyname-saml' and matches the configuration that Ternary will create internally. Hereafter, we will refer to this as _CONNECTION_NAME _and you will have to fill it in various places.

Create Google Workspace SAML App

In your Google Workspace Admin console, Web and mobile apps, click the option 'Add custom SAML app'

Give your new custom SAML app a name and optional description and app icon. Click 'Continue'

Select 'Option 1: Download idP metadata' and forward the metadata bundle to your Ternary Customer Success Manager. Select 'Continue'

On the 'Service provider details' page, enter the following values noting your Customer Success Manager should have provided your unique connection name. Please contact Customer Success prior to completing your SAML integration if you have not received a connection name. Substitute your connection_name using the values below

Accept the defaults for the other fields and Select 'Continue'

On the 'Attributes' page, you will enter the user attribute mappings that will be included in the SAML token passed to Ternary. Add the following Google Directory attributes copying and pasting the attribute value below into the 'App attributes' field for each:

First name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname

Last name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname

Primary email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Optionally, if you have configured any Google Groups that you want reflected in Ternary that can be used in creating Scoped Views for your Ternary users, add the Google Groups in 'Group membership (optional)' section. Map your Google groups to 'App Attribute'

In this example, Google group 'Ternary SSO Group' is mapped to the group App attribute. More information on SSO integrated Scoped Views assignment found here. Select 'Finish'

The final configuration step is to make the Google SSO app available to your users. Select the option to 'Expand User access'

In this example, the 'Ternary SSO Group' from my Google directory will have access to the SAML SSO Google app. Click 'Save' to complete the configuration.

You should now see the app as being available 'ON' for your organization

We recommend testing your configuration using the Google 'TEST SAML LOGIN' option

If your test is unsuccessful, please open a Support case and include any technical details found at the bottom of the test page.

You can review the Google Workspace configuration steps in a short video tutorial here

Updated about 1 month ago