Who can use this feature?
- Global admins or users with advanced permissions
- Available on all plans
Single sign-on (SSO) allows your team to log into Totango using authentication from other systems.
Totango does not allow a user to be part of multiple services; users can access a single service. Additionally, multiple Totango instances cannot be connected to the same SSO source.
SSO user experience
Totango supports the following options:
- Slack
- Microsoft
- Salesforce (custom)
- SAML (other Identity Provider)
Once enabled, additional sign-in options appear on the Totango login screen. SSO options for Google, Slack, and Microsoft use OAuth and require no additional configuration.
Enable SSO using Salesforce credentials
Setting up sign-on with Salesforce allows users to enter Salesforce credentials to authenticate with Totango.
A Totango user must already exist and have the same email address as the one used in the Salesforce user profile. The Totango legacy Salesforce data connector does not work with Salesforce multi-factor authentication.
- From Settings, expand User Management > Authentication Settings.
- Select Salesforce, and click Edit Settings.
- Within the Salesforce Single Sign-on screen, choose preferences for user access:
- Allow only invited users into Totango
- Allow any Salesforce.com user in your organization to access Totango
- Enter your Salesforce Organization ID.
Learn how to find your Salesforce Organization ID.
- Click Save.
Users can click the Salesforce icon on the Login screen to enter Salesforce credentials.
Enable SAML SSO
Setting up SAML sign-on allows users to enter company credentials via an identity provider to authenticate with Totango.
- From Settings, expand User Management > Authentication Settings.
- Select SSO, and click Edit Settings.
- Within the SAML Single Sign-on screen, enter the following:
- Domain name: Your company domain name. It is used to identify your company and redirect the user to the correct identity provider page. You can configure several domains by pressing Enter between the domain names (one per line).
- Identity provider login URL: Defines the URL your users will be redirected to when logging in.
- Identity provider issuer: The URL for the identity provider where your product will accept authentication requests. This value is optional in configuring some providers, such as Microsoft or Okta (see below). Read the provider documentation for more information.
- Identity provider certificate: The certificate from your Identity Provider (IP) contains the public key we use to verify that every SAML authentication response we receive was issued by your IP. Within the certificate issued by your IP, remove the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines and make sure there are no new line characters in the certificate text.
- Entity ID: Use this value in your company identity provider.
- Callback URL: Defines the URL your users are redirected back to after their authentication is approved.
- Click Save.
- Test the changes in a new incognito browser tab, different browser, or a different computer.
User invitation experience for SAML SSO
Users can click the Login with SSO button (lock icon) on the Login screen to use SSO, or use the Direct Login Link (e.g., post this link on a company intranet).
- On the login screen, click the Login with SSO button (lock icon).
- The user is redirected to the identity provider's page and, if not already signed in, enters credentials there.
- The user is redirected back to Totango, logged in.
Configure SAML SSO for Okta
- Within Okta, add an SSO application.
- Within Okta general settings, set the following SAML settings:
- Single Sign On URL: https://api.totango.com/auth/saml/login/callback (for the EU service, use https://api-eu1.totango.com/auth/saml/login/callback)
- Audience Restriction: totango.com
- Name ID Format: Email
- Digest algorithm: SHA256 (default)
- Default Relay State: One of the domains you add to the SAML SSO settings in Totango.
- From the Sign On tab in Okta, click Identity Provider metadata.
- From the XML, copy everything between the two <ds:X509Certificate> tags that you see in the metadata.
- Within Totango's SAML Single Sign-on screen (see above), paste the certificate text into the Identity provider certificate box.
- From the XML, copy the URL from the identity provider location (the Location attribute).
- Within Totango's SAML Single Sign-on screen, paste the URL into the Identity Provider login URL box.
- Enter the domain name (it must match the Default Relay State in the SAML Settings within Okta).
- Click Save.
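The certificate and login URL steps above (both the one-line certificate format required by the Identity provider certificate box and the values copied from Okta's IdP metadata) are easy to get wrong by hand. The following added example, which is not Totango's or Okta's own code, extracts the signing certificate and SSO Location from a constructed metadata document, strips PEM armor and newlines, and checks that the result is base64-encoded DER before you paste it. Using the metadata entityID as the Identity provider issuer is an assumption; the page marks that field as optional for Okta.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces (not page-specific).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape Okta's "Identity Provider metadata" link serves.
# The certificate body is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exampleIdpId">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
MIIBAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exampleapp/exampleIdpId/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def one_line_cert(text: str) -> str:
    """Remove PEM armor lines and all whitespace/newlines, as the Totango
    certificate box requires, and verify the result decodes to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = "".join(body.split())
    raw = base64.b64decode(body, validate=True)  # raises ValueError on bad base64
    if not raw or raw[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("content is not a DER-encoded certificate")
    return body


def totango_saml_values(metadata_xml: str) -> dict:
    """Pull the three IdP values the Totango SAML screen asks for out of metadata."""
    root = ET.fromstring(metadata_xml)
    cert = root.find(".//ds:X509Certificate", NS)
    sso = root.find(".//md:SingleSignOnService", NS)  # first binding listed
    if cert is None or sso is None:
        raise ValueError("metadata lacks a signing certificate or SSO location")
    return {
        "identity_provider_issuer": root.get("entityID"),  # assumption: optional for Okta
        "identity_provider_login_url": sso.get("Location"),
        "identity_provider_certificate": one_line_cert(cert.text),
    }
```

Paste `identity_provider_certificate` and `identity_provider_login_url` into the matching Totango boxes; a ValueError means the copied text was not a clean base64 certificate.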
Force SSO authentication
Enable this option to enforce SSO login as the only option for authentication. Totango will prevent users from entering Totango credentials on the login screen.
Make sure you have users set up with your company SSO credentials before enabling this option.
Team members invited to Totango when SAML SSO is enforced will be able to log in only using their SAML SSO credentials.
Troubleshooting
- Verify Default Relay State: Ensure that the Default Relay State in your source configuration is set correctly. This should match your company domain or Totango URL name to direct users appropriately after authentication. This can impact connecting to Totango through an SSO application portal.
- Check Identity Provider Issuer: Confirm that the Identity Provider Issuer is set to 'totango.com' in your SSO settings.
- Add the name of your Totango service from the service URL.
Refer here for more detailed information and additional steps.
FAQs
Question: When I click the Totango app inside my Okta dashboard, it takes me to the Totango credentials login page and requires my users to log in with SSO. How do I fix this?
Answer: Ensure you have the correct value in the Okta configuration under Default Relay State (see above). For Okta to direct users to the Totango home page, the Default Relay State value should be your company domain.