Single Sign-On (SSO)
Overview
Ternary supports all major SSO providers. This guide will assist SSO administrators in the creation and integration of SSO providers with the Ternary platform. You can find specific details for the SSO providers we have documented below.
Okta SSO Configuration
With Ternary's Okta integration, you can accomplish the following goals:
- Ensure all authorized users of your Ternary Tenant have authenticated with your Okta (vs. Sign in with Google or Email/Password)
- Auto-provision new users within your Tenant as long as they come in via your Okta. You get to define the permissions that they will have once created.
Ternary's recommended integration uses an app-initiated authentication flow. Ternary does not support IdP-initiated authentication. This means that, even though your users will have a Ternary chiclet they can click on, they will still need to enter their email once they reach our landing page, and will then be returned to Okta to complete SAML authentication. For more information on this, please read the Auth0 documentation on IdP-initiated SSO.
Note: If you are going to use our SSO Groups to assign Roles and Scoped Views when users access Ternary, please ensure step 8 item 3 is completed so that Group Attribute statements are passed from your IdP to Ternary.
Prerequisites
- An Okta Super Admin who is able to create and assign SAML and Bookmark applications.
- A corporate email domain which is the same one as used to provision users inside your Okta. At this time, only one email domain per SSO integration is supported, and only one SSO integration is supported per Ternary Tenant.
- Contact your Customer Success representative before beginning this process to receive a Connection Name. This will be something like 'yourcompanyname-saml' and matches configuration that Ternary will create internally. Hereafter, we will refer to this as CONNECTION_NAME and you will have to fill it in various places.
Create the SAML Chiclet
In this step, you will create an invisible SAML chiclet that is responsible for handling the actual SAML integration behind the scenes. However, this will not be the chiclet that users actually click.
- Access your Okta Admin page and create a SAML integration. For more information on this task, view Okta documentation.
- Fill in the fields as follows:
  - App Name: We suggest 'Ternary SAML'
  - App Logo: As this will not be visible to users, we recommend skipping the logo to indicate it is not for user consumption.
  - App Visibility: Check the box that says "Do not display application icon to users."
- Continuing on to the next screen, you will now be able to fill in the SAML information as follows:
  - Single sign-on URL: https://auth.ternary.app/login/callback?connection=YOUR_CONNECTION_NAME
  - Audience URI (SP Entity ID): urn:auth0:ternary:YOUR_CONNECTION_NAME
  - Default RelayState: BLANK
  - Name ID format: Unspecified
  - Application username: Email
  - Update application username on: Create and update
  - Do not alter any Advanced Settings
  - Attribute Statements:
    - The first mapping transfers the user's first and last name to Ternary as a SAML attribute:
      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Name format: Unspecified
      Value: user.firstName + " " + user.lastName
    - Hit Add Another for a second mapping. This one will transfer the user's email address to Ternary as a SAML attribute:
      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      Name format: Unspecified
      Value: user.email
    - If you are using Okta Groups to assign Roles and Scoped Views (see https://help.okta.com/en-us/content/topics/apps/define-group-attribute-statements.htm; if your company uses a different IdP, you will need to find its documentation on how to include a Group attribute), hit Add Another for an additional mapping. This one will transfer the Groups the user is associated with to Ternary as a SAML attribute:
      Name: Enter a name for the group attribute in your SAML app
      Name format: Unspecified
      Value: OktaGroupName
- Hit 'Preview the SAML Assertion' to confirm everything was entered correctly. Ensure there are no spaces in the attribute names and that the user's email and name are coming through properly in the attributes.
- Continuing to the feedback section, you can select "internal app" and finish the process.
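The preview check above (no spaces in attribute names, name and email present, NameID carrying the email, and the optional group attribute) can be automated before the integration is handed to Ternary. The script below is an added example and is not Ternary's or Okta's code: it parses the XML shown by 'Preview the SAML Assertion' with the standard library and lists anything that would break the mapping. The two sample assertions are constructed for illustration, the issuer and ID values are placeholders, and 'groups' is a hypothetical name standing in for whatever group attribute name you chose.

```python
"""Sanity-check a previewed SAML assertion before sending the integration to Ternary.

Added example (not part of Ternary's documentation or Okta's tooling): paste the
XML from Okta's 'Preview the SAML Assertion' into a string and call check_assertion.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Names the guide asks Okta to send (the group attribute name is yours to choose).
REQUIRED_ATTRS = {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}


def check_assertion(xml_text: str, group_attr: str = "") -> list:
    """Return the problems found in an assertion preview; an empty list means it looks right.

    Checks: no whitespace in attribute Names, name and emailaddress attributes present
    and non-empty, NameID present and equal to the emailaddress value, and (when
    group_attr is given) the group attribute present so SSO Groups can be mapped.
    """
    root = ET.fromstring(xml_text)
    problems = []
    attrs = {}  # keyed by the raw Name so stray whitespace is preserved and reported
    for attr in root.iterfind(".//saml2:Attribute", NS):
        name = attr.get("Name", "")
        attrs[name] = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        if name != name.strip() or " " in name:
            problems.append(f"attribute Name contains whitespace: {name!r}")

    for label, wanted in REQUIRED_ATTRS.items():
        values = attrs.get(wanted, [])
        if not values or not values[0].strip():
            problems.append(f"missing or empty {label} attribute ({wanted})")

    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        problems.append("NameID is missing or empty")
    else:
        email_values = attrs.get(REQUIRED_ATTRS["email"], [])
        if email_values and email_values[0].strip() != subject:
            problems.append(f"NameID {subject!r} differs from emailaddress {email_values[0]!r}")

    if group_attr and not attrs.get(group_attr):
        problems.append(f"group attribute {group_attr!r} is absent; SSO Groups mapping will not work")
    return problems


# Constructed preview of a correctly configured assertion (issuer and ID are placeholders).
GOOD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-EXAMPLE" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml2:AttributeValue>Jane Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>Ternary SSO Group</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed preview with two common mistakes: a trailing space in the name attribute's
# Name and the emailaddress mapping left out entirely.
BAD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-EXAMPLE" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name ">
      <saml2:AttributeValue>Jane Doe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        found = check_assertion(xml_text, group_attr="groups")
        print(label, "OK" if not found else found)
```

Run it on the real preview before sharing anything with Ternary; the trailing-space case is reported both as whitespace and as a missing mapping, because the attribute name with the space no longer matches the one Ternary expects.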
Gather Information to Share with Ternary
Ternary needs to know a few pieces of information about your created SAML integration to proceed. On the SAML app you just created, access the Sign On tab:
Then, scroll down and to the right and locate the SAML Setup Instructions:
On the page that results, there are three items, all of which you must retrieve and share with Ternary: Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate. Ternary Customer Success will then create your SSO integration and bind it to your tenant.
Create the Bookmark Chiclet
In this step, you will create a bookmark chiclet linking to https://my.ternary.app for your users to click on.
- Access your Okta Admin page and add a Bookmark App via the App Catalog. For more information on this task, view Okta documentation.
- Fill in the fields as follows:
- Application label: We suggest 'Ternary'
- URL: https://my.ternary.app
- Leave all other boxes unchecked and proceed with 'Done'
- You arrive at the page of the newly created Bookmark App. Set a logo by clicking on the pencil next to the app's logo in the top left. You can download this image, then use it: https://ternary.app/style/images/logo.png
Assign Both Chiclets to Your Team
For both apps that you have just created:
- Navigate to the Assignments tab.
- Assign the app to the relevant team which should have access to Ternary. You can assign it to individuals or assign it to a group. Ternary recommends groups for ease of maintenance.
Make sure that everyone assigned the bookmark app is also assigned the SAML app, and vice versa.
Finish
After you hear back from Ternary Customer Success about the creation of the SSO integration, we can now validate our work.
An assigned user should now see one Ternary chiclet on their application screen.
Upon clicking it, you will reach the Ternary login screen. Users should be advised to type their Okta email address and to NOT click the Sign up button.
When they hit next, they will not be asked for a password, but will instead be redirected to Okta. You should see an interstitial flash by like this:
The user should then find themselves within your Ternary tenant!
Google Workspace SSO Configuration
With Ternary's Google Workspace integration, you can accomplish the following goals:
- Ensure all authorized users of your Ternary Tenant have authenticated with your Google Workspace.
- Auto-provision new users within your Tenant as long as they come in via your Google Workspace.
- Define the Ternary role your users will be assigned when auto provisioned.
Prerequisites
- A Google Workspace administrator authorized to create new SAML applications
- A corporate email domain which is the same one as used to provision users inside your Google Workspace. At this time, only one email domain per SSO integration is supported, and only one SSO integration is supported per Ternary Tenant.
- Contact your Customer Success Manager before beginning this process to receive a Connection Name. This will be something like 'yourcompanyname-saml' and matches the configuration that Ternary will create internally. Hereafter, we will refer to this as CONNECTION_NAME and you will have to fill it in various places.
Create Google Workspace SAML App
In your Google Workspace Admin console, under 'Web and mobile apps', click the option 'Add custom SAML app'.
Give your new custom SAML app a name and an optional description and app icon. Click 'Continue'.
Select 'Option 1: Download IdP metadata' and forward the metadata bundle to your Ternary Customer Success Manager. Select 'Continue'.
On the 'Service provider details' page, enter the following values. Your Customer Success Manager should have provided your unique connection name; please contact Customer Success prior to completing your SAML integration if you have not received one. Substitute your connection name for connection_name in the values below:
- ACS URL: https://auth.ternary.app/login/callback?connection=connection_name
- Entity ID: urn:auth0:ternary:connection_name
Accept the defaults for the other fields and select 'Continue'.
On the 'Attributes' page, you will enter the user attribute mappings that will be included in the SAML token passed to Ternary. Add the following Google Directory attributes copying and pasting the attribute value below into the 'App attributes' field for each:
First name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname
Last name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname
Primary email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Optionally, if you have configured Google Groups that you want reflected in Ternary so they can be used when creating Scoped Views for your Ternary users, add them in the 'Group membership (optional)' section and map your Google groups to an 'App attribute'.
In this example, the Google group 'Ternary SSO Group' is mapped to the group App attribute. More information on SSO-integrated Scoped Views assignment can be found here. Select 'Finish'.
The final configuration step is to make the Google SSO app available to your users. Select the option to 'Expand User access'
In this example, the 'Ternary SSO Group' from my Google directory will have access to the SAML SSO Google app. Click 'Save' to complete the configuration.
You should now see the app as being available ('ON') for your organization.
We recommend testing your configuration using the Google 'TEST SAML LOGIN' option.
If your test is unsuccessful, please open a Support case and include any technical details found at the bottom of the test page.
You can review the Google Workspace configuration steps in a short video tutorial here
Microsoft Entra ID SSO Configuration
With Ternary's Microsoft Entra ID integration, you can accomplish the following goals:
- Ensure all authorized users of your Ternary Tenant have authenticated with your Entra ID.
- Auto-provision new users within your Tenant as long as they come in via Azure Entra ID.
- Define the Ternary role your users will be assigned when auto provisioned.
Prerequisites
- An Azure Entra ID administrator authorized to create new SAML applications
- A corporate email domain which is the same one as used to provision users inside your Azure Entra ID directory. At this time, only one email domain per SSO integration is supported, and only one SSO integration is supported per Ternary Tenant.
- Contact your Customer Success Manager before beginning this process to receive a Connection Name. This will be something like 'yourcompanyname-saml' and matches the configuration that Ternary will create internally. Hereafter, we will refer to this as CONNECTION_NAME and you will have to fill it in various places.
Create Azure Entra ID Enterprise Application
In your Azure console, navigate to Microsoft Entra ID, select 'Enterprise Applications' and then select the option to create a 'New Application'
Select the option to 'Create your own application'
Provide a name for the Ternary SSO SAML application
After your new enterprise application is created, select the 'Set up single sign on' tile
Select the 'SAML' single sign-on method tile
Edit the 'Basic SAML Configuration' box. Add the 'Identifier (Entity ID)' and 'Reply URL (Assertion Consumer Service URL)' provided to you by Ternary CS. Save and close the configuration.
Edit the 'Attributes & Claims' box, confirm your claims match the following default configuration claims and then close the 'Attributes & Claims' box.
Finally, in the 'SAML Certificates' box, select the option to 'Download the Federation Metadata XML' and provide the downloaded file to your Ternary Success Manager.
You have now completed the Azure Microsoft Entra ID configuration. Ternary CS will coordinate a time to test your SAML integration.