SAML Single-Sign-On

Single-Sign-On Authentication (or SSO Authentication) allows you to log in to multiple applications using a single set of credentials. If your administrator has enabled or required SSO for your organization, you can use your company credentials to log in to Totango products. 

Value

• SSO allows your company to enforce sophisticated security policies, ensuring that users are only logging using authorized methods. 
• SSO enable a centric and easy way to manage and control users authorization and permissions.
• Users no longer have to remember a separate username and password combination for each app they use.
• Users are maintaining a single set of credentials to all applications.

Use Cases

• As a user, I am able to login to Totango using my company credentials.
  
• As an admin, I am able to manage my company users in my company tools and application and have better control over user authentication.
• As an admin, I am able to define advanced security policies (like MFA) in my company IDP which users have to follow in all applications including Totango.
• As an admin, I can enforce SSO authentication on all users.
  
  

Where To Find It?

Users are able to find the option to login using their company SSO in Totango login page.

How To Use It?

• On Totango log in page, click on "My Company / SSO" button
• Enter your company domain (the one that your company email ends with)
• You will be redirected to your company identity provider page. 
• Once your credentials are approved by your company identity provider, you will be logged into Totango application.
  
  
  
  
  

How To Configure It?

Only Totango global admin can configure SAML SSO in Totango. 

These are the steps to configure SAML SSO in Totango:

• Go to Authentication settings in Totango Users page.
  
  
  
• Click on SAML SSO edit settings.
  
  
  
  
  SAML parameters which need to be defined in Totango:
   
  Domain name - your company domain name. It will be used to identify your company and redirect the user to the right identity provider page.
  Note, you can configure several domains by using enter between the domain names.
   
  
  
  Identity Provider Login URL - This value defines the URL your users will be redirected to which logging in.
  Identity Provider Issuer - This value is the URL for the identity provider where your product will accept authentication requests. This value is optional in configuring some providers (like Microsoft, Okta,...). Read the provider documentation to figure out whether "Identity Provider Issuer" is mandatory or optional.
  Identity Provider Certificate - This certificate contains the public key we will use to verify that your identity provider has issued all received SAML authentication requests.
  Please remove the "---------- BEGIN CERTIFICATE --------" and "---------- END CERTIFICATE --------" text and make sure there is no newline character in the certificate text.
  
  Totango parameters which need to be defined in your identity provider:
  Entity ID - This value is Totango identifier in your company identity provider.
  Callback URL - This value defines the URL your users will be redirected back after their authentication was approved.

• Save your settings, and test it by logging into Totango using SAML SSO from an incognito tab, different browser, or a different computer. 
• You can remove the configuration by clicking on the "Remove Configuration" button.

Enforce SAML SSO
To ensure that users comply with company security policies, global admins have the option to enforce SAML SSO as the only login method users can use to access Totango.
Once enforcing SAML SSO users will not be able to log in using a Totango user and password.

Onboarding the rest of your team is easy by ensuring they comply with your companies security policies, using only your company SSO method to login to the app. Team members invited to Totango with SAML SSO enforced will be able to log in only using their SAML SSO credentials.

When SAML SSO is enforced, these are the activities an invited user should do:

• Find the invitation email in your inbox.
• If you are new to Totango, click the "Start Using Totango" button in the user invitation email. 
  
• If you are already a Totango user which was added to a new team, click the "Go to team..." button. 
  
• On the account creation screen, log in using "My Company / SSO" button.
• You will be redirected to your identity provider page, if you are not already connected, enter your credentials
• You successfully logged into Totango.
  
  
  

Limitations

• Totango user management system does not allow a user to be part of multiple services. It means that the user can be only defined and access a single service.

For more information, contact your CSM.