SSO Setup for Okta Users

Benefit from an expedited configuration for Single Sign-On if you use Okta as your corporate IdP.

Ternary allows users to log in with Okta Single Sign-On (SSO), set up through Express Configuration. This document details how to configure SSO for your Okta organization.

Prerequisites

In order to proceed with configuring login with SSO through Okta, you must:

  • Have access to an Okta tenant
  • Be an Okta administrator of that tenant
  • Have an active user in Ternary

Supported Features

Service Provider (SP)-Initiated Authentication (SSO) Flow - This authentication flow occurs when the user attempts to log in to the application from Ternary.

Identity Provider (IdP)-Initiated Authentication (SSO) Flow - This authentication flow occurs when the user uses their Okta portal page to launch Ternary.

Just-In-Time (JIT) Provisioning - Users are automatically created on their first login. Email and name attributes are provisioned. This requires additional configuration from our team; please request it when you reach out for setup.

Universal Logout - When enabled, Okta can terminate user sessions and tokens when risk is detected or when an admin initiates logout.

Configuration Steps

Step 1: Request Okta Setup Access

Send an email to [email protected] with the email address you want to use for the Okta configuration. This should be the email you already log into Ternary with. You can request any further desired SSO features from us at this time:

  • Domain Binding (Recommended): Specify one or more domains that are associated with your organization. Then, when users log in at https://my.ternary.app, entering an email address that matches one of those domains automatically begins authentication with Okta. Without this, users must launch Ternary via a special bookmark link tied to your organization, or from their Okta portal, to use single sign-on.
  • Just-in-time (JIT) Provisioning (Recommended): Allow users who have not signed in to Ternary before to automatically get a new account within your Ternary tenant. Additionally, specify what role they should have. They can be a Basic User, Full Access User, or Tenant Admin. Review the list of roles to make your choice. Without opting for this, each user will still need to be explicitly invited by email to your Ternary tenant for them to gain access.
  • Disable other login methods: You can request that this SSO connection be the exclusive method for authenticating into your tenant. In that case, other methods such as usernames and passwords or social-based logins would not be available.

Step 2: Receive Credentials from Ternary

The Ternary team will create an organization account on our customer identity provider, Auth0, and reply with an organization name unique to your company. Record this organization name for later use.

Step 3: Add Ternary Application in Okta

  1. In Okta, go to Applications → Browse App Catalog
  2. Search for Ternary and click Add Integration
  3. Click Done

Step 4: Express Configure SSO

  1. On the newly created Ternary application, click the Sign On tab
  2. Click Express Configure & Universal UL
  3. In the window that appears, enter the organization name you saved in Step 2.
  4. When prompted for credentials, sign in exactly the same way you sign in to Ternary. (If you use Google, click Sign in with Google; if you use a password, enter the email and password; and so on.)
  5. On the next screen, approve the connection with Ternary to complete the setup.

Step 5: Enable Universal Logout

On the Sign On tab of the Ternary application, check the box for "Okta system or admin initiates logout" and click Save.

Step 6: Post-configuration by our team

Send an email to [email protected] to confirm that you have completed the Express Configuration setup. Our team will then provision the additional single sign-on features you have requested.

Step 7: Assign Users and Test

Once Ternary has confirmed the setup is complete:

  1. Assign the admin account to the Ternary application in Okta
  2. Assign any other users or groups that should have access to Ternary
  3. Test the login flow by launching Ternary within Okta, or by navigating to the bookmark link you were sent by our team. In either case, you should be automatically redirected to your Okta SSO login.
  4. (If applicable) Test that your JIT configuration works: in Okta, provision a user who is not already a member of your Ternary tenant, and have them log in via the Okta portal or your special bookmark link. They should immediately be given access to your tenant with no further manual steps required.

If you completed all the steps above, you are done! If you run into any trouble, reach out to [email protected] with any screenshots or error logs you see.